Issue G: Unescaped Characters Put Into Content-Disposition Header #832
Synopsis: When the whistleblower uploads a file, they provide its file name. That file name is stored in
added a commit on Apr 9, 2014
In order to address this issue I've applied the following changes:
Related to the HTTP split injection, I've further investigated and it does not subsist. In fact, the set_header function of cyclone calls _convert_header_value, which prevents usage of the following values: [\x00-\x1f].
In addition, as suggested, I've correctly URL-encoded/decoded the filename as suggested in the report by using the standard urllib encode/decode.
Can you please validate the solution?
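The two defences the comment above relies on (rejecting control bytes in the header value, and URL-encoding the user-supplied filename) can be illustrated with a stand-alone example. This is added example code, not code from SecureDrop or from cyclone; `header_value_is_safe`, `naive_content_disposition` and `content_disposition` are hypothetical names, and the `[\x00-\x1f]` check only mimics the behaviour the comment describes rather than calling cyclone's own `_convert_header_value`. It shows a naive header built by string concatenation, which lets a CR/LF in the filename split the header, beside a hardened builder that strips control characters from the quoted fallback and carries the full name percent-encoded in an RFC 5987 `filename*` parameter.

```python
import re
import urllib.parse

# Control bytes in the range \x00-\x1f, the set the comment says cyclone's
# set_header rejects.  CR and LF are the ones that enable header splitting.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f]")


def header_value_is_safe(value: str) -> bool:
    """Mimic a 'reject control characters in a header value' check (hypothetical)."""
    return _CONTROL_CHARS.search(value) is None


def naive_content_disposition(filename: str) -> str:
    """The unsafe pattern: the user-supplied name is pasted straight into the header."""
    return f'attachment; filename="{filename}"'


def content_disposition(filename: str) -> str:
    """Build a Content-Disposition value for a user-supplied filename.

    - The quoted ``filename`` parameter gets an ASCII-only fallback with
      control characters, backslashes and double quotes removed.
    - ``filename*`` carries the full name percent-encoded (RFC 5987), so
      CR/LF, quotes and non-ASCII can never break out of the header.
    """
    ascii_fallback = _CONTROL_CHARS.sub("", filename)
    ascii_fallback = ascii_fallback.replace("\\", "").replace('"', "")
    ascii_fallback = ascii_fallback.encode("ascii", "ignore").decode("ascii") or "download"
    # safe="" makes quote() encode '/' as well, so a name cannot look like a path.
    encoded = urllib.parse.quote(filename, safe="")
    value = f'attachment; filename="{ascii_fallback}"; filename*=UTF-8\'\'{encoded}'
    # Belt and braces: after encoding no control byte can remain in the value.
    if not header_value_is_safe(value):
        raise ValueError("control character survived encoding")
    return value


if __name__ == "__main__":
    # Constructed sample input: a filename carrying a CRLF and a fake extra header.
    hostile = "evil.txt\r\nX-Injected: 1"
    print(repr(naive_content_disposition(hostile)))   # header splitting visible here
    print(repr(content_disposition(hostile)))         # CRLF arrives as %0D%0A only
    print(repr(content_disposition('r\u00e9sum\u00e9 "final".pdf')))
```

Run it with `python3 content_disposition_example.py`; the first line of output shows the raw `\r\n` that would terminate the header, the second shows the same name neutralised. A server-side reader of `filename*` decodes the percent-encoding with `urllib.parse.unquote`, which is the round trip the comment above describes.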
The simplest 'correct' way to do it is to put the filename in the URL of the download link or button, then don't set the filename with
Then have the server just ignore the last