knotserver: allow downloading archives of refs with slashes in their names #441

···

       
361
       
361
       
 
       


     

       
362
       
362
       
 
       
	ref := strings.TrimSuffix(file, ".tar.gz")

     

       
363
       
363
       
 
       


     

       
364
       
364
       
+
       
	unescapedRef, err := url.PathUnescape(ref)

     

       
365
       
365
       
+
       
	if err != nil {

     

       
366
       
366
       
+
       
		notFound(w)

     

       
367
       
367
       
+
       
		return

     

       
368
       
368
       
+
       
	}

     

       
369
       
369
       
+
       


     

       
370
       
370
       
+
       
	safeRefFilename := strings.ReplaceAll(plumbing.ReferenceName(unescapedRef).Short(), "/", "-")

     

       
371
       
371
       
+
       


     

       
364
       
372
       
 
       
	// This allows the browser to use a proper name for the file when

     

       
365
       
373
       
 
       
	// downloading

     

       
366
       
366
       
-
       
	filename := fmt.Sprintf("%s-%s.tar.gz", name, ref)

     

       
374
       
374
       
+
       
	filename := fmt.Sprintf("%s-%s.tar.gz", name, safeRefFilename)

     

       
367
       
375
       
 
       
	setContentDisposition(w, filename)

     

       
368
       
376
       
 
       
	setGZipMIME(w)

     

       
369
       
377
       
 
       


     

       
370
       
378
       
 
       
	path, _ := securejoin.SecureJoin(h.c.Repo.ScanPath, didPath(r))

     

       
371
       
371
       
-
       
	gr, err := git.Open(path, ref)

     

       
379
       
379
       
+
       
	gr, err := git.Open(path, unescapedRef)

     

       
372
       
380
       
 
       
	if err != nil {

     

       
373
       
381
       
 
       
		notFound(w)

     

       
374
       
382
       
 
       
		return

     
···

       
377
       
385
       
 
       
	gw := gzip.NewWriter(w)

     

       
378
       
386
       
 
       
	defer gw.Close()

     

       
379
       
387
       
 
       


     

       
380
       
380
       
-
       
	prefix := fmt.Sprintf("%s-%s", name, ref)

     

       
388
       
388
       
+
       
	prefix := fmt.Sprintf("%s-%s", name, safeRefFilename)

     

       
381
       
389
       
 
       
	err = gr.WriteTar(gw, prefix)

     

       
382
       
390
       
 
       
	if err != nil {

     

       
383
       
391
       
 
       
		// once we start writing to the body we can't report error anymore