[wp-trac] [WordPress Trac] #38231: Allow download_url to respect content-disposition header
WordPress Trac
noreply at wordpress.org
Tue Oct 26 21:16:44 UTC 2021
#38231: Allow download_url to respect content-disposition header
--------------------------------------+------------------------------
Reporter: cklosows | Owner: johnjamesjacoby
Type: enhancement | Status: assigned
Priority: normal | Milestone: 5.9
Component: HTTP API | Version: 4.7
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+------------------------------
Comment (by johnjamesjacoby):
[https://core.trac.wordpress.org/attachment/ticket/38231/38231.7.diff
38231.7.diff] includes the following iterations:
* Abandons
`WP_REST_Attachments_Controller::get_filename_from_disposition()`
approach. @costdev and I collaborated privately for a few full days, and
concluded that it does not fully sanitize a filename from an untrusted
source in the many ways that `download_url()` can be used.
* Looks for `'attachment; filename='` instead of `filename=`. Per the
[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-
Disposition specification], the `Content-Disposition` header only triggers
save-as dialogs when the `attachment;` "type" is sent with it. (The
`inline;` type would be displayed as a web page instead of being
downloaded anyways. The type is a required parameter.)
* Uses `sanitize_file_name()` to ensure that the suggested `filename`
value is as close to acceptable for the web server and WordPress rules as
possible. The nice thing about this is that values with a period in them
will automatically be checked against `wp_get_mime_types()` using
`wp_check_filetype()`. The value in doing this here (early) is that the
temporary file name can still be used if the suggestion happens to be
illegal.
* Uses `validate_file()` to avoid directory traversal. This adequately
prevents the `filename` value from including relative file paths and
writing to unintended locations in the file system.
* Includes 6 separate tests with 9 total assertions. These tests confirm
that valid file name values are correctly saved, and invalid file name
values are correctly rejected.
Massive props again to @costdev for going the extra mile with me behind
the scenes on this. 🙏
Barring anything we've missed, this patch is ready to be committed.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38231#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list