
mahara-contributors team mailing list archive

[Bug 1578512] Re: Escape filenames with quotes in them, in Content-Disposition:attachment headers

 

To replicate:

1. Go to File -> Contents
2. Upload a file called test.txt
3. Once uploaded, click the pencil icon to edit test.txt
4. Change its name to t"est.txt (or something else with double quotes in or around it). Press "Save changes"
5. Click on the title of the file, to trigger a download

Expected result: The browser offers to download a file called t"est.txt

Actual result: The browser offers to download a file called t, or
whatever portion of the filename precedes the first double quote. If the
first character in the filename is a double quote, the browser offers to
download a file called "download.php".

** Changed in: mahara/15.04
       Status: New => Confirmed

** Changed in: mahara/15.04
       Status: Confirmed => In Progress

** Changed in: mahara/15.10
       Status: New => In Progress

** Changed in: mahara/16.04
       Status: New => In Progress

** Changed in: mahara/16.10
       Status: New => In Progress

** Changed in: mahara/15.04
   Importance: Undecided => Medium

** Changed in: mahara/15.10
   Importance: Undecided => Medium

** Changed in: mahara/16.04
   Importance: Undecided => Medium

** Changed in: mahara/16.10
   Importance: Undecided => Medium

** Changed in: mahara/15.04
    Milestone: None => 15.04.8

** Changed in: mahara/15.10
    Milestone: None => 15.10.4

** Changed in: mahara/16.04
    Milestone: None => 16.04.1

** Changed in: mahara/16.10
    Milestone: None => 16.10.0

-- 
https://bugs.launchpad.net/bugs/1578512

Title:
  Escape filenames with quotes in them, in
  Content-Disposition:attachment headers

Status in Mahara:
  In Progress
Status in Mahara 15.04 series:
  In Progress
Status in Mahara 15.10 series:
  In Progress
Status in Mahara 16.04 series:
  In Progress
Status in Mahara 16.10 series:
  In Progress

Bug description:
  If you give a file in Mahara a name that has double quotes in it and
  try to download it, your browser will name the download "download.php"
  instead of the correct file name. This is because we're not properly
  escaping the double quotes in the filenames in the
  "Content-Disposition" header.

  In fact, in the relevant code in htdocs/lib/file.php, there's a note
  from 2007: "@todo possibly need addslashes on the filename, but I'm
  unsure on exactly how the browsers will handle it."

  Well, I tracked it down to the RFCs recently to find out the right
  format for this. The Content-Disposition header's usage in HTTP
  headers is defined in RFC 6266:
  https://tools.ietf.org/html/rfc6266#section-4.1 . The filename there
  is defined to be a "quoted-string". The format of quoted-string is
  defined in RFC2616: https://tools.ietf.org/html/rfc2616#section-2.2
  There, it says that if your quoted string contains double quotes, you
  can escape them with a single backslash.

  So there you go. We just need to replace any " in the filename with \"

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1578512/+subscriptions
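
The escaping rule from the bug description, as an added PHP example (not Mahara's code from htdocs/lib/file.php; the function name is hypothetical and the sample filenames are constructed). It goes slightly beyond the report: it also escapes backslashes, which quoted-string treats as the escape character, drops control characters, and adds the RFC 6266 filename* form for non-ASCII names, assuming filenames are UTF-8.

```php
<?php
// Added example; content_disposition_attachment() is a hypothetical helper.

/**
 * Build the value of a Content-Disposition: attachment header for a
 * user-supplied filename (assumed to be UTF-8).
 */
function content_disposition_attachment(string $filename): string {
    // Control characters are not valid inside a quoted-string, and CR/LF
    // must never reach a header value, so remove them outright.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $filename);

    // ASCII fallback for the plain filename parameter: replace every byte
    // outside printable ASCII with an underscore.
    $ascii = preg_replace('/[^\x20-\x7E]/', '_', $clean);

    // quoted-pair escaping: a backslash before each backslash and each
    // double quote. strtr() with an array never re-scans its own output,
    // so the backslashes it inserts are not escaped a second time.
    $quoted = strtr($ascii, ['\\' => '\\\\', '"' => '\\"']);

    $value = 'attachment; filename="' . $quoted . '"';

    // For names with non-ASCII characters, add the extended parameter
    // from RFC 6266: charset, empty language tag, percent-encoded value.
    if ($ascii !== $clean) {
        $value .= "; filename*=UTF-8''" . rawurlencode($clean);
    }
    return $value;
}

// Constructed sample filenames, including the one from the replication steps.
$samples = [
    'test.txt',
    't"est.txt',
    '"download.txt',
    'back\\slash.txt',
    "line\r\nbreak.txt",
    "r\u{00E9}sum\u{00E9}.txt",
];
foreach ($samples as $name) {
    echo 'Content-Disposition: ' . content_disposition_attachment($name) . "\n";
}
```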

