Commit 4077bd26 authored by Rolf Eike Beer's avatar Rolf Eike Beer Committed by Rolf Eike Beer

fix filename security check being omitted on parse error in HTTP header

A header like this:

Content-Disposition: attachment; filename="/home/eike/.gnupg/gpg.conf";
  foo="bar; foo="baz"

would not have the path from the filename stripped because of the later parse
error.

This adds a unit test for this case and some other corner cases.

CCBUG:278643
FIXED-IN:4.7.1

backport of 54e8eded
parent 9e03aa21
......@@ -23,6 +23,7 @@
#include <QUrl>
#include <kcodecs.h>
#include <kdebug.h>
// Advance *pos beyond spaces / tabs
static void skipSpace(const char input[], int *pos, int end)
......@@ -400,7 +401,7 @@ static QString extractMaybeQuotedUntil(const QString &str, int &pos)
}
}
static QMap<QString, QString> contentDispositionParser(const QString &disposition)
static QMap<QString, QString> contentDispositionParserInternal(const QString &disposition)
{
kDebug(7113) << "disposition: " << disposition;
int pos = 0;
......@@ -423,7 +424,7 @@ static QMap<QString, QString> contentDispositionParser(const QString &dispositio
if (key.isEmpty()) {
// parse error in this key: do not parse more, but add up
// everything we already got
kDebug(7113) << "parse error, abort parsing";
kDebug(7113) << "parse error in key, abort parsing";
break;
}
......@@ -436,7 +437,7 @@ static QMap<QString, QString> contentDispositionParser(const QString &dispositio
if (val.isEmpty()) {
if (pos == -1) {
kDebug(7113) << "parse error, abort parsing";
kDebug(7113) << "parse error in value, abort parsing";
break;
}
continue;
......@@ -551,6 +552,13 @@ static QMap<QString, QString> contentDispositionParser(const QString &dispositio
}
}
return parameters;
}
static QMap<QString, QString> contentDispositionParser(const QString &disposition)
{
QMap<QString, QString> parameters = contentDispositionParserInternal(disposition);
const QLatin1String fn("filename");
if (parameters.contains(fn)) {
// Content-Disposition is not allowed to dictate directory
......
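Review bot: After this split, `contentDispositionParserInternal()` returns the `filename` value exactly as the header supplied it, directory included, and nothing at its definition says so. Callers are protected only because they go through the `contentDispositionParser()` wrapper, so a comment above the internal function such as `// Returns parameters as parsed; "filename" may still carry a path. Use contentDispositionParser().` would keep a later caller from bypassing the check. The wrapper looks up the literal key `filename` only; if the internal parser can ever return that parameter under a differently cased or `filename*`-style key (not visible here), the value would skip the stripping, which is worth confirming. The wrapper's body continues past the end of the visible section.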
......@@ -194,6 +194,20 @@ static const struct {
"filename\tfoo-ä-€.html" },
// missing closing quote, so parameter is broken
{ "attachment; filename=\"bar",
"type\tattachment" },
// we ignore any path given in the header and use only the filename
{ "attachment; filename=\"/etc/shadow\"",
"type\tattachment\n"
"filename\tshadow" },
// we ignore any path given in the header and use only the filename even if there is an error later
{ "attachment; filename=\"/etc/shadow\"; foo=\"baz\"; foo=\"bar\"",
"type\tattachment\n"
"filename\tshadow" },
// control characters are forbidden in the quoted string
{ "attachment; filename=\"foo\003\"",
"type\tattachment" },
// duplicate keys must be ignored
{ "attachment; filename=\"bar\"; filename*0=\"foo.\"; filename*1=\"html\"",
"type\tattachment" }
};
......
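Review bot: The new "error later" row uses a duplicate `foo` key, whereas the commit message describes an unterminated quote (`foo="bar; foo="baz"`). As far as the visible rows show, neither that value-parse-error branch nor the `key.isEmpty()` branch is exercised together with a path-bearing filename. Adding one row per branch, each requiring `filename\tshadow` in the expected output, would pin the regression this commit is about. The path rows also cover only an absolute POSIX path; a row with a relative `../` component would document what the stripping does for that input. The table begins outside this section.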