Skip to content

.pmtiles files can be any unicode char but aws/cloudflare only accept S3 safe characters #490

New issue
New issue
Open
Open
.pmtiles files can be any unicode char but aws/cloudflare only accept S3 safe characters#490
Labels
bugSomething isn't working
@bdon

Description

@bdon
bdon
opened on Nov 2, 2024

In the AWS and Cloudflare proxy implementations we use a regex to parse the URL to a object storage key https://github.com/protomaps/PMTiles/blob/main/serverless/shared/index.ts#L8

This only allows S3-safelisted characters https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html

But this means that if I have a valid but non safe listed filename我的城市.pmtiles in s3, then I put the lambda proxy in front, it will not work, it will return 404.

We should accept any character in URLs but be careful to avoid path traversal attacks, etc.

This also affects go-pmtiles and thus the GCP and Azure implementations: https://github.com/protomaps/go-pmtiles/blob/main/pmtiles/server.go#L441

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions