Merge pull request #566 from rusq/i561

fix for filenames with tilda

Author: rusq

internal/viewer/handlers.go

@@ -145,8 +145,9 @@ func isHXRequest(r *http.Request) bool {
 	return r.Header.Get("HX-Request") == "true"
 }
 
-func isInvalid(path string) bool {
-	return strings.Contains(path, "..") || strings.Contains(path, "~") || strings.Contains(path, "/") || strings.Contains(path, "\\")
+// isInvalid returns true if the provided path component is not web-safe.
+func isInvalid(pcomp string) bool {
+	return strings.Contains(pcomp, "..") || strings.HasPrefix(pcomp, "~") || strings.Contains(pcomp, "/") || strings.Contains(pcomp, "\\")
 }
 
 func (v *Viewer) threadHandler(w http.ResponseWriter, r *http.Request, id string) {

internal/viewer/handlers_test.go

@@ -1 +1,25 @@
 package viewer
+
+import "testing"
+
+func Test_isInvalid(t *testing.T) {
+	type args struct {
+		path string
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{"relative path", args{"../test.txt"}, true},
+		{"home dir ref", args{"~/test.txt"}, true},
+		{"filename with tilda #561", args{"test~1.txt"}, false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := isInvalid(tt.args.path); got != tt.want {
+				t.Errorf("isInvalid() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}