fix: resolve 404/500 error when downloading files containing hash in filename#15799
Merged
paulpopus merged 5 commits intoApr 2, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes REST file downloads returning 404 when filenames contain # by ensuring Next.js-decoded catch-all slug segments are re-encoded before route matching.
Changes:
- Re-encode each
[...slug]segment withencodeURIComponentbefore joining into the REST handler path - Add an integration test covering uploads/downloads where the stored filename contains
#
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| test/uploads/int.spec.ts | Adds an integration test asserting files with # in the filename can be fetched via the REST file endpoint |
| packages/next/src/routes/rest/index.ts | Re-encodes decoded slug segments so path-to-regexp endpoint matching works with #/? in filenames |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
Author
|
Alternative solution in #15823 |
paulpopus
approved these changes
Apr 2, 2026
Contributor
|
🚀 This is included in version v3.82.0 |
milamer
pushed a commit
to milamer/payload
that referenced
this pull request
Apr 20, 2026
…filename (payloadcms#15799) ### What? Fixes file downloads returning 404 for filenames containing `#` when served through the REST API. ### Why? Next.js catch-all `[...slug]` params decodes URL-encoded segments before passing them for further handling. So a request for `/api/media/file/document%20%23123.pdf` arrives with slug segments `['media', 'file', 'document payloadcms#123.pdf']`. These decoded segments are joined and passed to handleEndpoints, but the implementation of handleEndpoints is using `path-to-regexp` with a configuration that expectes urlencoded path segments. ### How? Re-encode each slug segment with `encodeURIComponent` before joining: handleEndpoints already uses match(endpoint.path, { decode: decodeURIComponent }), so params are decoded back to their original values after matching Also adds a test that creates a file with # in the filename and verifies it can be served via REST. Fixes payloadcms#15798 --------- Co-authored-by: Paul Popus <paul@payloadcms.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What?
Fixes file downloads returning 404 for filenames containing
#when served through the REST API.Why?
Next.js catch-all
[...slug]params decodes URL-encoded segments before passing them for further handling. So a request for/api/media/file/document%20%23123.pdfarrives with slug segments['media', 'file', 'document #123.pdf'].These decoded segments are joined and passed to handleEndpoints, but the implementation of handleEndpoints is using
path-to-regexpwith a configuration that expectes urlencoded path segments.How?
Re-encode each slug segment with
encodeURIComponentbefore joining:handleEndpoints already uses match(endpoint.path, { decode: decodeURIComponent }), so params are decoded back to their original values after matching
Also adds a test that creates a file with # in the filename and verifies it can be served via REST.
Fixes #15798