Commit aa8c6760 authored by Aaron Wells's avatar Aaron Wells

Escape double-quotes in filname, in Content-Disposition header

Bug 1578512: As specified in RFC 6266, the filename is a
"quoted-string", and as specified in RFC 2616 double quotes
within a quoted-string should be escaped with a backslash.

Change-Id: Id9d069a976406a82a6f0b6db92c696f700e00469
behatnotneeded: Can't test file uploads in behat yet
parent 9458f496
......@@ -84,10 +84,10 @@ function serve_file($path, $filename, $mimetype, $options=array()) {
// @todo possibly need addslashes on the filename, but I'm unsure on exactly
// how the browsers will handle it.
if ($mimetype == 'application/forcedownload' || isset($options['forcedownload'])) {
header('Content-Disposition: attachment; filename="' . $filename . '"');
header('Content-Disposition: attachment; filename="' . str_replace('"', '\"', $filename) . '"');
}
else {
header('Content-Disposition: inline; filename="' . $filename . '"');
header('Content-Disposition: inline; filename="' . str_replace('"', '\"', $filename) . '"');
}
header('X-Content-Type-Options: nosniff');
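Review bot: The escaping added on both Content-Disposition lines covers `"` but not the backslash, which is itself the quoted-pair escape character, so a filename that contains or ends in `\` still yields a quoted-string whose closing quote can be read as escaped. Escape both characters in one call, e.g. `addcslashes($filename, '"\\')`, ideally through one small helper so the attachment and inline branches cannot drift apart. The `@todo` comment above the `if` is now stale and should be replaced by a line stating that the filename is sent as an RFC 6266 quoted-string with `"` and `\` backslash-escaped. serve_file's body starts and ends outside this hunk, so where $filename originates should be confirmed there.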
......
......@@ -282,6 +282,6 @@ if (!empty($exportskins)) {
$content = $xmldoc->saveXML();
header('Content-Type: text/xml; charset=utf-8');
header('Content-Disposition: attachment; filename=' . $xmlfilename . '.xml');
header('Content-Disposition: attachment; filename=' . str_replace('"', '\"', $xmlfilename) . '.xml');
echo($content);
exit;
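Review bot: On the export line the filename parameter is still emitted without surrounding quotes, so the value is a token rather than a quoted-string and the backslash inserted before `"` does not act as an escape; a name containing a space, `;` or `"` still produces a malformed header. Wrap the value in quotes and escape both special characters: `header('Content-Disposition: attachment; filename="' . addcslashes($xmlfilename, '"\\') . '.xml"');`. How $xmlfilename is built is outside the hunk, so whether it can carry such characters needs to be checked at its source.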