admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

download_strategy: take basename of response-content-disposition query

Browse Source
This commit is contained in:
Bo Anderson 2021-03-16 13:00:12 +00:00
parent 234fae6bd6
commit 977cad1599
No known key found for this signature in database
GPG Key ID: 3DB94E204E137D65
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Library/Homebrew/download_strategy.rb
View File

@ -313,7 +313,7 @@ class AbstractFileDownloadStrategy < AbstractDownloadStrategy
query_params = CGI.parse(uri.query) query_params = CGI.parse(uri.query)
query_params["response-content-disposition"].each do |param| query_params["response-content-disposition"].each do |param|
query_basename = param[/attachment;\s*filename=(["']?)(.+)\1/i, 2] query_basename = param[/attachment;\s*filename=(["']?)(.+)\1/i, 2]
return query_basename if query_basename return File.basename(query_basename) if query_basename
end end
end end
@ -463,7 +463,7 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
# Servers may include '/' in their Content-Disposition filename header. Take only the basename of this, because: # Servers may include '/' in their Content-Disposition filename header. Take only the basename of this, because:
# - Unpacking code assumes this is a single file - not something living in a subdirectory. # - Unpacking code assumes this is a single file - not something living in a subdirectory.
# - Directory traversal attacks are possible without limiting this to just the basename. # - Directory traversal attacks are possible without limiting this to just the basename.
(filename || content_disposition.filename).rpartition("/")[-1] File.basename(filename || content_disposition.filename)
end end
filenames = lines.map(&parse_content_disposition).compact filenames = lines.map(&parse_content_disposition).compact