Informatics Virtual Learning Environment

Download content-disposition filename is not quoted

Reported by Matt Giuca on 2011-04-11
Affects  Status  Importance  Assigned to  Milestone
IVLE             High        Matt Giuca

Bug Description

The download service does not quote or escape the content-disposition filename field. This means any filenames with special characters will not be given the correct filename by the web browser.

For example, downloading a file "My file.txt" will produce the response header:

Content-Disposition: attachment; filename=My file.txt

The browser (at least Firefox) ignores everything after the space, so it just saves the file as "My".

I also managed to inject HTTP headers with this, by calling a file "test.pdf\nX-Malicious-Header: Contents\nX-Dummy: test.pdf". IVLE served this with response headers:

Content-Disposition: attachment; filename=test.pdf
X-Malicious-Header: Contents
X-Dummy: test.pdf

But I don't consider this to be a security vulnerability since it only works on the private Download link (the public Serve does not attempt to set content-disposition at all).

According to RFC 2183, it needs to be escaped with the quoting mechanism specified in RFC 2231 (which obsoletes 2184). I haven't found any way to do it (with a library) in Python, and people have said that browsers apparently don't all support 2184/2231. Maybe just drop the content-disposition header altogether?
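As an added illustration (not code from IVLE or from the reporter), the following Python 3 helper builds the header value the way the report says it should be built: CR, LF and other control characters are stripped so the value can never terminate the header and start another, plain ASCII names are emitted as an RFC 2183 quoted-string, and non-ASCII names get the RFC 2231 `filename*` form together with an ASCII `filename` fallback for browsers that do not understand it. The function names and the unescaped "before" version are this example's own.

```python
import re
from urllib.parse import quote

# Characters allowed in an unquoted HTTP token (RFC 7230 tchar).
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def naive_content_disposition(filename):
    """The behaviour the bug report describes: the name is inserted as-is."""
    return "attachment; filename=" + filename


def _quote_string(value):
    """Wrap value in an RFC 2616 quoted-string, escaping '\\' and '"'."""
    return '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')


def content_disposition(filename):
    """Return a Content-Disposition header *value* for an attachment.

    Control characters (including CR/LF and the C1 range) are removed so
    the value cannot inject further headers; an empty result falls back to
    a constructed default name.
    """
    clean = "".join(
        ch for ch in filename
        if ord(ch) >= 0x20 and not 0x7F <= ord(ch) <= 0x9F
    )
    if not clean:
        clean = "download"  # constructed default, not from the original page

    try:
        clean.encode("ascii")
    except UnicodeEncodeError:
        # RFC 2231/5987: UTF-8, percent-encoded, plus an ASCII fallback
        # ('?' replaces non-ASCII) for browsers lacking filename* support.
        fallback = clean.encode("ascii", "replace").decode("ascii")
        encoded = quote(clean, safe="", encoding="utf-8")
        return "attachment; filename=%s; filename*=UTF-8''%s" % (
            _quote_string(fallback), encoded)

    if _TOKEN_RE.match(clean):
        return "attachment; filename=" + clean  # token: no quoting needed
    return "attachment; filename=" + _quote_string(clean)
```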

Matt Giuca (mgiuca) on 2011-05-04
Changed in ivle:
importance: Medium → High
