On 7/10/19 10:06 am, Dave Reisner wrote:
> Downloads with a Content-Disposition header will typically not include
> slashes. When they do, we should most certainly only take the basename,
> but when they don't, we should treat the header value as the filename.
>
> Crash introduced in d197d8ab82cf when we started using get_filename
> in order to rightfully avoid an arbitrary file overwrite vulnerability.
> ---
>  lib/libalpm/dload.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)

Pulled.

A
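The rule described in the quoted commit message, written out as an added example. It is not part of the original thread and is not libalpm's code. The helper name `safe_download_name` and the sample header values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libalpm's get_filename): reduce a server-supplied
 * Content-Disposition filename to a single path component.
 * Returns a pointer into `value`, or NULL when no usable name remains. */
const char *safe_download_name(const char *value)
{
	const char *slash, *name;

	if(value == NULL) {
		return NULL;
	}
	/* No slash: the whole value is the filename. strrchr() returns NULL
	 * in that case, so "slash + 1" must not be used unconditionally. */
	slash = strrchr(value, '/');
	name = slash ? slash + 1 : value;

	/* Reject names that are empty or still refer to a directory. */
	if(*name == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
		return NULL;
	}
	return name;
}

int main(void)
{
	/* Constructed sample header values. */
	const char *samples[] = {
		"pkg-1.0-1-x86_64.pkg.tar.xz",
		"../../etc/pkg.tar.xz",
		"/absolute/path/pkg.tar.xz",
		"dir/",
		"..",
	};
	size_t i;

	for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		const char *name = safe_download_name(samples[i]);
		printf("%-32s -> %s\n", samples[i], name ? name : "(rejected)");
	}
	return 0;
}
```

The caller joins the returned name to its own download directory, so the server never chooses the directory part of the path.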