Merge pull request #15024 from bevanjkay/download-strategy

download_strategy: fix case where filename cannot be parsed
2023-03-21 12:37:35 +00:00 · 2023-03-21 12:37:35 +00:00 · 8c6f31a7ac
commit 8c6f31a7ac
parent 121d91fdab d3d372d6f5
1 changed files with 4 additions and 1 deletions
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@ -491,10 +491,13 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
        end
      end

+      filename = content_disposition.filename if filename.blank?
+      next if filename.blank?
+
      # Servers may include '/' in their Content-Disposition filename header. Take only the basename of this, because:
      # - Unpacking code assumes this is a single file - not something living in a subdirectory.
      # - Directory traversal attacks are possible without limiting this to just the basename.
-      File.basename(filename || content_disposition.filename)
+      File.basename(filename)
    end

    filenames = lines.map(&parse_content_disposition).compact