[Mahara-contributors] [Bug 1578512] Re: Escape filenames with quotes in them, in Content-Disposition:attachment headers

Mon, 11 Jul 2016 13:51:34 -0700 

** Changed in: mahara/15.04
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1578512

Title:
  Escape filenames with quotes in them, in Content-
  Disposition:attachment headers

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 15.10 series:
  Fix Released
Status in Mahara 16.04 series:
  Fix Released
Status in Mahara 16.10 series:
  Fix Committed

Bug description:
  If you give a file in Mahara a name that has doublequotes in it and
  try to download it, your browser will name the download "download.php"
  instead of the correct file name. This is because we're not properly
  escaping the double quotes in the filenames in the "Content-
  Disposition" header.

  In fact, in the relevant code in htdocs/lib/file.php, there's a note
  from 2007: "@todo possibly need addslashes on the filename, but I'm
  unsure on exactly how the browsers will handle it."

  Well, I tracked it down to the RFCs recently to find out the right
  format for this. The Content-Disposition header's usage in HTTP
  headers is defined in RFC 6266:
  https://tools.ietf.org/html/rfc6266#section-4.1 . The filename there
  is defined to be a "quoted-string". The format of quoted-string is
  defined in RFC2616: https://tools.ietf.org/html/rfc2616#section-2.2
  There, it says that if your quoted string contains double quotes, you
  can escape them with a single backslash.

  So there you go. We just need to replace any " in the filename with \"

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1578512/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp

Reply via email to