`passim_server_msg_send_item()`: quotes in filenames break "Content-Disposition" HTTP header

Question

`passim_server_msg_send_item()`: quotes in filenames break "Content-Disposition" HTTP header

mgerstner opened this issue 9 months ago · comments

Matthias Gerstner commented 9 months ago

In passim_server_msg_send_item() we find the following line for constructing a Content-Disposition HTTP header:

	content_disposition =
	    g_strdup_printf("attachment; filename=\"%s\"", passim_item_get_basename(item));

Since filenames might also contain quotes, the header can break:

# dd if=/dev/random bs=32 count=1 >'my"file'
# passim publish my\"file
Published: 8dc4f71039ad19361807599d417117f23eea3a335ecd23dd8e578ddaf49f0067 my"file age:5402/86400 share:0/5 size:32 bytes
# curl -v -k 'https://localhost:27500/myfile?sha256=8dc4f71039ad19361807599d417117f23eea3a335ecd23dd8e578ddaf49f0067' |& grep Content-Disposition
< Content-Disposition: attachment; filename="my"file"

What the repercussions of this are depends on the client that downloads the file. A test in Firefox shows that the file will be downloaded with a basename of my only. It shouldn't be problematic security wise.

To fix this, instead of dealing with quoting, passim could also simply reject files with quotes in them.

Matthias Gerstner · Answer 1 · Fri Oct 27 2023 19:35:49 GMT+0800 (China Standard Time)

I verified this fix.