[PR #2691] [MERGED] Fix file names with URL control characters #3771

New Issue

2026-04-25T00:17:00+02:00

adam commented

2026-04-25 00:17:00 +02:00

📋 Pull Request Information

Original PR: https://github.com/advplyr/audiobookshelf/pull/2691
Author: @lkiesow
Created: 2/29/2024
Status: ✅ Merged
Merged: 3/12/2024
Merged by: @advplyr

Base: master ← Head: hash-in-filename

📝 Commits (1)

987842e Fix file names with URL control characters

📊 Changes

1 file changed (+4 additions, -1 deletions)

View changed files

📝 server/utils/fileUtils.js (+4 -1)

📄 Description

This patch ensures that files names like series #3 xy.jpg are actually handled correctly instead of the part after # being interpreted as fragment and being discarded.

I noticed that in a few rare cases the App wouldn't properly display cover images. It turns out that due the file names containing a #, the file path got corrupted, causing Audiobookshelf to return a 403.

To reproduce the issue (there are likely more ways):

Enable XAccel, e.g. by putting in the docker-compose.yml (even if you don't configure Nginx for this, you should still be able to confirm the issue):
```
  audiobookshelf:
    image: ghcr.io/advplyr/audiobookshelf:2.8.0
    environment:
      - USE_X_ACCEL=/protected
```
Upload a book with a path that includes a # like /data/audiobooks/Author/Series #1 - xy/cover.jpg
Go into the web interface and try downloading the file. This will not work, but copy the URL. It should be something like:
https://audiobook.example.com/api/items/87ee14eb-f2fc-412f-1213-69bf27ff3947/file/3954651/download?token=…`
On the host system, communicate with the container directly, sending an HTTP request for the file. If you don't have a reverse proxy, you can just use the original URL:
```
% curl -i 'http://127.0.0.1:8081/api/items/87ee14eb-f2fc-412f-1213-69bf27ff3947/file/3954651/download?token=…'
HTTP/1.1 204 No Content
X-Accel-Redirect: /protected/audiobooks/Author/Series%20
```
The redirect URL will end at the # character in the path. This will result in the file not being found.

The patch will fix the issue and the correct path will be returned.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/advplyr/audiobookshelf/pull/2691 **Author:** [@lkiesow](https://github.com/lkiesow) **Created:** 2/29/2024 **Status:** ✅ Merged **Merged:** 3/12/2024 **Merged by:** [@advplyr](https://github.com/advplyr) **Base:** `master` ← **Head:** `hash-in-filename` --- ### 📝 Commits (1) - [`987842e`](https://github.com/advplyr/audiobookshelf/commit/987842ed04e5a7e8025bdfc2ed576d9569eed8ec) Fix file names with URL control characters ### 📊 Changes **1 file changed** (+4 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `server/utils/fileUtils.js` (+4 -1) </details> ### 📄 Description This patch ensures that files names like `series #3 xy.jpg` are actually handled correctly instead of the part after `#` being interpreted as fragment and being discarded. I noticed that in a few rare cases the App wouldn't properly display cover images. It turns out that due the file names containing a `#`, the file path got corrupted, causing Audiobookshelf to return a 403. --- To reproduce the issue (there are likely more ways): 1. Enable XAccel, e.g. by putting in the `docker-compose.yml` (even if you don't configure Nginx for this, you should still be able to confirm the issue): ```yml audiobookshelf: image: ghcr.io/advplyr/audiobookshelf:2.8.0 environment: - USE_X_ACCEL=/protected ``` 2. Upload a book with a path that includes a `#` like `/data/audiobooks/Author/Series #1 - xy/cover.jpg` 3. Go into the web interface and try downloading the file. This will not work, but copy the URL. It should be something like: https://audiobook.example.com/api/items/87ee14eb-f2fc-412f-1213-69bf27ff3947/file/3954651/download?token=…` 4. On the host system, communicate with the container directly, sending an HTTP request for the file. If you don't have a reverse proxy, you can just use the original URL: ``` % curl -i 'http://127.0.0.1:8081/api/items/87ee14eb-f2fc-412f-1213-69bf27ff3947/file/3954651/download?token=…' HTTP/1.1 204 No Content X-Accel-Redirect: /protected/audiobooks/Author/Series%20 ``` The redirect URL will end at the `#` character in the path. This will result in the file not being found. The patch will fix the issue and the correct path will be returned. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

adam added the pull-request label 2026-04-25 00:17:00 +02:00

adam closed this issue

2026-04-25 00:17:00 +02:00

adam referenced this issue

2026-04-25 00:18:13 +02:00

[PR #3771] [MERGED] Adds a configuration for podcast feed and episode download timeout #4076

Sign in to join this conversation.

Branches Tags

master

book_tags_genres_dedupe

episode_download_fallback

Issue-4540-SortBy-StartedDate-and-FinishedDate

episode_meta_tagging

fix_authorize_race_condition

redirect_transcode_requests

progress_updated_sort

fix_ereader_socket_event

fix_change_empty_root_password

fix_podcast_session_track_index

fix_set_token

session_modal_user

localize_durations

fix_oidc_create_user

jwt_auth_refactor

fix_scanner_deleting_single_file_books

fix_mediaprogress_updatedat_2

experimental_next_client

podcast_episode_duration

episode-timestamps-clickable

book_author_secondary_sort_title

podcast_useragents

pathexists_user_access

fix_pathexists_join

book_author_secondary_sort

clean_duplicate_mediaprogress

sanitize_html_description

trix_prevent_attachments

check_path_api_fix

fix_mediaprogress_updatedat

increase_express_json_limit

fix_dockerfile_nunicode

search_episodes

audiobook_tools_update

episode_secondary_sorts

hls_stream_url_update

new_session_track_endpoint

audiobook_tools_enhancements

watcher_rescans_update

player_track_tooltip

fix_exclude_prefixes_crash

socket_item_events

fix_podcast_episode_scanner_promise

new_stats_controller

count_cache_for_userpermissions

parsing-opf-v3

validate_migration_files

fix-quick-match-all-crash

fix-chapter-end-sleep-timer

stringify_sequelize_query

remove-col-ambiguity

fix_next_prev_edit_description

details_trim_whitespace

fix_content_url_basepath

fix_logger_fatal

progress_bar_visibility

batch-edit-populate-map-details

feed_generator_updates

bookmark-modal-updates

migrate-library-item-in-scanner

migrate-new-library-items

migrate-podcasts-new-library-item-2

migrate-podcasts-new-library-item

fix-remove-episode-from-playlist

playback-session-use-new-library-item

refactor-library-item

fix-heatmap-caption

feed-episodes-upsert

share-media-player-media-session-api

remove-old-playlist

remove_old_collection_object

plugin-implementation-demo

feed_migration

refactor-feeds-from-item

fix_remove_authors_no_books

v2.17.3-fk-constraints-migration

migrations-first-upgrade

sqlite_2

feature/nuxt-target-server

waveform

sqlite

playlists

video

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/audiobookshelf#3771