diff --git a/webdav/xml.go b/webdav/xml.go index fbd43cf220..8eda4b0a96 100644 --- a/webdav/xml.go +++ b/webdav/xml.go @@ -13,6 +13,7 @@ import ( "fmt" "io" "net/http" + "net/url" "time" // As of https://go-review.googlesource.com/#/c/12772/ which was submitted @@ -87,6 +88,10 @@ func writeLockInfo(w io.Writer, token string, ld LockDetails) (int, error) { depth = "0" } timeout := ld.Duration / time.Second + // PathEscape the root. Any URLs in this response body should match data on the wire + // meaning if a request came in escaped (which it should have), it should go out that + // way as well. + root := url.PathEscape(ld.Root) return fmt.Fprintf(w, "\n"+ "\n"+ " \n"+ @@ -97,7 +102,7 @@ func writeLockInfo(w io.Writer, token string, ld LockDetails) (int, error) { " %s\n"+ " %s\n"+ "", - depth, ld.OwnerXML, timeout, escape(token), escape(ld.Root), + depth, ld.OwnerXML, timeout, escape(token), escape(root), ) }