Don't percent-decode filename value in Content-Disposition.

We only percent-decode the filename* value in Content-Disposition because
its encoding is fully specified. The encoding of the plain filename value
is not, so we just accept it as is.
pull/22/head
Tatsuhiro Tsujikawa 2012-06-28 23:18:50 +09:00
parent c30ea8adeb
commit f1017d5def
2 changed files with 6 additions and 3 deletions


@ -929,8 +929,9 @@ std::string getContentDispositionFilename(const std::string& header)
filenameLast = value.end();
}
static const std::string TRIMMED("\r\n\t '\"");
value = percentDecode(value.begin(), filenameLast);
value = strip(value, TRIMMED);
std::pair<std::string::iterator, std::string::iterator> vi =
util::stripIter(value.begin(), filenameLast, TRIMMED);
value.assign(vi.first, vi.second);
value.erase(std::remove(value.begin(), value.end(), '\\'), value.end());
if(!detectDirTraversal(value) && value.find("/") == std::string::npos) {
filename = value;
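Review bot: The call site carries no comment explaining why the plain filename is left undecoded, and nothing states that the result has to stay undecoded. With `percentDecode` gone, `detectDirTraversal(value)` and the `value.find("/")` test run on the raw header bytes, so a value such as `%2E%2E%2Ffoo.html` is returned verbatim. That is safe only as long as no caller percent-decodes the returned name before building a path, which cannot be confirmed from this hunk. I would add above the `util::stripIter` call: `// filename (unlike filename*) has no defined encoding: keep it verbatim. Callers must not percent-decode the result, or "../" could reappear after the checks below.` The enclosing function starts and ends outside the hunk.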


@ -872,8 +872,10 @@ void UtilTest::testGetContentDispositionFilename() {
CPPUNIT_ASSERT_EQUAL(std::string("foo;bar"),
util::getContentDispositionFilename(semicolonInside));
// Unescaping %2E%2E%2F produces "../". But since we won't unescape,
// we just accept it as is.
CPPUNIT_ASSERT_EQUAL
(std::string(""),
(std::string("%2E%2E%2Ffoo.html"),
util::getContentDispositionFilename("filename=\"%2E%2E%2Ffoo.html\""));
// RFC2231 Section4