[#3182] - [fix][#33344] Wrong filename detection of Content-Disposition URL headers
- Closed
- 14 Jul 2014
- Medium
- Build: staging
- # 3182
- Diff
- phproberto:download-package
- Foreign ID 33344
- Success The Travis CI build passed Details
User tests: Successful: Unsuccessful:
The problem is that the current download system tries to read the filename from the Content-Disposition expecting that filename is quoted but that's not required. So in some sites (in this example from Github) the update fails.
This is the expected header by the system:[Content-Disposition] => attachment; filename="plg_sys_mootable-1.1.1.zip"
This is the returned header from some sites: [Content-Disposition] => attachment; filename=plg_sys_mootable-1.1.1.zip
As you can see the filename comes without the double quotes. I replaced the file name detection to work with both systems because now it's based on the equal sign.
I provided a demo plugin to test the issue.
Tracker issue:
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=33344
oh! You are right. I'll add a comment.
Thanks!
Yes, this looks better than my #3151 hack - closing there.
In theory a filename might contain also a = sign, but this might be unlikely.
I think the best approach here would be a decent regex, but as long as it works for us now...
The thing that bugs me a bit is that there are appearently situations where this is not even nesesary. Note the debugging game i played with Brian in the other issue - I have no idea what happens here. Any idea ?
@test Solves the issue 
Thanks @elkuku. You are right. I've updated it to use a basic regexp check based on:
http://www.phpliveregex.com/p/3Xr
The only problem now would be files whose name start with a double quote:
$tests = array(
'plg_sys_mootable-1.1.1.zip' => '[Content-Disposition] => attachment; filename="plg_sys_mootable-1.1.1.zip"',
'plg_sys_m="ootable-1.1.1.zip' => '[Content-Disposition] => attachment; filename = "plg_sys_m="ootable-1.1.1.zip"',
'plg_sys_mootable-1.1.1.zip' => '[Content-Disposition] => attachment; filename=plg_sys_mootable-1.1.1.zip',
'"plg_sys_mootable-1.1.1.zip' => '[Content-Disposition] => attachment; filename = "plg_sys_mootable-1.1.1.zip',
);
foreach ($tests as $expected => $string)
{
$target = null;
if (preg_match("/\s*filename\s?=\s?(.*)/", $string, $parts))
{
$target = isset($parts[1]) ? trim($parts[1], '"') : null;
}
$result = ($target == $expected) ? 'OK' : 'ERROR';
echo $result . " > Expected: <strong>" . $expected . '</strong> | Obtained: <strong>' . $target . '</strong><br />';
}
OK > Expected: plg_sys_mootable-1.1.1.zip | Obtained: plg_sys_mootable-1.1.1.zip
OK > Expected: plg_sys_m="ootable-1.1.1.zip | Obtained: plg_sys_m="ootable-1.1.1.zip
ERROR > Expected: "plg_sys_mootable-1.1.1.zip | Obtained: plg_sys_mootable-1.1.1.zip
But I think we cover 99,9% of the results.
I think people should know that it is probably a bad idea to start a file name with a double quote, so we might disregard this case here... looks very good
I also found this document: https://tools.ietf.org/html/rfc6266#section-5 maybe we should take those other forms into account ?
Its an invalid character for a filename in windows and may be in some other operating systems
It's valid on UNIX systems, but it's still a bad idea
Oh, and BTW... @phproberto: the code you posted above might be a good base for a unit test 2
Is this the same issue as http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=30357&start=700
Reply is missing in the tracker for me, but no, it's not the same issue. The issue was 301/302 redirects when requesting the file, not Content-Disposition.
Rebased vs latest staging and added the rigth commit message to ease merging in the future.
Apparently some users don't have the issue. My system is running Ubuntu Linux 14.04
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2014-07-14 13:36:58 |
illovo
- 
Sounds like same as #3151? Alltough your code looks simpler