From 9f3b740ca92020d7ae98c007ddf89a20ab90c5af Mon Sep 17 00:00:00 2001
From: Eu Pin Tien
Date: Tue, 21 Jan 2025 16:27:33 +0000
Subject: [PATCH 1/2] Fixed incorrect sanitisation of URLs for package installation requests
---
 src/murfey/server/api/bootstrap.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/murfey/server/api/bootstrap.py b/src/murfey/server/api/bootstrap.py
index 3b8e5edfb..b9d711248 100644
--- a/src/murfey/server/api/bootstrap.py
+++ b/src/murfey/server/api/bootstrap.py
@@ -228,15 +228,16 @@ def parse_cygwin_request(request_path: str):
 """
 # Validate request path
- if bool(re.fullmatch(r"^[\w\s\.\-/]+$", request_path)) is False:
+ if bool(re.fullmatch(r"^[\w\s\.\-\+/]+$", request_path)) is False:
 raise ValueError(f"{request_path!r} is not a valid request path")
 try:
- url = f'{find_cygwin_mirror()}{quote(request_path, safe="")}'
+ url = f'{find_cygwin_mirror()}{quote(request_path, safe="/")}'
 except Exception:
 raise HTTPException(
 status_code=503, detail="Could not identify a suitable Cygwin mirror"
 )
+ logger.info(f"Forwarding Cygwin download request to {_sanitise_str(url)}")
 cygwin_data = requests.get(url)
 return Response(
@@ -434,7 +435,7 @@ def _rewrite_url(match):
 raise ValueError(f"{system!r} is not a valid msys2 environment")
 # Construct URL to main MSYS repo and get response
- arch_url = f'{msys2_url}/{quote(system, safe="")}'
+ arch_url = f'{msys2_url}/{quote(system, safe="/")}'
 response = requests.get(arch_url)
 # Parse and rewrite package index content
@@ -497,7 +498,7 @@ def _rewrite_url(match):
 # Construct URL to main MSYS repo and get response
 package_list_url = (
- f'{msys2_url}/{quote(system, safe="")}/{quote(environment, safe="")}'
+ f'{msys2_url}/{quote(system, safe="")}/{quote(environment, safe="/")}'
 )
 response = requests.get(package_list_url)
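Review bot: The widened character class in the `re.fullmatch` line still admits `.`, so a request_path made of `..` segments passes validation, and because the next change keeps `/` unencoded (`quote(request_path, safe="/")`) those dot segments now reach the mirror URL intact and can climb out of the mirror's Cygwin directory, whereas `safe=""` turned every `/` into `%2F`. Reject dot and empty segments before building the URL, e.g. `if any(seg in ("", ".", "..") for seg in request_path.split("/")): raise ValueError(f"{request_path!r} is not a valid request path")`. As a point of style, `if bool(re.fullmatch(...)) is False:` reads more directly as `if not re.fullmatch(...):`. parse_cygwin_request's docstring and its Response construction continue outside the hunk.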
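Review bot: `quote(system, safe="/")` in the arch_url line only differs from the previous `safe=""` when `system` contains a `/`, and a single MSYS2 path component should never contain one; if the validation above (its pattern is outside the hunk) rejects `/` the change is a no-op, and if it admits `/` or `.` the caller can now add or climb path segments on the mirror instead of getting a percent-encoded `%2F`. The same applies to `environment` in the -497 hunk and to `system`, `environment` and `package` in both hunks of the second patch. Prefer keeping `safe=""` for components that are meant to be exactly one path segment, or have the validation reject them explicitly, e.g. `if "/" in system or ".." in system: raise ValueError(f"{system!r} is not a valid msys2 environment")`. The enclosing function starts and ends outside the hunk.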
@@ -581,7 +582,7 @@ def _get_full_pypi_path_response(package: str) -> requests.Response:
 # alphanumerics (including underscores; \w), dashes (\-), and periods (\.)
 if re.match(r"^[\w\-\.]+$", package) is not None:
 # Sanitise and normalise package name according to PEP 503
- package_clean = quote(re.sub(r"[-_.]+", "-", package.lower()), safe="")
+ package_clean = quote(re.sub(r"[-_.]+", "-", package.lower()), safe="/")
 # Get HTTP response
 url = f"https://pypi.org/simple/{package_clean}"
From dc63cd0efe137d7900d9318ce0d013d7e59cd8bd Mon Sep 17 00:00:00 2001
From: Eu Pin Tien
Date: Tue, 21 Jan 2025 17:46:15 +0000
Subject: [PATCH 2/2] Missed applying the fix to a few 'quote()' instances
---
 src/murfey/server/api/bootstrap.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/murfey/server/api/bootstrap.py b/src/murfey/server/api/bootstrap.py
index b9d711248..067e59b0a 100644
--- a/src/murfey/server/api/bootstrap.py
+++ b/src/murfey/server/api/bootstrap.py
@@ -498,7 +498,7 @@ def _rewrite_url(match):
 # Construct URL to main MSYS repo and get response
 package_list_url = (
- f'{msys2_url}/{quote(system, safe="")}/{quote(environment, safe="/")}'
+ f'{msys2_url}/{quote(system, safe="/")}/{quote(environment, safe="/")}'
 )
 response = requests.get(package_list_url)
@@ -552,7 +552,7 @@ def get_msys2_package_file(
 raise ValueError(f"{package!r} is not a valid package name")
 # Construct URL to main MSYS repo and get response
- package_url = f'{msys2_url}/{quote(system, safe="")}/{quote(environment, safe="")}/{quote(package, safe="")}'
+ package_url = f'{msys2_url}/{quote(system, safe="/")}/{quote(environment, safe="/")}/{quote(package, safe="/")}'
 package_file = requests.get(package_url)
 if package_file.status_code == 200:
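Review bot: `safe="/"` in the package_clean line cannot change anything here, because the `re.match(r"^[\w\-\.]+$", package)` guard two lines above never admits a `/`; keeping `safe=""` would document that the name is a single path segment rather than making the call look like the others. The guard itself is the weaker point: `re.match` with `$` accepts a trailing newline (`$` also matches just before a final `\n`), which quote() then encodes as `%0A` in the pypi.org URL; `re.fullmatch(r"[\w\-.]+", package)` closes that, and matches the fullmatch idiom parse_cygwin_request already uses. _get_full_pypi_path_response's body continues outside the hunk.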