Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

.pmtiles files can be any unicode char but aws/cloudflare only accept S3 safe characters #490

Open
bdon opened this issue Nov 2, 2024 · 0 comments
Open

.pmtiles files can be any unicode char but aws/cloudflare only accept S3 safe characters #490

bdon opened this issue Nov 2, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@bdon
Copy link
Member

bdon commented Nov 2, 2024
edited
Loading

In the AWS and Cloudflare proxy implementations we use a regex to parse the URL to a object storage key https://github.com/protomaps/PMTiles/blob/main/serverless/shared/index.ts#L8

This only allows S3-safelisted characters https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html

But this means that if I have a valid but non safe listed filename我的城市.pmtiles in s3, then I put the lambda proxy in front, it will not work, it will return 404.

We should accept any character in URLs but be careful to avoid path traversal attacks, etc.

This also affects go-pmtiles and thus the GCP and Azure implementations: https://github.com/protomaps/go-pmtiles/blob/main/pmtiles/server.go#L441
@bdon bdon added the bug Something isn't working label Nov 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bdon