gitweb: Quote filename in HTTP Content-Disposition: header

Finish work started by commit a2f3db2 (although not documented
in commit message) of quoting using quotemeta the filename in
HTTP -content_disposition header.

Just in case filename contains end of line character.

Also use consistent coding style to compute -content_disposition
parameter.

Signed-off-by: Jakub Narebski <redacted>
Signed-off-by: Junio C Hamano <redacted>

diff --git a/gitweb.perl b/gitweb.perl
index b75a81ba29c086542556cc1482f110ca0e5a0bd07c4d8080b88642ad2dc20845..4cf43f20fa0ee10daaf47ed42caa38269e3316dfd218159af3d45464aac62218 100755 (executable)
--- a/gitweb.perl
+++ b/gitweb.perl
@@ -2320,7 +2320,7 @@ sub git_project_index {
        print $cgi->header(
                -type => 'text/plain',
                -charset => 'utf-8',
        print $cgi->header(
                -type => 'text/plain',
                -charset => 'utf-8',

-               -content_disposition => qq(inline; filename="index.aux"));
+               -content_disposition => 'inline; filename="index.aux"');

 
        foreach my $pr (@projects) {
                if (!exists $pr->{'owner'}) {
 
        foreach my $pr (@projects) {
                if (!exists $pr->{'owner'}) {


@@ -2682,7 +2682,7 @@ sub git_blob_plain {
        print $cgi->header(
                -type => "$type",
                -expires=>$expires,
        print $cgi->header(
                -type => "$type",
                -expires=>$expires,

-               -content_disposition => "inline; filename=\"$save_as\"");
+               -content_disposition => 'inline; filename="' . quotemeta($save_as) . '"');

        undef $/;
        binmode STDOUT, ':raw';
        print <$fd>;
        undef $/;
        binmode STDOUT, ':raw';
        print <$fd>;


@@ -2856,10 +2856,11 @@ sub git_snapshot {
 
        my $filename = basename($project) . "-$hash.tar.$suffix";
 
 
        my $filename = basename($project) . "-$hash.tar.$suffix";
 

-       print $cgi->header(-type => 'application/x-tar',
-                          -content_encoding => $ctype,
-                          -content_disposition => "inline; filename=\"$filename\"",
-                          -status => '200 OK');
+       print $cgi->header(
+               -type => 'application/x-tar',
+               -content_encoding => $ctype,
+               -content_disposition => 'inline; filename="' . quotemeta($filename) . '"',
+               -status => '200 OK');

 
        my $git_command = git_cmd_str();
        open my $fd, "-|", "$git_command tar-tree $hash \'$project\' | $command" or
 
        my $git_command = git_cmd_str();
        open my $fd, "-|", "$git_command tar-tree $hash \'$project\' | $command" or


@@ -3169,7 +3170,7 @@ sub git_blobdiff {
                        -type => 'text/plain',
                        -charset => 'utf-8',
                        -expires => $expires,
                        -type => 'text/plain',
                        -charset => 'utf-8',
                        -expires => $expires,

-                       -content_disposition => qq(inline; filename=") . quotemeta($file_name) . qq(.patch"));
+                       -content_disposition => 'inline; filename="' . quotemeta($file_name) . '.patch"');

 
                print "X-Git-Url: " . $cgi->self_url() . "\n\n";
 
 
                print "X-Git-Url: " . $cgi->self_url() . "\n\n";
 


@@ -3272,7 +3273,7 @@ sub git_commitdiff {
                        -type => 'text/plain',
                        -charset => 'utf-8',
                        -expires => $expires,
                        -type => 'text/plain',
                        -charset => 'utf-8',
                        -expires => $expires,

-                       -content_disposition => qq(inline; filename="$filename"));
+                       -content_disposition => 'inline; filename="' . quotemeta($filename) . '"');

                my %ad = parse_date($co{'author_epoch'}, $co{'author_tz'});
                print <<TEXT;
 From: $co{'author'}
                my %ad = parse_date($co{'author_epoch'}, $co{'author_tz'});
                print <<TEXT;
 From: $co{'author'}