From 977cad159956a9306f9fe55c7ab743da8971e0c4 Mon Sep 17 00:00:00 2001
From: Bo Anderson
Date: Tue, 16 Mar 2021 13:00:12 +0000
Subject: [PATCH] download_strategy: take basename of response-content-disposition query
---
 Library/Homebrew/download_strategy.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb
index bf52bc08a2..9b6292a3ef 100644
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@@ -313,7 +313,7 @@ class AbstractFileDownloadStrategy < AbstractDownloadStrategy
 query_params = CGI.parse(uri.query)
 query_params["response-content-disposition"].each do |param|
 query_basename = param[/attachment;\s*filename=(["']?)(.+)\1/i, 2]
- return query_basename if query_basename
+ return File.basename(query_basename) if query_basename
 end
 end
@@ -463,7 +463,7 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
 # Servers may include '/' in their Content-Disposition filename header. Take only the basename of this, because:
 # - Unpacking code assumes this is a single file - not something living in a subdirectory.
 # - Directory traversal attacks are possible without limiting this to just the basename.
- (filename || content_disposition.filename).rpartition("/")[-1]
+ File.basename(filename || content_disposition.filename)
 end
 filenames = lines.map(&parse_content_disposition).compact
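Review bot: `File.basename` returns `..`, `.` and `/` unchanged, so the added `return File.basename(query_basename) if query_basename` still hands back `..` when the `response-content-disposition` filename is exactly that, rather than a plain file name. The same applies to `File.basename(filename || content_disposition.filename)` in the second hunk. Consider skipping such values, for example `name = File.basename(query_basename)` followed by `return name unless %w[. .. /].include?(name)`, so the loop falls through to the next parameter or the URL-derived name. How the returned name is joined to the cache path is not visible here, so the impact is inferred; the enclosing method starts outside the hunk.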
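Review bot: Neither basename call is covered by a spec in this commit (the diffstat lists only download_strategy.rb), so the traversal guard described in the comment above the changed line could regress unnoticed. A regression case that feeds a Content-Disposition filename containing directory components and asserts the resolved name has none would pin both hunks. The swap is also not an exact equivalent of `rpartition("/")[-1]`: for a name ending in a slash such as `"dir/"` the old code produced `""` and `File.basename` now produces `"dir"`, which is worth a line in the comment, e.g. `# File.basename also drops trailing separators, so "dir/" resolves to "dir".` The `parse_content_disposition` block starts outside the hunk.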