Escape filenames with quotes in them, in Content-Disposition:attachment headers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Medium | Unassigned |
15.04 | Fix Released | Medium | Unassigned |
15.10 | Fix Released | Medium | Unassigned |
16.04 | Fix Released | Medium | Unassigned |
16.10 | Fix Released | Medium | Unassigned |
Bug Description
If you give a file in Mahara a name that has double quotes in it and try to download it, your browser will name the download "download.php" instead of the correct file name. This is because we're not properly escaping the double quotes in the filenames in the "Content-
In fact, in the relevant code in htdocs/
Well, I tracked it down to the RFCs recently to find out the right format for this. The Content-Disposition header's usage in HTTP headers is defined in RFC 6266: https:/
So there you go. We just need to replace any " in the filename with \"
Changed in mahara:
milestone: 16.10.0 → none
status: Fix Committed → Fix Released
To replicate:
1. Go to File -> Contents
2. Upload a file called test.txt
3. Once uploaded, click the pencil icon to edit test.txt
4. Change its name to t"est.txt (or something else with double quotes in or around it). Press "Save changes"
5. Click on the title of the file, to trigger a download
Expected result: The browser offers to download a file called t"est.txt
Actual result: The browser offers to download a file called t, or whatever portion of the filename precedes the first double quote. If the first character in the filename is a double quote, the browser offers to download a file called "download.php".
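
The escaping described in the bug description, as an added example that is not Mahara's code or part of the original report; the function name `content_disposition_attachment` and the sample filenames are hypothetical. It goes beyond the `"` replacement named in the report: it also escapes backslashes (the other character that needs a quoted-pair inside a quoted-string), drops control characters such as CR and LF, and adds an RFC 5987 `filename*` parameter for non-ASCII names, assuming filenames are UTF-8.

```php
<?php
// Added example, not Mahara's code. The function name and the sample
// filenames below are constructed for illustration.

function content_disposition_attachment(string $filename): string
{
    // Remove control characters, CR and LF included, so the name cannot
    // end the header line early.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $filename);

    // Inside a quoted-string, backslash and double quote are sent as
    // quoted-pairs. strtr() with an array replaces in a single pass, so
    // the backslashes it inserts are not escaped a second time.
    $escape = ['\\' => '\\\\', '"' => '\\"'];

    if (!preg_match('/[^\x20-\x7E]/', $clean)) {
        return 'attachment; filename="' . strtr($clean, $escape) . '"';
    }

    // Non-ASCII name (assumed to be UTF-8): ASCII fallback in filename,
    // and the full name percent-encoded in filename* (RFC 5987 ext-value).
    $fallback = preg_replace('/[^\x20-\x7E]+/', '_', $clean);
    return 'attachment; filename="' . strtr($fallback, $escape) . '"'
        . "; filename*=UTF-8''" . rawurlencode($clean);
}

// Constructed sample names, including the one from the replication steps.
$samples = ['t"est.txt', '"quoted".txt', 'back\\slash.txt', "line\r\nbreak.txt", 'résumé.pdf'];
foreach ($samples as $name) {
    echo 'Content-Disposition: ', content_disposition_attachment($name), "\n";
}
```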