gitweb: Quote filename in HTTP Content-Disposition: header

Finish work started by commit a2f3db2 (although not documented in commit message) of quoting using quotemeta the filename in HTTP -content_disposition header. Just in case filename contains end of line character. Also use consistent coding style to compute -content_disposition parameter. Signed-off-by: Jakub Narebski <jnareb@gmail.com> Signed-off-by: Junio C Hamano <junkio@cox.net>
19 years ago · ab41dfbfd4
1 changed files with 9 additions and 8 deletions
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@ -2320,7 +2320,7 @@ sub git_project_index {
				@@ -2320,7 +2320,7 @@ sub git_project_index {
 	print $cgi->header(
 		-type => 'text/plain',
 		-charset => 'utf-8',
-		-content_disposition => qq(inline; filename="index.aux"));
+		-content_disposition => 'inline; filename="index.aux"');

 	foreach my $pr (@projects) {
 		if (!exists $pr->{'owner'}) {
@ -2682,7 +2682,7 @@ sub git_blob_plain {
				@@ -2682,7 +2682,7 @@ sub git_blob_plain {
 	print $cgi->header(
 		-type => "$type",
 		-expires=>$expires,
-		-content_disposition => "inline; filename=\"$save_as\"");
+		-content_disposition => 'inline; filename="' . quotemeta($save_as) . '"');
 	undef $/;
 	binmode STDOUT, ':raw';
 	print <$fd>;
@ -2856,10 +2856,11 @@ sub git_snapshot {
				@@ -2856,10 +2856,11 @@ sub git_snapshot {

 	my $filename = basename($project) . "-$hash.tar.$suffix";

-	print $cgi->header(-type => 'application/x-tar',
-	                   -content_encoding => $ctype,
-	                   -content_disposition => "inline; filename=\"$filename\"",
-	                   -status => '200 OK');
+	print $cgi->header(
+		-type => 'application/x-tar',
+		-content_encoding => $ctype,
+		-content_disposition => 'inline; filename="' . quotemeta($filename) . '"',
+		-status => '200 OK');

 	my $git_command = git_cmd_str();
 	open my $fd, "-|", "$git_command tar-tree $hash \'$project\' | $command" or
@ -3169,7 +3170,7 @@ sub git_blobdiff {
				@@ -3169,7 +3170,7 @@ sub git_blobdiff {
 			-type => 'text/plain',
 			-charset => 'utf-8',
 			-expires => $expires,
-			-content_disposition => qq(inline; filename=") . quotemeta($file_name) . qq(.patch"));
+			-content_disposition => 'inline; filename="' . quotemeta($file_name) . '.patch"');

 		print "X-Git-Url: " . $cgi->self_url() . "\n\n";

@ -3272,7 +3273,7 @@ sub git_commitdiff {
				@@ -3272,7 +3273,7 @@ sub git_commitdiff {
 			-type => 'text/plain',
 			-charset => 'utf-8',
 			-expires => $expires,
-			-content_disposition => qq(inline; filename="$filename"));
+			-content_disposition => 'inline; filename="' . quotemeta($filename) . '"');
 		my %ad = parse_date($co{'author_epoch'}, $co{'author_tz'});
 		print <<TEXT;
 From: $co{'author'}