From 473c1de024941a1a85844f35f9480e9ac7758b58 Mon Sep 17 00:00:00 2001
From: Adrian Perez de Castro <aperez@igalia.com>
Date: Wed, 15 Aug 2018 14:27:56 +0200
Subject: [PATCH] Properly encode filenames as URI components

Fixes #95
---
 ngx_http_fancyindex_module.c | 24 ++++++++++++++++--------
 t/bug95-square-brackets.test | 19 +++++++++++++++++++
 2 files changed, 35 insertions(+), 8 deletions(-)
 create mode 100644 t/bug95-square-brackets.test

diff --git a/ngx_http_fancyindex_module.c b/ngx_http_fancyindex_module.c
index 64f98a1..8d175e9 100644
--- a/ngx_http_fancyindex_module.c
+++ b/ngx_http_fancyindex_module.c
@@ -258,7 +258,7 @@ static char *ngx_http_fancyindex_ignore(ngx_conf_t    *cf,
                                         void          *conf);
 
 static uintptr_t
-    ngx_fancyindex_escape_uri(u_char *dst, u_char*src, size_t size);
+    ngx_fancyindex_escape_filename(u_char *dst, u_char*src, size_t size);
 
 /*
  * These are used only once per handler invocation. We can tell GCC to
@@ -410,8 +410,15 @@ static const ngx_str_t css_href_post =
     ngx_string("\" type=\"text/css\"/>\n");
 
 
+#ifdef NGX_ESCAPE_URI_COMPONENT
+static inline uintptr_t
+ngx_fancyindex_escape_filename(u_char *dst, u_char *src, size_t size)
+{
+    return ngx_escape_uri(dst, src, size, NGX_ESCAPE_URI_COMPONENT);
+}
+#else /* !NGX_ESCAPE_URI_COMPONENT */
 static uintptr_t
-ngx_fancyindex_escape_uri(u_char *dst, u_char *src, size_t size)
+ngx_fancyindex_escape_filename(u_char *dst, u_char *src, size_t size)
 {
     /*
      * The ngx_escape_uri() function will not escape colons or the
@@ -483,6 +490,7 @@ ngx_fancyindex_escape_uri(u_char *dst, u_char *src, size_t size)
         return escapes + uescapes;
     }
 }
+#endif /* NGX_ESCAPE_URI_COMPONENT */
 
 
 static ngx_inline ngx_buf_t*
@@ -716,9 +724,9 @@ make_content_buf(
             return ngx_http_fancyindex_error(r, &dir, &path);
 
         ngx_cpystrn(entry->name.data, ngx_de_name(&dir), len + 1);
-        entry->escape = 2 * ngx_fancyindex_escape_uri(NULL,
-                                                      ngx_de_name(&dir),
-                                                      len);
+        entry->escape = 2 * ngx_fancyindex_escape_filename(NULL,
+                                                           ngx_de_name(&dir),
+                                                           len);
 
         entry->dir     = ngx_de_is_dir(&dir);
         entry->mtime   = ngx_de_mtime(&dir);
@@ -922,9 +930,9 @@ make_content_buf(
         b->last = ngx_cpymem_ssz(b->last, "<tr><td class=\"link\"><a href=\"");
 
         if (entry[i].escape) {
-            ngx_fancyindex_escape_uri(b->last,
-                                      entry[i].name.data,
-                                      entry[i].name.len);
+            ngx_fancyindex_escape_filename(b->last,
+                                           entry[i].name.data,
+                                           entry[i].name.len);
 
             b->last += entry[i].name.len + entry[i].escape;
 
diff --git a/t/bug95-square-brackets.test b/t/bug95-square-brackets.test
new file mode 100644
index 0000000..16e1ddc
--- /dev/null
+++ b/t/bug95-square-brackets.test
@@ -0,0 +1,19 @@
+#! /bin/bash
+cat <<---
+Bug #95: FancyIndex does not encode square brackets
+https://github.com/aperezdc/ngx-fancyindex/issues/95
+--
+use pup
+
+# Prepare a directory with a file that contains square brackets in the name.
+mkdir -p "${TESTDIR}/bug95"
+touch "${TESTDIR}"/bug95/'bug[95].txt'
+
+nginx_start
+content=$(fetch /bug95/)
+test -n "${content}" || fail 'Empty response'
+
+expected_href='bug%5B95%5D.txt'
+obtained_href=$(pup -p body tbody 'tr:nth-child(2)' a 'attr{href}' <<< "${content}")
+test "${expected_href}" = "${obtained_href}" || \
+	fail 'Expected: %s - Obtained: %s' "${expected_href}" "${obtained_href}"