From d330e915d13c11a4701c7e9e159a93140cfac7cd Mon Sep 17 00:00:00 2001
From: Bo Anderson
Date: Mon, 1 Mar 2021 13:59:05 +0000
Subject: [PATCH] download_strategy: add comment about Content-Disposition handling
---
 Library/Homebrew/download_strategy.rb | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb
index 936eac09b0..728c4e8189 100644
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@@ -458,6 +458,9 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
 filename = URI.decode_www_form_component(encoded_filename).encode(encoding) if encoding && encoded_filename
 end
+ # Servers may include '/' in their Content-Disposition filename header. Take only the basename of this, because:
+ # - Unpacking code assumes this is a single file - not something living in a subdirectory.
+ # - Directory traversal attacks are possible without limiting this to just the basename.
 (filename || content_disposition.filename).rpartition("/")[-1]
 end
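Review bot: The new comment's traversal claim is stronger than `rpartition("/")[-1]` alone guarantees: the returned basename can still be `..` or `.`, and it is an empty string when the header value ends in `/`, so whether a traversal is actually ruled out depends on how the caller joins this result onto the cache path, which is outside this hunk. It would help the next reader to say so in the comment rather than leave the impression that this line is the whole defence, e.g. `# Note: this does not reject '.', '..' or an empty name; the caller is expected to validate the result before joining it to a path.` If no such check exists downstream (I cannot tell from the hunk), a one-line guard such as `raise "invalid Content-Disposition filename" if name.empty? || %w[. ..].include?(name)` on the returned value would make the comment's claim true at this point. The enclosing method's header is outside the hunk.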