dontuse lossy decoding

actix-files/src/error.rs

@@ -33,6 +33,9 @@ pub enum UriSegmentError {
     /// The segment ended with the wrapped invalid character.
     #[display(fmt = "The segment ended with the wrapped invalid character")]
     BadEnd(char),
+    /// The path is not a valid UTF-8 string after doing percent decoding.
+    #[display(fmt = "The path is not a valif UTF-8 string after percent-decoding")]
+    NotValidUtf8,
 }
 
 /// Return `BadRequest` for `UriSegmentError`

actix-files/src/path_buf.rs

@@ -24,6 +24,10 @@ impl PathBufWrap {
     pub fn parse_path(path: &str, hidden_files: bool) -> Result<Self, UriSegmentError> {
         let mut buf = PathBuf::new();
 
+        let path = percent_encoding::percent_decode_str(path)
+            .decode_utf8()
+            .map_err(|_| UriSegmentError::NotValidUtf8)?;
+
         for segment in path.split('/') {
             if segment == ".." {
                 buf.pop();

actix-files/src/service.rs

@@ -77,13 +77,11 @@ impl Service<ServiceRequest> for FilesService {
             )));
         }
 
-        let path_decoded =
-            percent_encoding::percent_decode_str(req.match_info().path()).decode_utf8_lossy();
-
-        let real_path = match PathBufWrap::parse_path(&path_decoded, self.hidden_files) {
-            Ok(item) => item,
-            Err(e) => return Box::pin(ok(req.error_response(e))),
-        };
+        let real_path =
+            match PathBufWrap::parse_path(req.match_info().path(), self.hidden_files) {
+                Ok(item) => item,
+                Err(e) => return Box::pin(ok(req.error_response(e))),
+            };
 
         if let Some(filter) = &self.path_filter {
             if !filter(real_path.as_ref(), req.head()) {