From 513b3863d999f91b47d7e9f26710390db55f9463 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Thu, 14 Jan 2016 14:28:37 +0100
Subject: ui-shared: prevent malicious filename from injecting headers
---
 ui-shared.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'ui-shared.c')
diff --git a/ui-shared.c b/ui-shared.c
index 21f581f..54bbde7 100644
--- a/ui-shared.c
+++ b/ui-shared.c
@@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
 htmlf("Content-Type: %s\n", ctx.page.mimetype);
 if (ctx.page.size)
 htmlf("Content-Length: %zd\n", ctx.page.size);
- if (ctx.page.filename)
- htmlf("Content-Disposition: inline; filename=\"%s\"\n",
- ctx.page.filename);
+ if (ctx.page.filename) {
+ html("Content-Disposition: inline; filename=\"");
+ html_header_arg_in_quotes(ctx.page.filename);
+ html("\"\n");
+ }
 if (!ctx.env.authenticated)
 html("Cache-Control: no-cache, no-store\n");
 htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));
--
cgit v1.2.1
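Review bot: The `Content-Type` line at the top of this hunk still writes `ctx.page.mimetype` into the response with a raw `%s`, so it keeps the exposure this commit closes for `ctx.page.filename`. Where the mimetype is assigned is not visible here; if any part of it can come from the request or from repository content, a CR or LF in it would start a new header, so it should be validated at assignment or escaped on output like the filename. The fix also rests entirely on `html_header_arg_in_quotes()`, which is defined outside this diff, so it is worth confirming that it neutralises CR, LF, `"` and `\`. A short comment above the new block would record the intent, e.g. `/* filename may be attacker-chosen: never emit it unescaped into a header */`. The body of cgit_print_http_headers() starts and ends outside the hunk.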