Bug 278643

Summary: Path not stripped from HTTP Content-Disposition header on later error
Product: [Frameworks and Libraries] kio
Reporter: Rolf Eike Beer <kde>
Component: http
Assignee: kdelibs bugs <kdelibs-bugs>
Status: RESOLVED FIXED    
Severity: normal    
Priority: NOR    
Version: SVN   
Target Milestone: ---   
Platform: Compiled Sources   
OS: Linux   
Latest Commit:
Version Fixed In: 4.7.1

Description Rolf Eike Beer 2011-07-27 20:08:48 UTC
Version:           Git (using Devel) 
OS:                Linux

When the HTTP server gives us a Content-Disposition header that contains a filename with a path, we will strip the path so the server will not e.g. overwrite my gpg.conf or whatever:

Content-Disposition: attachment; filename="/home/eike/.gnupg/gpg.conf"

This would act the same as if the server had passed us:

Content-Disposition: attachment; filename="gpg.conf"

But if the header later contains garbage the parsing is stopped and that special handling of the filename parameter is not done. So this header would return the filename including the path:

Content-Disposition: attachment; filename="/home/eike/.gnupg/gpg.conf"; foo="bar; foo="baz"

Usually this will not cause immediate damage. E.g. in Konqueror this could only trick the save dialog to open in the given directory and show the given filename, but still ask the user for confirmation.

Reproducible: Always

Steps to Reproduce:
Put that line into an HTTP header and check what the parser returns. Or use the testcases that will be added by the fix on the unpatched version.


Expected Results:

This was already reported to security@kde.org and it was agreed that this is only a minor issue. The fix is ready and will be committed together with a unit test to verify this shortly to the branches from 4.4 to master.
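The bug class described in this report, as an added C++ example that is not code from kdelibs/kio and does not reproduce the kio parser: a small Content-Disposition parameter parser whose sanitising step (dropping the directory part of the filename) is, in the buggy variant, skipped whenever a later parameter fails to parse, and, in the fixed variant, applied to whatever was collected before the parse error. All names (parseParams, stripPath, filenameBuggy, filenameFixed) are hypothetical. It goes slightly beyond the report's single case by also handling unquoted values and backslash separators.

```cpp
// Added example, not code from kdelibs/kio. Hypothetical names throughout.
// Illustrates the bug class from KDE bug 278643: a path-stripping security
// check that only runs when the whole header parsed cleanly.
#include <cctype>
#include <iostream>
#include <map>
#include <string>

using Params = std::map<std::string, std::string>;

static bool isSpace(char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; }

// Security step: drop any directory part so the server cannot choose where the
// file is saved. Both '/' and '\' are treated as separators.
static std::string stripPath(const std::string& name) {
    const std::string::size_type pos = name.find_last_of("/\\");
    return pos == std::string::npos ? name : name.substr(pos + 1);
}

// Parse the "; key=value" parameters that follow the disposition type.
// Returns false at the first token it cannot parse and leaves `out` holding
// the parameters collected so far (the "stop on garbage" behaviour).
static bool parseParams(const std::string& header, Params& out) {
    std::string::size_type i = header.find(';');
    while (i != std::string::npos) {
        ++i;
        while (i < header.size() && isSpace(header[i])) ++i;
        const std::string::size_type eq = header.find('=', i);
        if (eq == std::string::npos) return false;            // parameter without '='
        std::string key = header.substr(i, eq - i);
        while (!key.empty() && isSpace(key.back())) key.pop_back();
        for (char& c : key) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        if (key.empty()) return false;
        std::string::size_type j = eq + 1;
        std::string value;
        if (j < header.size() && header[j] == '"') {
            const std::string::size_type close = header.find('"', j + 1);
            if (close == std::string::npos) return false;      // unterminated quote
            value = header.substr(j + 1, close - j - 1);
            j = close + 1;
            while (j < header.size() && isSpace(header[j])) ++j;
            if (j < header.size() && header[j] != ';') return false;  // junk after closing quote
            i = j < header.size() ? j : std::string::npos;
        } else {
            const std::string::size_type end = header.find(';', j);
            value = header.substr(j, end == std::string::npos ? std::string::npos : end - j);
            while (!value.empty() && isSpace(value.back())) value.pop_back();
            i = end;
        }
        out[key] = value;
    }
    return true;
}

static std::string rawFilename(const Params& p) {
    const auto it = p.find("filename");
    return it == p.end() ? std::string() : it->second;
}

// Before the fix: the sanitising step sits behind the "parsed cleanly" check,
// so a malformed parameter after filename= lets the full path through.
std::string filenameBuggy(const std::string& header) {
    Params p;
    if (!parseParams(header, p)) return rawFilename(p);
    return stripPath(rawFilename(p));
}

// After the fix: whatever was collected before the parse error is still
// sanitised; the parse result only tells the caller the header was malformed.
std::string filenameFixed(const std::string& header) {
    Params p;
    parseParams(header, p);
    return stripPath(rawFilename(p));
}

int main() {
    // Constructed inputs: the two headers from the bug report.
    const std::string clean = "attachment; filename=\"/home/eike/.gnupg/gpg.conf\"";
    const std::string junk  = "attachment; filename=\"/home/eike/.gnupg/gpg.conf\"; foo=\"bar; foo=\"baz\"";
    std::cout << "clean/buggy: " << filenameBuggy(clean) << "\n"
              << "junk/buggy:  " << filenameBuggy(junk) << "\n"
              << "junk/fixed:  " << filenameFixed(junk) << "\n";
    return 0;
}
```

The structural lesson is in filenameFixed: a sanitising step that exists for security must run on every exit path that hands data to the caller, not only on the success path. Unit tests for such a parser should include at least one input that fails to parse after the sensitive parameter has already been read.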
Comment 1 Rolf Eike Beer 2011-07-27 21:26:00 UTC
Git commit 54e8eded22c4af61f609b6184cc0293df407a2f9 by Rolf Eike Beer.
Committed on 16/07/2011 at 16:19.
Pushed by dakon into branch 'master'.

fix filename security check being omitted on parse error in HTTP header

A header like this:

Content-Disposition: attachment; filename="/home/eike/.gnupg/gpg.conf";
  foo="bar; foo="baz"

would not have the path from the filename stripped because of the later parse
error.

This adds a unit test for this and some other corner cases.

CCBUG:278643

M  +11   -3    kioslave/http/parsinghelpers.cpp
M  +14   -0    kioslave/http/tests/httpheaderdispositiontest.cpp

http://commits.kde.org/kdelibs/54e8eded22c4af61f609b6184cc0293df407a2f9
Comment 2 Rolf Eike Beer 2011-07-27 21:58:12 UTC
Git commit 4077bd26cc54f14d048c6ae90e2a14f2e43c68d2 by Rolf Eike Beer.
Committed on 16/07/2011 at 16:19.
Pushed by dakon into branch 'KDE/4.7'.

fix filename security check being omitted on parse error in HTTP header

A header like this:

Content-Disposition: attachment; filename="/home/eike/.gnupg/gpg.conf";
  foo="bar; foo="baz"

would not have the path from the filename stripped because of the later parse
error.

This adds a unit test for this and some other corner cases.

CCBUG:278643
FIXED-IN:4.7.1

backport of 54e8eded22c4af61f609b6184cc0293df407a2f9

M  +11   -3    kioslave/http/parsinghelpers.cpp
M  +14   -0    kioslave/tests/httpheaderdispositiontest.cpp

http://commits.kde.org/kdelibs/4077bd26cc54f14d048c6ae90e2a14f2e43c68d2
Comment 3 Rolf Eike Beer 2011-07-27 22:17:44 UTC
Git commit edb0799c352af02f04e6f50b85412b4118cc86ac by Rolf Eike Beer.
Committed on 28/07/2011 at 00:06.
Pushed by dakon into branch 'KDE/4.6'.

fix filename security check being omitted on parse error in HTTP header

A header like this:

Content-Disposition: attachment; filename="/home/eike/.gnupg/gpg.conf";
  foo="bar; foo="baz"

would not have the path from the filename stripped because of the later parse
error.

This adds a unit test for this and some other corner cases.

CCBUG:278643

backport of 54e8eded22c4af61f609b6184cc0293df407a2f9

M  +11   -3    kioslave/http/parsinghelpers.cpp
M  +11   -0    kioslave/tests/httpheaderdispositiontest.cpp

http://commits.kde.org/kdelibs/edb0799c352af02f04e6f50b85412b4118cc86ac
Comment 4 Rolf Eike Beer 2011-07-28 20:13:25 UTC
Git commit 367ce8a60024aaf92bb673869ae20efdc35f43a5 by Rolf Eike Beer.
Committed on 28/07/2011 at 22:11.
Pushed by dakon into branch 'KDE/4.5'.

fix filename security check being omitted on parse error in HTTP header

A header like this:

Content-Disposition: attachment; filename="/home/eike/.gnupg/gpg.conf";
  foo="bar; foo="baz"

would not have the path from the filename stripped because of the later parse
error.

This adds a unit test for this and some other corner cases.

CCBUG:278643

backport of 54e8eded22c4af61f609b6184cc0293df407a2f9

M  +9    -1    kioslave/http/parsinghelpers.cpp
M  +9    -1    kioslave/tests/httpheaderdispositiontest.cpp

http://commits.kde.org/kdelibs/367ce8a60024aaf92bb673869ae20efdc35f43a5
Comment 5 Rolf Eike Beer 2011-07-28 20:31:35 UTC
Git commit a51e9a15afd984d92f3b095d3d05e7028701923d by Rolf Eike Beer.
Committed on 28/07/2011 at 22:11.
Pushed by dakon into branch 'KDE/4.4'.

fix filename security check being omitted on parse error in HTTP header

A header like this:

Content-Disposition: attachment; filename="/home/eike/.gnupg/gpg.conf";
  foo="bar; foo="baz"

would not have the path from the filename stripped because of the later parse
error.

This adds a unit test for this and some other corner cases.

BUG:278643

backport of 54e8eded22c4af61f609b6184cc0293df407a2f9

M  +9    -1    kioslave/http/parsinghelpers.cpp
M  +9    -1    kioslave/tests/httpheaderdispositiontest.cpp

http://commits.kde.org/kdelibs/a51e9a15afd984d92f3b095d3d05e7028701923d