Payload is the open-source, fullstack Next.js framework, giving you instant backend superpowers. Get a full TypeScript backend and admin panel instantly. Use Payload as a headless CMS or for building powerful applications.
fix: resolve 404/500 error when downloading files containing hash in filename (#15799)
### What?
Fixes file downloads returning 404 for filenames containing `#` when
served through the REST API.
### Why?
Next.js catch-all `[...slug]` params decodes URL-encoded segments before
passing them for further handling. So a request for
`/api/media/file/document%20%23123.pdf` arrives with slug segments
`['media', 'file', 'document #123.pdf']`.
These decoded segments are joined and passed to handleEndpoints, but the
implementation of handleEndpoints is using `path-to-regexp` with a
configuration that expectes urlencoded path segments.
### How?
Re-encode each slug segment with `encodeURIComponent` before joining:
handleEndpoints already uses match(endpoint.path, { decode:
decodeURIComponent }), so params are decoded back to their original
values after matching
Also adds a test that creates a file with # in the filename and verifies
it can be served via REST.
Fixes #15798
---------
Co-authored-by: Paul Popus <paul@payloadcms.com> A
Anders Semb Hermansen committed
3a09387e7b6a73cb625a84579ac702aecd3473f5
Parent: e284ab5
Committed by GitHub <noreply@github.com>
on 4/2/2026, 5:24:46 PM