Properly encode URLs and url parameters.

2020-06-08 20:37:57 +02:00
parent a2ce68cbf2
commit a465e4ddd3
4 changed files with 8 additions and 5 deletions
--- a/client/once.py
+++ b/client/once.py
@@ -5,6 +5,7 @@ Simple command to share one-time files
 import os
 import json
 import time
+import urllib

 import click
 import requests
@@ -47,7 +48,7 @@ def api_req(method: str, url: str, verbose: bool = False, **kwargs):
@click.option('--verbose', '-v', is_flag=True, default=False, help='Enables verbose output.')
 def share(file: click.File, verbose: bool):
    entry = api_req('GET', '/',
-        params={'f': os.path.basename(file.name)},
+        params={'f': urllib.parse.quote_plus(os.path.basename(file.name))},
        verbose=verbose).json()

    once_url = entry['once_url']
--- a/once/download-and-delete/handler.py
+++ b/once/download-and-delete/handler.py
@@ -3,6 +3,7 @@ import io
 import json
 import logging
 import re
+import urllib

 import boto3

@@ -49,7 +50,7 @@ def on_event(event, context):
    log.debug(f'Files bucket is "{FILES_BUCKET}"')

    entry_id = event['pathParameters']['entry_id']
-    filename = event['pathParameters']['filename']
+    filename = urllib.parse.unquote_plus(event['pathParameters']['filename'])
    object_name = f'{entry_id}/{filename}'

    dynamodb = boto3.client('dynamodb')
--- a/once/get-upload-ticket/handler.py
+++ b/once/get-upload-ticket/handler.py
@@ -6,8 +6,8 @@ import logging
 import os
 import random
 import string
+import urllib
 from typing import Dict
-from urllib.parse import quote_plus, urlencode

 import boto3
 import requests
@@ -61,7 +61,7 @@ def on_event(event, context):
    log.debug(f'Pre-signed urls will expire after {EXPIRATION_TIMEOUT} seconds')

    q = event.get('queryStringParameters', {})
-    filename = q.get('f')
+    filename = urllib.parse.unquote_plus(q.get('f'))
    response_code = 200
    response = {}
    try:
@@ -71,7 +71,7 @@ def on_event(event, context):
        domain = string.ascii_uppercase + string.ascii_lowercase + string.digits
        entry_id = ''.join(random.choice(domain) for _ in range(6))
        object_name = f'{entry_id}/{filename}'
-        response['once_url'] = f'{APP_URL}{entry_id}/{filename}'
+        response['once_url'] = f'{APP_URL}{entry_id}/{urllib.parse.quote(filename)}'

        dynamodb = boto3.client('dynamodb')
        dynamodb.put_item(
--- a/once/once_stack.py
+++ b/once/once_stack.py
@@ -35,6 +35,7 @@ class ApiGatewayV2Domain(object):
            'hostedZoneId': self.domain_name.get_att('RegionalHostedZoneId').to_string()
        }

+
 class CustomDomainStack(cfn.NestedStack):
    def __init__(self, scope: core.Construct, id: str,
        hosted_zone_id: str,