Commit 367ce8a6 authored by Rolf Eike Beer's avatar Rolf Eike Beer

fix filename security check being omitted on parse error in HTTP header

A header like this:

Content-Disposition: attachment; filename="/home/eike/.gnupg/gpg.conf";
  foo="bar; foo="baz"

would not have the path from the filename stripped because of the later parse
error.

This adds a unit test for this and some other corner cases.

CCBUG:278643

backport of 54e8eded
parent da03cc03
......@@ -22,6 +22,7 @@
#include <QUrl>
#include <kcodecs.h>
#include <kdebug.h>
// Advance *pos beyond spaces / tabs
static void skipSpace(const char input[], int *pos, int end)
......@@ -385,7 +386,7 @@ static QString extractMaybeQuotedUntil(const QString &str, QChar term, int &pos)
}
}
static QMap<QString, QString> contentDispositionParser(const QString &disposition)
static QMap<QString, QString> contentDispositionParserInternal(const QString &disposition)
{
kDebug(7113) << "disposition: " << disposition;
int pos = 0;
......@@ -516,6 +517,13 @@ static QMap<QString, QString> contentDispositionParser(const QString &dispositio
parameters.insert( i.key(), val );
}
return parameters;
}
static QMap<QString, QString> contentDispositionParser(const QString &disposition)
{
QMap<QString, QString> parameters = contentDispositionParserInternal(disposition);
const QLatin1String fn("filename");
if( parameters.contains(fn) ) {
// Content-Disposition is not allowed to dictate directory
......
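Review bot: The new `contentDispositionParser` wrapper only sanitises the key `filename` (`parameters.contains(fn)`), so it relies on `contentDispositionParserInternal` having already folded any `filename*N` / `filename*N*` continuation parts into `filename` before it returns; if the internal parser stops on a parse error before that merge, the un-merged keys would skip the directory check this commit is meant to make unconditional. That is inferred, since the merge code is not in the hunk and the wrapper's body continues past the end of it. A comment on the wrapper would make the contract explicit, e.g. `// Post-processing that must run even when the internal parser stopped on a parse error: strip any directory part from "filename".` The new test case only uses the plain `filename` form, so a `filename*0*=...; foo` input would pin down the continuation case as well.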
......@@ -144,7 +144,15 @@ static const struct {
// "wrong" element ordering and encoding
{ "attachment; filename*1=\"html\"; filename*0*=us-ascii''foo.",
"type\tattachment\n"
"filename\tfoo.html" }
"filename\tfoo.html" },
// we ignore any path given in the header and use only the filename
{ "attachment; filename=\"/etc/shadow\"",
"type\tattachment\n"
"filename\tshadow" },
// we ignore any path given in the header and use only the filename even if there is an error later
{ "attachment; filename=\"/etc/shadow\"; foo",
"type\tattachment\n"
"filename\tshadow" }
};
#if 0
......
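Review bot: The parse-error case added at the end of the table provokes the error with a bare `foo` token, which is a different failure from the one in the commit message (a stray quote inside a later parameter, `foo="bar; foo="baz"`); adding that exact input keeps the originally reported header as a regression test, e.g. `{ "attachment; filename=\"/etc/shadow\"; foo=\"bar; foo=\"baz\"", "type\tattachment\n" "filename\tshadow" },`. Both new cases use a forward-slash absolute path; whether a backslash-separated path or a `..` component is also reduced to the base name is not exercised here, and the stripping code is not visible in this hunk, so one case for each would document the intended behaviour either way. The table is declared before the hunk starts.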