
Disallow low ASCII characters in content-disposition filename. Issue #…

1 parent 19ac54e commit 1269a922302717521d330ba4955b30ff1d422c66 @drbrain drbrain committed
Showing with 19 additions and 1 deletion.
  1. +1 −1 lib/mechanize/parser.rb
  2. +18 −0 test/test_mechanize_parser.rb
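--- a/lib/mechanize/parser.rb
+++ b/lib/mechanize/parser.rb
@@ -123,7 +123,7 @@ def extract_filename full_path = @full_path
 filename = "_#{filename}"
 end
-filename = filename.tr '<>:"\/\\|?*', '_'
+filename = filename.tr "\x00-\x1f<>:\"/\\|?*", '_'
 @filename = if full_path then
 File.join @uri.host, path, filename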
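Review bot: The `\\|` in the new `tr` set on the added line does not put a backslash into the replaced characters, because `String#tr` reads a backslash as an escape for the character that follows, so `\|` counts as `|` alone (the removed single-quoted literal behaved the same way). A backslash that reaches this line would pass through into the name handed to `File.join`; the new test expects seven underscores from nine input characters, which suggests `/` and `\` are dropped earlier in `extract_filename`, but that code is outside the hunk. If this line is meant to stand on its own for a server-supplied name, escape the backslash for `tr` as well: `filename = filename.tr "\x00-\x1f<>:\"/\\\\|?*", '_'`. The range also stops at `\x1f`, so DEL (`\x7f`) is left as is.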
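--- a/test/test_mechanize_parser.rb
+++ b/test/test_mechanize_parser.rb
@@ -112,6 +112,24 @@ def test_extract_filename_content_disposition_full_path
 assert_equal 'example/genome.jpeg', @parser.extract_filename(true)
 end
+def test_extract_filename_content_disposition_special
+@parser.uri = URI 'http://example/foo'
+
+@parser.response = {
+'content-disposition' => 'attachment; filename=/\\<>:"|?*'
+}
+
+assert_equal '_______', @parser.extract_filename
+
+chars = (0..31).map { |c| c.chr }.join
+
+@parser.response = {
+'content-disposition' => "attachment; filename=#{chars}"
+}
+
+assert_equal '_' * 32, @parser.extract_filename
+end
+
 def test_extract_filename_content_disposition_windows_special
 @parser.uri = URI 'http://example'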
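Review bot: The first assertion in `test_extract_filename_content_disposition_special` expects seven underscores for a nine-character filename, and nothing in the test says why; presumably `/` and `\` are removed before the `tr` call, so this case does not exercise those two characters in the replacement set. A comment above the assertion would make that explicit, e.g. `# "/" and "\" are removed before tr, so 7 characters remain` (confirm against `extract_filename`). The control-character case only covers a name made up entirely of `\x00`–`\x1f`; an assertion with one such byte inside an ordinary name would pin the behaviour a server-supplied filename is more likely to hit.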
