mahara-contributors team mailing list archive
Message #35166
[Bug 1578512] [NEW] Escape filenames with quotes in them, in Content-Disposition:attachment headers
Public bug reported:
If you give a file in Mahara a name that has double quotes in it and try
to download it, your browser will name the download "download.php"
instead of the correct file name. This is because we're not properly
escaping the double quotes in the filenames in the "Content-Disposition"
header.
In fact, in the relevant code in htdocs/lib/file.php, there's a note
from 2007: "@todo possibly need addslashes on the filename, but I'm
unsure on exactly how the browsers will handle it."
Well, I tracked it down to the RFCs recently to find out the right
format for this. The Content-Disposition header's usage in HTTP headers
is defined in RFC 6266 (https://tools.ietf.org/html/rfc6266#section-4.1).
The filename there is defined to be a "quoted-string". The format of
quoted-string is defined in RFC 2616
(https://tools.ietf.org/html/rfc2616#section-2.2). There, it says that if
your quoted string contains double quotes, you can escape them with a
single backslash.
So there you go. We just need to replace any " in the filename with \"
** Affects: mahara
Importance: Medium
Status: In Progress
** Affects: mahara/15.04
Importance: Medium
Status: In Progress
** Affects: mahara/15.10
Importance: Medium
Status: In Progress
** Affects: mahara/16.04
Importance: Medium
Status: In Progress
** Affects: mahara/16.10
Importance: Medium
Status: In Progress
** Also affects: mahara/15.04
Importance: Undecided
Status: New
** Also affects: mahara/16.10
Importance: Undecided
Status: New
** Also affects: mahara/15.10
Importance: Undecided
Status: New
** Also affects: mahara/16.04
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1578512
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1578512/+subscriptions
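An added example, not Mahara's code from htdocs/lib/file.php: one way to build the header value in PHP using the quoted-string rule the report describes. The helper name and the sample filenames are hypothetical; beyond the report's quote escaping it also escapes backslashes (the quoted-pair escape character itself), drops control characters, and adds the RFC 6266 filename* form for non-ASCII names.

```php
<?php
// Added example; content_disposition_attachment() is a hypothetical helper,
// not a function from Mahara.
function content_disposition_attachment(string $filename): string {
    // Remove control characters (including CR and LF) so the filename
    // always stays inside a single header line.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $filename);

    // ASCII fallback for the quoted-string form: each non-ASCII byte
    // becomes an underscore.
    $ascii = preg_replace('/[^\x20-\x7E]/', '_', $clean);

    // quoted-pair escaping: backslash first, then the double quote, so the
    // backslashes added for quotes are not escaped a second time.
    $quoted = str_replace(['\\', '"'], ['\\\\', '\\"'], $ascii);

    $value = 'attachment; filename="' . $quoted . '"';

    // RFC 6266 filename* (RFC 5987 encoding) carries the exact UTF-8 name;
    // it is only added when the ASCII fallback differs from the real name.
    if ($ascii !== $clean) {
        $value .= "; filename*=UTF-8''" . rawurlencode($clean);
    }
    return $value;
}

// Constructed sample names, including the double-quote case from the report.
$samples = [
    'report.pdf',
    'my "final" draft.txt',
    'back\\slash".txt',
    "line\r\nbreak.txt",
    'résumé.pdf',
];
foreach ($samples as $name) {
    // In a download script this string would be passed to header().
    echo 'Content-Disposition: ' . content_disposition_attachment($name), PHP_EOL;
}
```

For the second sample this emits `filename="my \"final\" draft.txt"`, which keeps the whole name inside one quoted-string instead of ending it at the first embedded quote.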