Reviewed: https://reviews.mahara.org/6457
Committed: https://git.mahara.org/mahara/mahara/commit/aa8c67601ec68f2b831335b394ba6731d4cf4d55
Submitter: Robert Lyon ([email protected])
Branch: master

commit aa8c67601ec68f2b831335b394ba6731d4cf4d55
Author: Aaron Wells <[email protected]>
Date: Thu May 5 18:47:52 2016 +1200

    Escape double-quotes in filename, in Content-Disposition header

    Bug 1578512: As specified in RFC 6266, the filename is a "quoted-string", and as specified in RFC 2616 double quotes within a quoted-string should be escaped with a backslash.

    Change-Id: Id9d069a976406a82a6f0b6db92c696f700e00469
    behatnotneeded: Can't test file uploads in behat yet

--
https://bugs.launchpad.net/bugs/1578512

Title:
  Escape filenames with quotes in them, in Content-Disposition:attachment headers

Status in Mahara: Fix Committed
Status in Mahara 15.04 series: In Progress
Status in Mahara 15.10 series: In Progress
Status in Mahara 16.04 series: In Progress
Status in Mahara 16.10 series: Fix Committed

Bug description:
  If you give a file in Mahara a name that has double quotes in it and try to download it, your browser will name the download "download.php" instead of the correct file name. This is because we're not properly escaping the double quotes in the filenames in the "Content-Disposition" header.

  In fact, in the relevant code in htdocs/lib/file.php, there's a note from 2007: "@todo possibly need addslashes on the filename, but I'm unsure on exactly how the browsers will handle it."

  Well, I tracked it down to the RFCs recently to find out the right format for this. The Content-Disposition header's usage in HTTP headers is defined in RFC 6266: https://tools.ietf.org/html/rfc6266#section-4.1 . The filename there is defined to be a "quoted-string".

  The format of quoted-string is defined in RFC2616: https://tools.ietf.org/html/rfc2616#section-2.2 There, it says that if your quoted string contains double quotes, you can escape them with a single backslash.

  So there you go. We just need to replace any " in the filename with \"
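
One way to apply the escaping described in the bug report, as an added example that is not Mahara's committed code; the function name `content_disposition_attachment` and the sample filenames are hypothetical. It goes beyond the report in three labelled ways: it also escapes the backslash itself, drops control characters (which RFC 2616 does not allow inside a quoted-string), and adds the RFC 6266 `filename*` parameter when the name is not plain ASCII.

```php
<?php
// Added example, not code from Mahara. Names and sample data are hypothetical.

/**
 * Build the value of a "Content-Disposition: attachment" header for a
 * user-supplied filename, following RFC 6266 and the quoted-string rules
 * of RFC 2616 section 2.2.
 */
function content_disposition_attachment(string $filename): string {
    // quoted-string text may not contain control characters. Removing them
    // (CR and LF included) also keeps the filename on a single header line.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $filename);

    // ASCII-only fallback for the plain "filename" parameter. The pattern
    // works on bytes, so each byte of a multi-byte character becomes "_".
    $fallback = preg_replace('/[^\x20-\x7E]/', '_', $clean);

    // quoted-pair: put a backslash before every double quote AND every
    // backslash. Escaping only the quote would leave a name ending in "\"
    // able to swallow the closing quote of the parameter.
    $header = 'attachment; filename="' . addcslashes($fallback, '"\\') . '"';

    // Extension: carry the exact name in filename* (RFC 6266 section 4.1)
    // when the fallback had to change it. rawurlencode() leaves only
    // unreserved characters unencoded, all of which are valid there.
    if ($fallback !== $clean) {
        $header .= "; filename*=UTF-8''" . rawurlencode($clean);
    }
    return $header;
}

// Constructed sample filenames covering the cases handled above.
$samples = [
    'report "final".pdf',      // double quotes, the case from the bug report
    'trailing backslash\\',    // backslash at the end of the name
    "line\r\nbreak.txt",       // control characters
    'résumé.pdf',              // non-ASCII (assumes the source file is UTF-8)
];

foreach ($samples as $name) {
    echo 'Content-Disposition: ', content_disposition_attachment($name), "\n";
}
```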

