Escape mailbox names in URLs

Closes: https://todo.sr.ht/~sircmpwn/koushin/14
author: Simon Ser <contact@emersion.fr> 2019-12-03 17:31:53 +0100
committer: Simon Ser <contact@emersion.fr> 2019-12-03 17:31:53 +0100
commit: a4729060bedd45481726861c491d5061e90ffefa (patch)
tree: d9ee85915912c2186162e5ae737f89d3a5751549
parent: 48d6d5d227a4d55d80f9f2a74c1242cafafab7ab (diff)
download: alps-a4729060bedd45481726861c491d5061e90ffefa.tar.gz
alps-a4729060bedd45481726861c491d5061e90ffefa.zip
4 files changed, 17 insertions, 5 deletions
diff --git a/public/mailbox.html b/public/mailbox.html
index 303bdb4..d8c7209 100644
--- a/public/mailbox.html
+++ b/public/mailbox.html
@@ -11,14 +11,14 @@
 <p>Mailboxes:</p>
 <ul>
 	{{range .Mailboxes}}
-		<li><a href="/mailbox/{{.Name}}">{{.Name}}</a></li>
+		<li><a href="/mailbox/{{.Name | pathescape}}">{{.Name}}</a></li>
 	{{end}}
 </ul>
 
 <p>Messages:</p>
 <ul>
 	{{range .Messages}}
-		<li><a href="/message/{{$.Mailbox.Name}}/{{.Uid}}?part={{.TextPartName}}">
+		<li><a href="/message/{{$.Mailbox.Name | pathescape}}/{{.Uid}}?part={{.TextPartName}}">
 			{{.Envelope.Subject}}
 		</a></li>
 	{{end}}
diff --git a/public/message.html b/public/message.html
index cb9518b..fc97bf4 100644
--- a/public/message.html
+++ b/public/message.html
@@ -3,7 +3,7 @@
 <h1>koushin</h1>
 
 <p>
-	<a href="/mailbox/{{.Mailbox.Name}}">Back</a>
+	<a href="/mailbox/{{.Mailbox.Name | pathescape}}">Back</a>
 </p>
 
 <h2>{{.Message.Envelope.Subject}}</h2>
diff --git a/server.go b/server.go
index 6dd7246..3f521e7 100644
--- a/server.go
+++ b/server.go
@@ -142,7 +142,10 @@ func handleLogin(ectx echo.Context) error {
 }
 
 func handleGetPart(ctx *context, raw bool) error {
-	mboxName := ctx.Param("mbox")
+	mboxName, err := url.PathUnescape(ctx.Param("mbox"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err)
+	}
 	uid, err := parseUid(ctx.Param("uid"))
 	if err != nil {
 		return echo.NewHTTPError(http.StatusBadRequest, err)
@@ -312,6 +315,11 @@ func New(imapURL, smtpURL string) *echo.Echo {
 	e.GET("/mailbox/:mbox", func(ectx echo.Context) error {
 		ctx := ectx.(*context)
 
+		mboxName, err := url.PathUnescape(ctx.Param("mbox"))
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, err)
+		}
+
 		var mailboxes []*imap.MailboxInfo
 		var msgs []imapMessage
 		var mbox *imap.MailboxStatus
@@ -320,7 +328,7 @@ func New(imapURL, smtpURL string) *echo.Echo {
 			if mailboxes, err = listMailboxes(c); err != nil {
 				return err
 			}
-			if msgs, err = listMessages(c, ctx.Param("mbox")); err != nil {
+			if msgs, err = listMessages(c, mboxName); err != nil {
 				return err
 			}
 			mbox = c.Mailbox()
diff --git a/template.go b/template.go
index 5d0d28b..2581da0 100644
--- a/template.go
+++ b/template.go
@@ -3,6 +3,7 @@ package koushin
 import (
 	"html/template"
 	"io"
+	"net/url"
 
 	"github.com/labstack/echo/v4"
 )
@@ -20,6 +21,9 @@ func loadTemplates() (*tmpl, error) {
 		"tuple": func(values ...interface{}) []interface{} {
 			return values
 		},
+		"pathescape": func(s string) string {
+			return url.PathEscape(s)
+		},
 	}).ParseGlob("public/*.html")
 	return &tmpl{t}, err
 }
author	Simon Ser <contact@emersion.fr>	2019-12-03 17:31:53 +0100
committer	Simon Ser <contact@emersion.fr>	2019-12-03 17:31:53 +0100
commit	a4729060bedd45481726861c491d5061e90ffefa (patch)
tree	d9ee85915912c2186162e5ae737f89d3a5751549
parent	48d6d5d227a4d55d80f9f2a74c1242cafafab7ab (diff)
download	alps-a4729060bedd45481726861c491d5061e90ffefa.tar.gz alps-a4729060bedd45481726861c491d5061e90ffefa.zip