Change syntax for routes with filename

Previously, the filename was URL-encoded, thus each / was replaced with %2F. This caused issues with some Apache2 configuration, smartly mingling with the URL to either encode it a second time (resulting in %252F) or decoding it (generating a real /). However, for authenticated file downloads with the JWT, we hardly require a byte-by-byte matching. With these changes, the URL parameter is no longer URL-encoded, so that Apache2 won't break our implementation any longer. Further, we use this opportunity to get rid of the unnecessary .json extension for those filename routes, simplifying the routes generated and doing some further cleanup.
2023-12-19 09:36:15 +01:00
parent 65212c4b4b
commit 17dd8b1267
9 changed files with 64 additions and 96 deletions
--- a/app/controllers/live_streams_controller.rb
+++ b/app/controllers/live_streams_controller.rb
@ -22,7 +22,7 @@ class LiveStreamsController < ApplicationController

  def download_arbitrary_file
    @execution_environment = authorize ExecutionEnvironment.find(params[:id])
-    desired_file = params[:filename].to_s
+    desired_file = "/#{params[:filename]}" # The filename given is absolute; this is an admin-only action.
    runner = Runner.for(current_user, @execution_environment)
    fallback_location = shell_execution_environment_path(@execution_environment)
    privileged = params[:sudo] || @execution_environment.privileged_execution?