fileserver: Use EscapedPath for browse (#5534)

* fileserver: Use EscapedPath for browse Fix #5143 * Fixes if filter element is not present * Remove extraneous line
author: Matt Holt <mholt@users.noreply.github.com> 2023-05-15 10:48:05 -0600
committer: GitHub <noreply@github.com> 2023-05-15 10:48:05 -0600
commit: 52d7335c2b1b8424e8971a9b03f51a5f36583535 (patch)
tree: 23ea631b9bece465b9cfa35367099fe373b6afdd /modules/caddyhttp/fileserver/browse.go
parent: 96919acc9d583ef11ea1f9c72a9991fb3f8aab9f (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/modules/caddyhttp/fileserver/browse.go b/modules/caddyhttp/fileserver/browse.go
index e1a0894..7cb6e40 100644
--- a/modules/caddyhttp/fileserver/browse.go
+++ b/modules/caddyhttp/fileserver/browse.go
@@ -82,8 +82,8 @@ func (fsrv *FileServer) serveBrowse(root, dirPath string, w http.ResponseWriter,
 
 	repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
 
-	// calling path.Clean here prevents weird breadcrumbs when URL paths are sketchy like /%2e%2e%2f
-	listing, err := fsrv.loadDirectoryContents(r.Context(), dir.(fs.ReadDirFile), root, path.Clean(r.URL.Path), repl)
+	// TODO: not entirely sure if path.Clean() is necessary here but seems like a safe plan (i.e. /%2e%2e%2f) - someone could verify this
+	listing, err := fsrv.loadDirectoryContents(r.Context(), dir.(fs.ReadDirFile), root, path.Clean(r.URL.EscapedPath()), repl)
 	switch {
 	case os.IsPermission(err):
 		return caddyhttp.Error(http.StatusForbidden, err)
author	Matt Holt <mholt@users.noreply.github.com>	2023-05-15 10:48:05 -0600
committer	GitHub <noreply@github.com>	2023-05-15 10:48:05 -0600
commit	52d7335c2b1b8424e8971a9b03f51a5f36583535 (patch)
tree	23ea631b9bece465b9cfa35367099fe373b6afdd /modules/caddyhttp/fileserver/browse.go
parent	96919acc9d583ef11ea1f9c72a9991fb3f8aab9f (diff)