biigle · yannik131 · May 20, 2026 · May 21, 2026 · May 21, 2026 · May 22, 2026
diff --git a/app/Http/Controllers/Api/Volumes/Filters/FilenameController.php b/app/Http/Controllers/Api/Volumes/Filters/FilenameController.php
@@ -30,6 +30,10 @@ public function index($id, $pattern)
         $volume = Volume::findOrFail($id);
         $this->authorize('access', $volume);
 
+        // Decode percent-encoded characters, example:
+        // Frontend turns / into %2F, we turn it back to /
+        $pattern = rawurldecode($pattern);
+
         // Escape trailing backslashes, else there would be an error with ilike.
         $pattern = preg_replace('/\\\\$/', '\\\\\\\\', $pattern);
 

diff --git a/resources/assets/js/volumes/cloneForm.vue b/resources/assets/js/volumes/cloneForm.vue
@@ -99,7 +99,7 @@ export default {
             let promise1 = VolumeApi.queryFilenames({id: this.id});
             let promise2 = VolumeApi.queryFilesWithFilename({
                 id: this.id,
-                pattern: this.filePattern
+                pattern: encodeURIComponent(this.filePattern)
             });
 
             Promise.all([promise1, promise2])

diff --git a/resources/assets/js/volumes/stores/filters.js b/resources/assets/js/volumes/stores/filters.js
@@ -205,7 +205,7 @@ let filenameFilter = {
     getSequence(volumeId, pattern) {
         return VolumesApi.queryFilesWithFilename({
             id: volumeId,
-            pattern: pattern,
+            pattern: encodeURIComponent(pattern),
         });
     },
 };

diff --git a/routes/api.php b/routes/api.php
@@ -432,7 +432,7 @@
 
     $router->get('{id}/files/filter/filename/{pattern}', [
         'uses' => 'Filters\FilenameController@index',
-    ]);
+    ])->where('pattern', '.*');
 
     $router->get('{id}/file-labels', [
         'uses' => 'UsedFileLabelsController@index',

diff --git a/tests/php/Http/Controllers/Api/Volumes/Filters/FilenameControllerTest.php b/tests/php/Http/Controllers/Api/Volumes/Filters/FilenameControllerTest.php
@@ -62,14 +62,32 @@ public function testIndexEscape()
     {
         $vid = $this->volume()->id;
 
-        $image = ImageTest::create([
+        $image1 = ImageTest::create([
             'volume_id' => $vid,
             'filename' => 'abcde.jpg',
         ]);
+        $image2 = ImageTest::create([
+            'volume_id' => $vid,
+            'filename' => '/.jpg'
+        ]);
+        $image3 = ImageTest::create([
+            'volume_id' => $vid,
+            'filename' => '%2F.jpg' // encodeURIComponent("/") yields "%2F"
+        ]);
+
+        $expectedResults = [
+            '*cde*%5C' => [],
+            '%2F.jpg' => [$image2->id], // "/.jpg"
+            '%2F*' => [$image2->id], // "/*"
+            '%25252F.jpg' => [$image3->id], // "%2F.jpg"
+        ];
+
         $this->beGuest();
-        $response = $this->json('GET', "/api/v1/volumes/{$vid}/files/filter/filename/*cde*%5C")
-            ->assertExactJson([]);
-        $response->assertStatus(200);
+        foreach ($expectedResults as $pattern => $expectedIds) {
+            $response = $this->json('GET', "/api/v1/volumes/{$vid}/files/filter/filename/{$pattern}")
+                ->assertExactJson($expectedIds);
+            $response->assertStatus(200);
+        }
     }
 
     public function testIndexVideo()