Image with $ sign in the name is broken in Enketo #438

Closed
sadiqkhoja opened this issue Jun 27, 2023 · 3 comments · Fixed by #443
@sadiqkhoja
Contributor

Related to #433

If an image contains a $ sign in its name, then Enketo doesn't preview it.

@sadiqkhoja
Contributor Author

When I click on the download icon in the submission table, the backend receives this request:

/v1/projects/473/forms/build_media_1556624635/submissions/uuid%3Abe2af264-615d-4658-afa5-385158ede558/attachments/%24dollar-8_45_1.jpg

However, the URL in Enketo is /-/media/get/1/uuid:be2af264-615d-4658-afa5-385158ede558/%24dollar-8_45_1.jpg and it is not sending any request to the backend.

@sadiqkhoja
Contributor Author

I initially thought it was Enketo's issue and created this PR. However, it is nginx which is decoding %24 into $.

Experiments:

With the following config, the backend receives $ instead of %24:

location /- {
  proxy_pass http://127.0.0.1:3000/-;
  proxy_redirect off;
  proxy_set_header Host $host;
}

If I remove /- from the proxy_pass, then %24 is not decoded into $.

The solution I came up with is:

location /- {
  set $test http://127.0.0.1:3000/$request_uri;

  proxy_pass $test;
  proxy_redirect off;
  proxy_set_header Host $host;
}

However, I don’t know the security implications of this.
https://trac.nginx.org/nginx/ticket/727 says to use $request_uri with care.

I had opened an issue in the nginx issue tracker: https://trac.nginx.org/nginx/ticket/2506. They say it is by design.

@matthew-white
Member

> However, it is nginx which is decoding %24 into $.
>
> With the following config, the backend receives $ instead of %24

I'm pretty sure that Backend should be able to handle either $ or %24. Frontend calls encodeURIComponent(), which does encode $. Backend is happy to receive that encoded value, but it should also accept $ unencoded. For example, app user tokens in the URL can contain $, but we don't encode app user tokens in the URL. To test that Backend accepts $ unencoded, you can copy the download link from the submissions table and replace %24 with $. The link should still work.

> However, the URL in Enketo is /-/media/get/1/uuid:be2af264-615d-4658-afa5-385158ede558/%24dollar-8_45_1.jpg and it is not sending any request to the backend.

If Enketo isn't sending a request at all, that still sounds like an Enketo issue to me. Do you happen to have a repro on a server handy? Are any requests to the Enketo server failing?
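
Added example, not part of the thread and not ODK Central or Enketo code: `$request_uri` is the client's original request URI (query string included), which nginx has neither decoded nor normalized, so an upstream that receives it has to do its own path validation. The sketch below decodes each segment once, treats `$` and `%24` as the same name, and rejects dot segments and encoded separators; `safeAttachmentName`, `PREFIX` and the sample inputs are hypothetical.

```javascript
// Added example: hypothetical helper, not ODK Central or Enketo code.
// Validates a raw path as an upstream would see it when nginx forwards
// $request_uri, which nginx has neither decoded nor normalized.

function safeAttachmentName(rawRequestUri, prefix) {
  // $request_uri includes the query string; keep only the path.
  const path = rawRequestUri.split('?')[0];
  if (!path.startsWith(prefix)) return null;

  const segments = path.slice(prefix.length).split('/');
  const decoded = [];
  for (const seg of segments) {
    let value;
    try {
      value = decodeURIComponent(seg); // decode exactly once
    } catch (e) {
      return null; // malformed percent-encoding such as "%zz"
    }
    // After one decode, a segment must not be empty, a dot segment, or
    // contain a path separator or NUL (i.e. %2F, %5C, %00 were sent encoded).
    if (value === '' || value === '.' || value === '..') return null;
    if (/[\/\\\0]/.test(value)) return null;
    decoded.push(value);
  }
  return decoded[decoded.length - 1];
}

// Constructed sample inputs modelled on the URLs quoted in this issue.
const PREFIX = '/-/media/get/1/';
const samples = [
  PREFIX + 'uuid:be2af264-615d-4658-afa5-385158ede558/%24dollar-8_45_1.jpg',
  PREFIX + 'uuid:be2af264-615d-4658-afa5-385158ede558/$dollar-8_45_1.jpg',
  PREFIX + 'uuid:x/..%2F..%2Fsecret', // encoded slash hiding dot segments
  PREFIX + 'uuid:x/../../secret',     // dot segments left unresolved
  PREFIX + 'uuid:x/%zz.jpg',          // malformed escape
];
for (const s of samples) console.log(s, '=>', safeAttachmentName(s, PREFIX));
```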

sadiqkhoja added a commit that referenced this issue Jun 30, 2023
…ncodes path

which breaks submission attachment with special characters in webform
more details: https://trac.nginx.org/nginx/ticket/2506
sadiqkhoja mentioned this issue Jun 30, 2023