`passim_server_msg_send_item()`: quotes in filenames break "Content-Disposition" HTTP header
mgerstner opened this issue · comments
In passim_server_msg_send_item() we find the following line for constructing a Content-Disposition HTTP header:
content_disposition =
g_strdup_printf("attachment; filename=\"%s\"", passim_item_get_basename(item));
Since filenames might also contain quotes, the header can break:
# dd if=/dev/random bs=32 count=1 >'my"file'
# passim publish my\"file
Published: 8dc4f71039ad19361807599d417117f23eea3a335ecd23dd8e578ddaf49f0067 my"file age:5402/86400 share:0/5 size:32 bytes
# curl -v -k 'https://localhost:27500/myfile?sha256=8dc4f71039ad19361807599d417117f23eea3a335ecd23dd8e578ddaf49f0067' |& grep Content-Disposition
< Content-Disposition: attachment; filename="my"file"
What the repercussions of this are depends on the client that downloads the file. A test in Firefox shows that the file will be downloaded with a basename of my
only. It shouldn't be problematic security wise.
To fix this, instead of dealing with quoting, passim could also simply reject files with quotes in them.
I verified this fix.