
SpecialElectronPdf::sendPdfToOutput() - The content-disposition header should be sanitized
Closed, ResolvedPublic

Description

  • SpecialElectronPdf::sendPdfToOutput() - The content-disposition header should be sanitized.
    • Web browsers are supposed to only listen to the header if the suggested filename is sane. However as a precaution I think we should refuse to set the header to anything where the first character is a period or anything containing a /
    • I wonder if we should use $title->getPrefixedDBKey() instead of ->getPrefixedText() for the pdf name (Underscores seem more natural than spaces in a file name, to me). On the other hand, with modern GUI interfaces, spaces in file names are rather common, so maybe it's fine to stick with the spaces
    • I believe the filename parameter should be a quoted string in case it has spaces in it. (e.g. filename="Foo \"baz\".pdf")
    • For filenames that are non-ascii, according to http://greenbytes.de/tech/tc2231/ you have to do something like Content-disposition: inline; filename*=UTF-8''%E0%A4%AE%E0%A5%81%E0%A4%96%E0%A4%AA%E0%A5%83%E0%A4%B7%E0%A5%8D%E0%A4%A0.pdf
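As an added illustration (not the extension's code, and not the MediaWiki core function the merged patch switched to), the checks proposed above written out in Python, since the logic is language-independent: refuse a name whose first character is a period or that contains a slash, send the filename as a quoted string, and add the RFC 5987 `filename*=UTF-8''` form for non-ASCII titles alongside an ASCII fallback. The function names and the sample titles are constructed for this example.

```python
import re
import urllib.parse

# Constructed helper (not the extension's PHP code): build a
# Content-Disposition value for "<title>.pdf" with the checks from this task.

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_filename(name):
    """Reject names a browser might treat as a hidden file or a path."""
    if not name or name[0] == ".":
        return False
    if "/" in name or "\\" in name:  # backslash rejected too (Windows paths)
        return False
    if CONTROL_CHARS.search(name):   # CR/LF would split the header
        return False
    return True


def quoted_string(value):
    """HTTP quoted-string: escape backslash and double quote."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_content_disposition(title, disposition="inline"):
    """Return the header value for title + '.pdf'.

    Unsafe names yield the bare disposition so the browser picks its own
    name. Non-ASCII titles get an ASCII fallback in filename= plus the
    RFC 5987 filename*=UTF-8''<percent-encoded> parameter.
    """
    name = f"{title}.pdf"
    if not is_safe_filename(name):
        return disposition
    if name.isascii():
        return f"{disposition}; filename={quoted_string(name)}"
    fallback = "".join(c if c.isascii() else "_" for c in name)
    encoded = urllib.parse.quote(name, safe="")  # UTF-8 bytes, uppercase hex
    return (f"{disposition}; filename={quoted_string(fallback)}; "
            f"filename*=UTF-8''{encoded}")
```

For the Devanagari title from the link above this produces exactly the `filename*=UTF-8''%E0%A4%AE...%E0%A4%A0.pdf` value quoted in the description.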

Event Timeline

Addshore created this task. Nov 2 2016, 8:50 AM
Restricted Application added a subscriber: Aklapper. Nov 2 2016, 8:50 AM
Tobi_WMDE_SW moved this task from Proposed to Todo on the WMDE-QWERTY-Team board. Nov 2 2016, 10:09 AM
Tobi_WMDE_SW moved this task from Todo to Sprint ready on the WMDE-QWERTY-Team board.

Change 319595 had a related patch set uploaded (by Tobias Gritschacher):
Use MW function to generate Content-Disposition header

https://gerrit.wikimedia.org/r/319595

Change 319595 merged by jenkins-bot:
Use MW function to generate Content-Disposition header

https://gerrit.wikimedia.org/r/319595

WMDE-Fisch closed this task as Resolved. Nov 4 2016, 9:16 AM
WMDE-Fisch moved this task from Currently in sprint to Done on the WMDE-QWERTY-Team board.
Tobi_WMDE_SW moved this task from Done to Demoed on the WMDE-QWERTY-Team board. Nov 8 2016, 3:20 PM