Download content-disposition filename is not quoted
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| IVLE | Triaged | High | Matt Giuca | |
Bug Description
The download service does not quote or escape the content-disposition filename field. This means any filenames with special characters will not be given the correct filename by the web browser.
For example, downloading a file "My file.txt" will produce the response header:
Content-
The browser (at least Firefox) ignores everything after the space, so it just saves the file as "My".
I also managed to inject HTTP headers with this, by calling a file "test.pdf\
Content-
X-Malicious-Header: Contents
X-Dummy: test.pdf
But I don't consider this to be a security vulnerability since it only works on the private Download link (the public Serve does not attempt to set content-disposition at all).
According to RFC 2183, it needs to be escaped with the quoting mechanism specified in RFC 2231 (which obsoletes 2184). I haven't found any way to do it (with a library) in Python, and people have said that browsers apparently don't all support 2184/2231. Maybe just drop the content-disposition header altogether?
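Added example (not IVLE's own code) of how the download service could build the header: the unquoted form the report describes, beside a version that strips control characters, quotes the filename and adds an RFC 2231 style `filename*` parameter for non-ASCII names. Function names are assumptions.

```python
import re
from urllib.parse import quote

# Unquoted form as the report describes: a space truncates the name in the
# browser and a CR/LF in the name lets further header lines be appended.
def naive_content_disposition(filename: str) -> str:
    return "Content-Disposition: attachment; filename=" + filename

# Control characters (CR, LF, NUL, ...) must never reach a header value.
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")

def safe_content_disposition(filename: str) -> str:
    """Quoted ASCII fallback plus an RFC 2231 / RFC 5987 filename* parameter
    (charset''percent-encoded octets) when the name contains non-ASCII."""
    filename = _CTL_RE.sub("", filename)
    # Quoted-string fallback: escape backslash and double quote, drop non-ASCII.
    ascii_name = filename.encode("ascii", "ignore").decode("ascii")
    ascii_name = ascii_name.replace("\\", "\\\\").replace('"', '\\"')
    if not ascii_name:
        ascii_name = "download"  # constructed default for names with no ASCII left
    header = 'Content-Disposition: attachment; filename="%s"' % ascii_name
    if not filename.isascii():
        header += "; filename*=UTF-8''" + quote(filename, safe="")
    return header
```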
Changed in ivle: importance: Medium → High