+11
-3
knotserver/routes.go
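--- a/knotserver/routes.go
+++ b/knotserver/routes.go
@@ -361,14 +361,22 @@
 
 ref := strings.TrimSuffix(file, ".tar.gz")
 
+unescapedRef, err := url.PathUnescape(ref)
+if err != nil {
+notFound(w)
+return
+}
+
+safeRefFilename := strings.ReplaceAll(plumbing.ReferenceName(unescapedRef).Short(), "/", "-")
+
 // This allows the browser to use a proper name for the file when
 // downloading
-filename := fmt.Sprintf("%s-%s.tar.gz", name, ref)
+filename := fmt.Sprintf("%s-%s.tar.gz", name, safeRefFilename)
 setContentDisposition(w, filename)
 setGZipMIME(w)
 
 path, _ := securejoin.SecureJoin(h.c.Repo.ScanPath, didPath(r))
-gr, err := git.Open(path, ref)
+gr, err := git.Open(path, unescapedRef)
 if err != nil {
 notFound(w)
 return
@@ -377,7 +385,7 @@
 gw := gzip.NewWriter(w)
 defer gw.Close()
 
-prefix := fmt.Sprintf("%s-%s", name, ref)
+prefix := fmt.Sprintf("%s-%s", name, safeRefFilename)
 err = gr.WriteTar(gw, prefix)
 if err != nil {
 // once we start writing to the body we can't report error anymore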
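Review bot: `safeRefFilename` (new line 370) only rewrites `/`, so everything else that `url.PathUnescape` can yield from the request path (double quotes, backslashes, control characters) still reaches `setContentDisposition` and the archive prefix given to `gr.WriteTar`. The header is also written before `git.Open` has confirmed that the ref exists, so it reflects request data even on the not-found path. I would map every rune outside `[A-Za-z0-9._-]` to `-` when building `safeRefFilename`, and move `setContentDisposition(w, filename)` and `setGZipMIME(w)` below the `git.Open` error check. Whether `setContentDisposition` quotes or escapes its argument is not visible in this hunk, so part of this may already be covered there. The enclosing handler starts and ends outside the hunk.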