Details
- Bug
- Resolution: Unresolved
- Medium
Description
Originally reported at https://ezcommunity.slack.com/archives/C3YFR5ZM4/p1568819945024800
If you have uploaded a file with a name beginning with a left parenthesis ( character, trying to download it with the route:
ez_content_download: /content/download/{contentId}/{fieldIdentifier}/{filename}
...means the filename gets interpreted as a view parameter. So the router thinks there are only 4 parameters, and it will actually match the route:
ez_content_download_field_id: /content/download/{contentId}/{fieldId}
...which fails since the field identifier isn't a valid field id. This happens regardless of whether the filename is url encoded or not.
Steps to reproduce
- In the admin backend, create a Content of the File type
- Upload a file where the name begins with a (, such as (42) my filename.txt
- Try to download it using the link provided by the default backend templates
Result
- In Firefox, I get HTTP 404 File not found
- When I copy the URL and enter it in a new tab, it gets URL encoded. Now I get an InvalidArgumentException "Field with id file not found in Content with id 244" (Here "file" is the identifier of the File content type.)
Expected
The file should be downloaded.
Relevant code
Download routes: https://github.com/ezsystems/ezpublish-kernel/blob/3ba77f56baebcc6481fa5de44abffc9c10c1e5cb/eZ/Bundle/EzPublishCoreBundle/Resources/config/routing/internal.yml#L46
downloadBinaryFileAction: https://github.com/ezsystems/ezpublish-kernel/blob/7147fda4bd1418a8184a1993e060474e0aa11995/eZ/Publish/Core/MVC/Symfony/Controller/Content/DownloadController.php#L44
redirectToContentDownloadAction: https://github.com/ezsystems/ezpublish-kernel/blob/7147fda4bd1418a8184a1993e060474e0aa11995/eZ/Publish/Core/MVC/Symfony/Controller/Content/DownloadRedirectionController.php#L47
Possible solutions
- regexp qualifiers in the routes can ensure an id won't be interpreted as an identifier
  - may also allow parens to be read as text: nope, does not work
- custom encoding: base64?
- wash away bad chars: means downloaded file gets different name from uploaded one
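
The route fall-through described in this report can be reproduced with a small stand-alone model. This is an added example, not code from the issue or from ezpublish-kernel. Assumptions: view-parameter stripping cuts the URL-decoded path at the first "/(" before routing, the route patterns are simplified to one path segment per placeholder, and the helper names are hypothetical.

```php
<?php
// Added illustration, not eZ Platform code. Assumption: view-parameter
// stripping cuts the decoded path at the first "/(" before routing.

// Simplified patterns for the two routes quoted in the report.
const ROUTES = [
    'ez_content_download' =>
        '#^/content/download/(?<contentId>[^/]+)/(?<fieldIdentifier>[^/]+)/(?<filename>[^/]+)$#',
    'ez_content_download_field_id' =>
        '#^/content/download/(?<contentId>[^/]+)/(?<fieldId>[^/]+)$#',
];

/** Hypothetical helper: drop everything from the first "/(" onward. */
function stripViewParameters(string $path): string
{
    $pos = strpos($path, '/(');
    return $pos === false ? $path : substr($path, 0, $pos);
}

/** Hypothetical helper: return [route name, params] for a request path, or null. */
function matchRoute(string $requestPath): ?array
{
    $path = stripViewParameters(rawurldecode($requestPath));
    foreach (ROUTES as $name => $pattern) {
        if (preg_match($pattern, $path, $m)) {
            // Keep only the named placeholders, not the numeric capture keys.
            return [$name, array_filter($m, 'is_string', ARRAY_FILTER_USE_KEY)];
        }
    }
    return null;
}

// Constructed sample paths; content id 244 and identifier "file" come from the report.
$samples = [
    '/content/download/244/file/report.txt',
    '/content/download/244/file/(42) my filename.txt',
    '/content/download/244/file/%2842%29%20my%20filename.txt',
];
foreach ($samples as $path) {
    [$name, $params] = matchRoute($path) ?? ['(no match)', []];
    printf("%-58s => %s %s\n", $path, $name, json_encode($params));
}
```

In this model both parenthesised paths lose their filename segment and resolve to ez_content_download_field_id with fieldId "file", which corresponds to the InvalidArgumentException quoted under Result.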