download_strategy: fix case where filename cannot be parsed

2023-03-21 09:12:07 +11:00 · 2023-03-21 09:12:07 +11:00 · f197f164c8
commit f197f164c8
parent ffa7ee0112
1 changed files with 4 additions and 1 deletions
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@ -491,10 +491,13 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
        end
      end

+      filename ||= content_disposition.filename
+      next if filename.nil?
+
      # Servers may include '/' in their Content-Disposition filename header. Take only the basename of this, because:
      # - Unpacking code assumes this is a single file - not something living in a subdirectory.
      # - Directory traversal attacks are possible without limiting this to just the basename.
-      File.basename(filename || content_disposition.filename)
+      File.basename(filename)
    end

    filenames = lines.map(&parse_content_disposition).compact