Escape mailbox names in URLs

Closes: https://todo.sr.ht/~sircmpwn/koushin/14
2019-12-03 17:31:53 +01:00 · 2019-12-03 17:31:53 +01:00 · a4729060be
commit a4729060be
parent 48d6d5d227
4 changed files with 17 additions and 5 deletions
--- a/public/mailbox.html
+++ b/public/mailbox.html
@ -11,14 +11,14 @@
 <p>Mailboxes:</p>
 <ul>
 	{{range .Mailboxes}}
-		<li><a href="/mailbox/{{.Name}}">{{.Name}}</a></li>
+		<li><a href="/mailbox/{{.Name | pathescape}}">{{.Name}}</a></li>
 	{{end}}
 </ul>

 <p>Messages:</p>
 <ul>
 	{{range .Messages}}
-		<li><a href="/message/{{$.Mailbox.Name}}/{{.Uid}}?part={{.TextPartName}}">
+		<li><a href="/message/{{$.Mailbox.Name | pathescape}}/{{.Uid}}?part={{.TextPartName}}">
 			{{.Envelope.Subject}}
 		</a></li>
 	{{end}}
--- a/public/message.html
+++ b/public/message.html
@ -3,7 +3,7 @@
 <h1>koushin</h1>

 <p>
-	<a href="/mailbox/{{.Mailbox.Name}}">Back</a>
+	<a href="/mailbox/{{.Mailbox.Name | pathescape}}">Back</a>
 </p>

 <h2>{{.Message.Envelope.Subject}}</h2>
--- a/server.go
+++ b/server.go
@ -142,7 +142,10 @@ func handleLogin(ectx echo.Context) error {
 }

 func handleGetPart(ctx *context, raw bool) error {
-	mboxName := ctx.Param("mbox")
+	mboxName, err := url.PathUnescape(ctx.Param("mbox"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err)
+	}
 	uid, err := parseUid(ctx.Param("uid"))
 	if err != nil {
 		return echo.NewHTTPError(http.StatusBadRequest, err)
@ -312,6 +315,11 @@ func New(imapURL, smtpURL string) *echo.Echo {
 	e.GET("/mailbox/:mbox", func(ectx echo.Context) error {
 		ctx := ectx.(*context)

+		mboxName, err := url.PathUnescape(ctx.Param("mbox"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, err)
+		}
+
 		var mailboxes []*imap.MailboxInfo
 		var msgs []imapMessage
 		var mbox *imap.MailboxStatus
@ -320,7 +328,7 @@ func New(imapURL, smtpURL string) *echo.Echo {
 			if mailboxes, err = listMailboxes(c); err != nil {
 				return err
 			}
-			if msgs, err = listMessages(c, ctx.Param("mbox")); err != nil {
+			if msgs, err = listMessages(c, mboxName); err != nil {
 				return err
 			}
 			mbox = c.Mailbox()
--- a/template.go
+++ b/template.go
@ -3,6 +3,7 @@ package koushin
 import (
 	"html/template"
 	"io"
+	"net/url"

 	"github.com/labstack/echo/v4"
 )
@ -20,6 +21,9 @@ func loadTemplates() (*tmpl, error) {
 		"tuple": func(values ...interface{}) []interface{} {
 			return values
 		},
+		"pathescape": func(s string) string {
+			return url.PathEscape(s)
+		},
 	}).ParseGlob("public/*.html")
 	return &tmpl{t}, err
 }