Failed to `cd` into a folder whose name includes `'` and space simultaneously

notroj / cadaver

Command-line WebDAV client

GNU General Public License v2.0

85 stars 8 forks source link

Failed to `cd` into a folder whose name includes `'` and space simultaneously #44

Open marsjane opened 3 months ago

marsjane commented 3 months ago

> mkdir aa's\ b
Creating `aa's b': succeeded.
dav:/Digital/> ls
Listing collection `/Digital/': succeeded.
Coll:   aa's b                                 0  Jul 17 09:30
dav:/Digital/> cd aa's b 
The `cd' command takes at most 1 argument:
  cd path : Change to specified collection
dav:/Digital/> cd aa's\ b 
Could not access /Digital/aa%27s%20b/ (not WebDAV-enabled?):
Did not find a collection resource.

notroj commented 3 months ago

I think, but am not 100% sure, this is a mod_dav bug.


MKCOL /dav/aaa%27bbb/ HTTP/1.1
User-Agent: cadaver/0.25-dev neon/0.33.0
Connection: TE
TE: trailers
Host: localhost

[status-line] < HTTP/1.1 201 Created
...

PROPFIND /dav/aaa%27bbb/ HTTP/1.1
User-Agent: cadaver/0.25-dev neon/0.33.0
Connection: TE
TE: trailers
Host: localhost
Depth: 1
Content-Length: 288
Content-Type: application/xml

...

<D:multistatus xmlns:D="DAV:" xmlns:ns1="http://apache.org/dav/props/" xmlns:ns0="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/" xmlns:g0="DAV:" xmlns:g1="http://apache.org/dav/props/">
<D:href>/dav/aaa'bbb/</D:href>
<D:propstat>
<D:prop>
<lp1:getlastmodified>Wed, 17 Jul 2024 11:39:08 GMT</lp1:getlastmodified>
<lp1:resourcetype><D:collection/></lp1:resourcetype>

notroj commented 3 months ago

To be honest a lot of the escaping/unescaping code in cadaver was designed completely wrong, so it might be a cadaver bug.

The issue here is that ' is a reserved character and mod_dav is not escaping it in the response, unlike e.g. ? - similarly a reserved character and correctly URI-escaped if it is used in a path name.

notroj commented 3 months ago

Can you please file a mod_dav bug for this, I will try to look at it in more detail.

https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&component=mod_dav

notroj commented 3 months ago

https://www.rfc-editor.org/rfc/rfc9110.html#name-https-normalization-and-com

sasys specifically

Characters other than those in the "reserved" set are equivalent to their percent-encoded octets: the normal form is to not encode them (see Sections 2.1 and 2.2 of [URI]).

so it is not obvious to me that the RFCs require that "http://localhost/foo'bar" and "http://localhost/foo%27bar" compare as equivalent

marsjane commented 3 months ago

Sorry for the later reply, I just read above and go to try cd aa%27s\ b but I still cannot cd into this folder aa's b, should I file the bug to mod_dav as you required above?