[GH-ISSUE #63] Not Found when file name contains HTML escape code #26

Closed
opened 2026-04-08 16:49:52 +03:00 by zhus · 0 comments
Owner

Originally created by @KSXGitHub on GitHub (Jun 21, 2022).
Original GitHub issue: https://github.com/sigoden/dufs/issues/63

Steps to reproduce

  1. Create a file whose name contains an HTML escape code:
    echo hello > 'abc&def.txt'
    
  2. Run dufs to serve the folder that contains the created file.
  3. Open https://localhost:5000/ in Google Chrome.
  4. The file with name abc&def.txt is nowhere to be found. Instead, there is abc&def.txt. Click the file.

Expected behavior

  • After step 3, the file with name abc&def.txt should appear.
  • After clicking abc&def.txt, the text hello should appear.

Actual behavior

  • The file with the correct name does not appear.
  • The file with the incorrect name predictably leads to Not Found.

Notes

Using Nautilus to access the file via WebDAV (dav://localhost:5000/) works fine.

Additional suggestions

This flaw is probably caused by text being inserted directly into the constructed HTML page without escape, sanitization, or any form of text processing. This is dangerous as it could lead to some form of code injection attack. I am not just referring to this one bug, I am referring to other potential bugs that are similar to this.

Request:

  • Examine the whole codebase to find similar bugs.
  • Use a proven library/framework to generate the directory page instead of doing it manually. For example, miniserve (a similar program to dufs) uses maud to generate its directory page.
zhus closed this issue 2026-04-08 16:49:52 +03:00

Reference: sigoden/dufs#26