diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb
index 936eac09b0..728c4e8189 100644
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@@ -458,6 +458,9 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
 filename = URI.decode_www_form_component(encoded_filename).encode(encoding) if encoding && encoded_filename
 end
+ # Servers may include '/' in their Content-Disposition filename header. Take only the basename of this, because:
+ # - Unpacking code assumes this is a single file - not something living in a subdirectory.
+ # - Directory traversal attacks are possible without limiting this to just the basename.
 (filename || content_disposition.filename).rpartition("/")[-1]
 end
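Review bot: The third added comment line overstates what `rpartition("/")[-1]` achieves: it only drops `/`-prefixed components, so a server-supplied filename of `..`, `foo/..`, `.` or one ending in `/` still comes back as `..`, `.` or an empty string, and a caller that joins that onto the cache directory would name the directory itself or its parent rather than a single file. Since this value is attacker-controlled (it comes straight from the Content-Disposition header), the basename should be validated before it is returned, e.g. `basename = (filename || content_disposition.filename).rpartition("/")[-1]` followed by `basename unless basename.empty? || %w[. ..].include?(basename)`; whether callers already cope with a nil result here is not visible in the hunk, so if they do not, raising instead of returning nil is the safer choice. The comment could then read `# Keep only the last '/'-separated component and reject '.', '..' and empty names, otherwise a hostile header could still name a directory.` The enclosing method begins before the hunk, so its signature and any earlier validation are not visible here.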