Merge pull request #10752 from Bo98/content-disposition-comment

download_strategy: add comment about Content-Disposition handling

Library/Homebrew/download_strategy.rb

@@ -458,6 +458,9 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
         filename = URI.decode_www_form_component(encoded_filename).encode(encoding) if encoding && encoded_filename
       end
 
+      # Servers may include '/' in their Content-Disposition filename header. Take only the basename of this, because:
+      # - Unpacking code assumes this is a single file - not something living in a subdirectory.
+      # - Directory traversal attacks are possible without limiting this to just the basename.
       (filename || content_disposition.filename).rpartition("/")[-1]
     end