From ffce1d85dfe420e1a39a4aa7393ec4bce68926f3 Mon Sep 17 00:00:00 2001
From: gammazero <11790789+gammazero@users.noreply.github.com>
Date: Tue, 7 Jan 2025 20:15:38 -1000
Subject: [PATCH] re-escape urls to avoid mixed-case hex from input url
---
 gateway/handler_codec.go | 5 +++++
 gateway/handler_unixfs_dir.go | 6 ++++++
 2 files changed, 11 insertions(+)
diff --git a/gateway/handler_codec.go b/gateway/handler_codec.go
index f18bba3e2..567d271d5 100644
--- a/gateway/handler_codec.go
+++ b/gateway/handler_codec.go
@@ -172,6 +172,11 @@ func (i *handler) serveCodecHTML(ctx context.Context, w http.ResponseWriter, r *
 if r.URL.RawQuery != "" {
 suffix = suffix + "?" + url.PathEscape(r.URL.RawQuery)
 }
+ // Re-escape path instead of reusing RawPath to avod mix of lawer
+ // and upper hex that may come from RawPath.
+ if strings.IndexRune(requestURI.RawPath, '%') != -1 {
+ requestURI.RawPath = ""
+ }
 // /ipfs/cid/foo?bar must be redirected to /ipfs/cid/foo/?bar
 redirectURL := requestURI.EscapedPath() + suffix
 http.Redirect(w, r, redirectURL, http.StatusMovedPermanently)
diff --git a/gateway/handler_unixfs_dir.go b/gateway/handler_unixfs_dir.go
index 04771e3ca..26713ac1c 100644
--- a/gateway/handler_unixfs_dir.go
+++ b/gateway/handler_unixfs_dir.go
@@ -49,9 +49,15 @@ func (i *handler) serveDirectory(ctx context.Context, w http.ResponseWriter, r *
 if r.URL.RawQuery != "" {
 suffix = suffix + "?" + url.PathEscape(r.URL.RawQuery)
 }
+ // Re-escape path instead of reusing RawPath to avod mix of lawer
+ // and upper hex that may come from RawPath.
+ if strings.IndexRune(requestURI.RawPath, '%') != -1 {
+ requestURI.RawPath = ""
+ }
 // /ipfs/cid/foo?bar must be redirected to /ipfs/cid/foo/?bar
 redirectURL := requestURI.EscapedPath() + suffix
 rq.logger.Debugw("directory location moved permanently", "status", http.StatusMovedPermanently)
+
 http.Redirect(w, r, redirectURL, http.StatusMovedPermanently)
 return true
 }
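Review bot: In serveCodecHTML (gateway/handler_codec.go), clearing `requestURI.RawPath` makes `EscapedPath()` rebuild the Location from the decoded `Path` (assuming `requestURI` is a `*url.URL`; its origin is outside the hunk), which does more than normalise hex case: an escaped slash (`%2F`) in the request comes back as a literal `/`, so the redirect can name a different path than the one requested. If that is intended, the comment should say so, for example `// Clear RawPath so EscapedPath() re-encodes from Path (canonical upper-case hex; %2F becomes "/").`, which would also fix the "avod" and "lawer" typos. The diffstat lists only the two handler files, so a regression test that sends lower-case, mixed-case and `%2F` escapes and asserts the resulting Location header would pin this behaviour. The same lines are added to serveDirectory in gateway/handler_unixfs_dir.go, and both enclosing functions start and end outside their hunks.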
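Review bot: The guard added to serveDirectory (gateway/handler_unixfs_dir.go) is a verbatim copy of the one in serveCodecHTML, so the two redirect paths can drift the next time the escaping rules change; a small unexported helper that takes the parsed URL and returns the canonical escaped path would keep them in step. The condition itself reads more directly as `if strings.Contains(requestURI.RawPath, "%") {` than as an `IndexRune(...) != -1` comparison. The blank line added before `http.Redirect` is unrelated to the fix and could be dropped from the patch. serveDirectory begins outside the hunk.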