RESOLVED FIXED 168839
Download attribute should be sanitized before being used as suggested filename 
https://bugs.webkit.org/show_bug.cgi?id=168839
Summary Download attribute should be sanitized before being used as suggested filename
Chris Dumez
Reported 2017-02-24 12:48:16 PST
Download attribute should be sanitized before being used as suggested filename for download.
Attachments
Patch (16.89 KB, patch)
2017-02-24 14:47 PST, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (16.77 KB, patch)
2017-02-24 15:32 PST, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (16.77 KB, patch)
2017-02-24 15:46 PST, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2017-02-24 12:48:44 PST
<rdar://problem/30683109>
Chris Dumez
Comment 2 2017-02-24 14:47:55 PST
Created attachment 302692 [details] Patch
Chris Dumez
Comment 3 2017-02-24 14:51:42 PST
Comment on attachment 302692 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=302692&action=review > Source/WebCore/html/HTMLAnchorElement.cpp:384 > + downloadAttribute = ResourceResponse::sanitizeSuggestedFilename(attributeWithoutSynchronization(downloadAttr)); We could also use FileSystem.h 's encodeForFileName() but it does %-encoding and it would be inconsistent with what CFNetwork does.
Chris Dumez
Comment 4 2017-02-24 15:10:03 PST
Comment on attachment 302692 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=302692&action=review > LayoutTests/fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-unicode-expected.txt:2 > +Downloading URL with suggested filename "你好.png" This is due to bugzilla. The output does look correct locally.
Chris Dumez
Comment 5 2017-02-24 15:15:05 PST
Comment on attachment 302692 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=302692&action=review > Source/WebCore/platform/network/ResourceResponseBase.cpp:230 > + ResourceResponse response(URL(ParsedURLString, "http://example.com"), String(), -1, String()); We need a HTTP URL and a non-zero status code or ResourceResponse::initNSURLResponse() will not process the headers when constructing the NSURLResponse.
Darin Adler
Comment 6 2017-02-24 15:17:43 PST
Comment on attachment 302692 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=302692&action=review > Source/WebCore/platform/network/ResourceResponseBase.cpp:235 > + StringBuilder value; > + value.appendLiteral("attachment; filename=\""); > + value.append(suggestedFilename.replace("\"", "\\\"")); > + value.appendLiteral("\""); This could be done more efficiently without a StringBuilder: String value = makeString("attachment; filename=\"", suggestedFilename.replace("\"", "\\\""), ''"'); Or you could use operator+ if you like that syntax better than makeString. I’m also surprised that we don‘t have an overload of replace that takes a char for the first argument and a const char* for the second argument. If we do, then that should be used. > Source/WebCore/platform/network/ResourceResponseBase.h:117 > + WEBCORE_EXPORT static String sanitizeSuggestedFilename(String); Typically the argument would be a const String& rather than a String to avoid unnecessary reference count churn.
Chris Dumez
Comment 7 2017-02-24 15:19:00 PST
Comment on attachment 302692 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=302692&action=review >> Source/WebCore/platform/network/ResourceResponseBase.h:117 >> + WEBCORE_EXPORT static String sanitizeSuggestedFilename(String); > > Typically the argument would be a const String& rather than a String to avoid unnecessary reference count churn. This issue is that String::replace() is not const. I can make the parameter a const String&, but then I'll need a local variable.
Chris Dumez
Comment 8 2017-02-24 15:32:45 PST
Created attachment 302694 [details] Patch
Chris Dumez
Comment 9 2017-02-24 15:46:39 PST
Created attachment 302696 [details] Patch
Chris Dumez
Comment 10 2017-02-24 15:47:24 PST
(In reply to comment #6) > Comment on attachment 302692 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=302692&action=review > > > Source/WebCore/platform/network/ResourceResponseBase.cpp:235 > > + StringBuilder value; > > + value.appendLiteral("attachment; filename=\""); > > + value.append(suggestedFilename.replace("\"", "\\\"")); > > + value.appendLiteral("\""); > > This could be done more efficiently without a StringBuilder: > > String value = makeString("attachment; filename=\"", > suggestedFilename.replace("\"", "\\\""), ''"'); > > Or you could use operator+ if you like that syntax better than makeString. > > I’m also surprised that we don‘t have an overload of replace that takes a > char for the first argument and a const char* for the second argument. If we > do, then that should be used. We do have such overload. I am using it now. > > > Source/WebCore/platform/network/ResourceResponseBase.h:117 > > + WEBCORE_EXPORT static String sanitizeSuggestedFilename(String); > > Typically the argument would be a const String& rather than a String to > avoid unnecessary reference count churn.
Chris Dumez
Comment 11 2017-02-24 16:04:17 PST
Committed r212972: <http://trac.webkit.org/changeset/212972>
Michael Catanzaro
Comment 12 2017-02-25 08:33:18 PST
New tests are all failing for GTK, see bug #168871.
Note You need to log in before you can comment on or make changes to this bug.