dev: POSIX filesystem safeguards, character escaping in URL paths #1759

danielweck · 2022-02-01T16:05:00Z

danielweck
Feb 1, 2022
Maintainer

Potential problem: new URL(PATH, 'file:') vs pathToFileURL(PATH)

See:
https://nodejs.org/api/url.html#urlpathtofileurlpath

...BUT! Potential cascading problem: in the Thorium codebase URLs path segments are sometimes unwrapped by simply removing the file:// prefix, which can yield non-escaped filesystem names! (so, must think carefully before changing currently-functioning code).

Relevant code references:

thorium-reader/src/renderer/library/components/catalog/AboutThoriumButton.tsx

Line 147 in 68853e6

"file://" + folderPath.replace(/\\/g, "/"));

thorium-reader/src/main/redux/sagas/api/publication/packager/packageLink.ts

Line 118 in 68853e6

const baseUrlLocal = baseUrl.slice("file://".length);

thorium-reader/src/main/redux/sagas/api/publication/import/importFromString.ts

Lines 19 to 24 in 68853e6

    
           export function* importFromStringService( 
        
               manifest: string, 
        
               baseFileUrl: string, // MUST be file:// 
        
           ): SagaGenerator<[publicationDoc: PublicationDocument, alreadyImported: boolean]> { 
        
               // const baseUrl = baseFileUrl.startsWith("file://") ? baseFileUrl : ("file://" + baseFileUrl.replace(/\\/g, "/"));

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

dev: POSIX filesystem safeguards, character escaping in URL paths #1759

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

dev: POSIX filesystem safeguards, character escaping in URL paths #1759

danielweck Feb 1, 2022 Maintainer

Replies: 0 comments

danielweck
Feb 1, 2022
Maintainer