download_strategy: fix case where filename cannot be parsed

Bevan Kay 2023-03-21 09:12:07 +11:00
parent ffa7ee0112
commit f197f164c8
No known key found for this signature in database
GPG Key ID: C55CB024B5314B57

@ -491,10 +491,13 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
end end
end end
filename ||= content_disposition.filename
next if filename.nil?
# Servers may include '/' in their Content-Disposition filename header. Take only the basename of this, because: # Servers may include '/' in their Content-Disposition filename header. Take only the basename of this, because:
# - Unpacking code assumes this is a single file - not something living in a subdirectory. # - Unpacking code assumes this is a single file - not something living in a subdirectory.
# - Directory traversal attacks are possible without limiting this to just the basename. # - Directory traversal attacks are possible without limiting this to just the basename.
File.basename(filename || content_disposition.filename) File.basename(filename)
end end
filenames = lines.map(&parse_content_disposition).compact filenames = lines.map(&parse_content_disposition).compact
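Review bot: The new `next if filename.nil?` guard ahead of `File.basename(filename)` only skips nil, so an empty filename, or one that `File.basename` leaves as "/", "." or "..", would still survive `.compact` and end up in `filenames`. Since the comment above already calls out directory traversal, consider rejecting those values here too (for example `next if filename.nil? || filename.empty?` and a check on the basename result). A spec covering a Content-Disposition header with no parseable filename would also keep this fix from regressing.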