Commit d84ee5d6 authored by Aaron Wells's avatar Aaron Wells Committed by Robert Lyon

Escape double-quotes in filname, in Content-Disposition header

Bug 1578512: As specified in RFC 6266, the filename is a
"quoted-string", and as specified in RFC 2616 double quotes
within a quoted-string should be escaped with a backslash.

Change-Id: Id9d069a976406a82a6f0b6db92c696f700e00469
behatnotneeded: Can't test file uploads in behat yet
(cherry picked from commit aa8c6760)
parent c5e652b7
...@@ -84,10 +84,10 @@ function serve_file($path, $filename, $mimetype, $options=array()) { ...@@ -84,10 +84,10 @@ function serve_file($path, $filename, $mimetype, $options=array()) {
// @todo possibly need addslashes on the filename, but I'm unsure on exactly // @todo possibly need addslashes on the filename, but I'm unsure on exactly
// how the browsers will handle it. // how the browsers will handle it.
if ($mimetype == 'application/forcedownload' || isset($options['forcedownload'])) { if ($mimetype == 'application/forcedownload' || isset($options['forcedownload'])) {
header('Content-Disposition: attachment; filename="' . $filename . '"'); header('Content-Disposition: attachment; filename="' . str_replace('"', '\"', $filename) . '"');
} }
else { else {
header('Content-Disposition: inline; filename="' . $filename . '"'); header('Content-Disposition: inline; filename="' . str_replace('"', '\"', $filename) . '"');
} }
header('X-Content-Type-Options: nosniff'); header('X-Content-Type-Options: nosniff');
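Review bot: The new `str_replace('"', '\"', $filename)` on the two header() lines escapes double quotes but leaves backslashes alone, so a filename ending in a backslash produces `filename="foo\"`, where the closing quote reads as a quoted-pair and the quoted-string is left unterminated. Inside an RFC 2616 quoted-string the backslash itself must be escaped as well; `addcslashes($filename, '"\\')` (or `str_replace(['\\', '"'], ['\\\\', '\"'], $filename)`) covers both characters, and computing the escaped value once before the `if` would remove the duplicated expression in the two branches. The `@todo possibly need addslashes on the filename` comment at the top of the hunk is now partly addressed and should be updated or removed so it does not mislead the next reader. serve_file's body begins and continues outside the hunk.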
...@@ -282,6 +282,6 @@ if (!empty($exportskins)) { ...@@ -282,6 +282,6 @@ if (!empty($exportskins)) {
$content = $xmldoc->saveXML(); $content = $xmldoc->saveXML();
header('Content-Type: text/xml; charset=utf-8'); header('Content-Type: text/xml; charset=utf-8');
header('Content-Disposition: attachment; filename=' . $xmlfilename . '.xml'); header('Content-Disposition: attachment; filename=' . str_replace('"', '\"', $xmlfilename) . '.xml');
echo($content); echo($content);
exit; exit;
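Review bot: On the changed header() line the filename is not wrapped in double quotes, so `str_replace('"', '\"', $xmlfilename)` inserts backslash escaping into a bare token, where no quoted-string parsing takes place and neither character is valid in the first place. Either the value should be quoted as the first hunk does, `header('Content-Disposition: attachment; filename="' . str_replace('"', '\"', $xmlfilename) . '.xml"');`, or the replacement does nothing toward the commit's stated goal. Backslashes in $xmlfilename would also need escaping inside a quoted-string, so `addcslashes($xmlfilename, '"\\')` is the safer helper; where $xmlfilename is built is outside the hunk, so whether it can carry such characters is not visible here. The enclosing `if (!empty($exportskins))` block starts outside the hunk.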