From 84efe279bb5fd5cce3f1d042b3aac412376fda1b Mon Sep 17 00:00:00 2001 From: sfan5 Date: Wed, 1 Dec 2021 21:11:32 +0100 Subject: Fix URL escaping in content store --- builtin/mainmenu/dlg_contentstore.lua | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) (limited to 'builtin/mainmenu') diff --git a/builtin/mainmenu/dlg_contentstore.lua b/builtin/mainmenu/dlg_contentstore.lua index 58421ef75..9db67cf57 100644 --- a/builtin/mainmenu/dlg_contentstore.lua +++ b/builtin/mainmenu/dlg_contentstore.lua @@ -62,9 +62,19 @@ local REASON_UPDATE = "update" local REASON_DEPENDENCY = "dependency" +-- encodes for use as URL parameter or path component +local function urlencode(str) + return str:gsub("[^%a%d()._~-]", function(char) + return string.format("%%%02X", string.byte(char)) + end) +end +assert(urlencode("sample text?") == "sample%20text%3F") + + local function get_download_url(package, reason) local base_url = core.settings:get("contentdb_url") - local ret = base_url .. ("/packages/%s/%s/releases/%d/download/"):format(package.author, package.name, package.release) + local ret = base_url .. ("/packages/%s/releases/%d/download/"):format( + package.url_part, package.release) if reason then ret = ret .. "?reason=" .. reason end @@ -199,7 +209,7 @@ local function get_raw_dependencies(package) local url_fmt = "/api/packages/%s/dependencies/?only_hard=1&protocol_version=%s&engine_version=%s" local version = core.get_version() local base_url = core.settings:get("contentdb_url") - local url = base_url .. url_fmt:format(package.id, core.get_max_supp_proto(), version.string) + local url = base_url .. url_fmt:format(package.url_part, core.get_max_supp_proto(), urlencode(version.string)) local response = http.fetch_sync({ url = url }) if not response.succeeded then @@ -574,17 +584,16 @@ function store.load() local base_url = core.settings:get("contentdb_url") local url = base_url .. "/api/packages/?type=mod&type=game&type=txp&protocol_version=" .. - core.get_max_supp_proto() .. "&engine_version=" .. version.string + core.get_max_supp_proto() .. "&engine_version=" .. urlencode(version.string) for _, item in pairs(core.settings:get("contentdb_flag_blacklist"):split(",")) do item = item:trim() if item ~= "" then - url = url .. "&hide=" .. item + url = url .. "&hide=" .. urlencode(item) end end - local timeout = tonumber(core.settings:get("curl_file_download_timeout")) - local response = http.fetch_sync({ url = url, timeout = timeout }) + local response = http.fetch_sync({ url = url }) if not response.succeeded then return end @@ -594,12 +603,16 @@ function store.load() for _, package in pairs(store.packages_full) do local name_len = #package.name + -- This must match what store.update_paths() does! + package.id = package.author:lower() .. "/" if package.type == "game" and name_len > 5 and package.name:sub(name_len - 4) == "_game" then - package.id = package.author:lower() .. "/" .. package.name:sub(1, name_len - 5) + package.id = package.id .. package.name:sub(1, name_len - 5) else - package.id = package.author:lower() .. "/" .. package.name + package.id = package.id .. package.name end + package.url_part = urlencode(package.author) .. "/" .. urlencode(package.name) + if package.aliases then for _, alias in ipairs(package.aliases) do -- We currently don't support name changing @@ -1013,9 +1026,9 @@ function store.handle_submit(this, fields) end if fields["view_" .. i] then - local url = ("%s/packages/%s/%s?protocol_version=%d"):format( - core.settings:get("contentdb_url"), - package.author, package.name, core.get_max_supp_proto()) + local url = ("%s/packages/%s?protocol_version=%d"):format( + core.settings:get("contentdb_url"), package.url_part, + core.get_max_supp_proto()) core.open_url(url) return true end -- cgit v1.2.3