Junio C Hamano wrote:
> Jakub Narebski <jnareb@xxxxxxxxx> writes:
>
>> But you forget that in HTTP headers, to be more exact in
>> Content-Disposition: inline; filename="<filename>"
>> header, the quote '"' and end-of-line '\n' characters in <filename>
>> are treated specially. So you need to quote somehow at least those
>> two characters.
>
> True, but untrue. This is just a suggestion so we do not _have_
> to quote. We only need to avoid spitting out dq and lf
> literally. We could even just do something like the attached if
> we wanted to:
>
> s/[^ -~]+/?/g ;# replace each sequence of bytes outside
> # ' ' to '~' range to a '?'
>
> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl > index 44991b1..e7202ee 100755 > --- a/gitweb/gitweb.perl > +++ b/gitweb/gitweb.perl > @@ -2651,7 +2651,7 @@ sub git_blob_plain { > # save as filename, even when no $file_name is given > my $save_as = "$hash"; > if (defined $file_name) { > - $save_as = $file_name; > + ($save_as = $file_name) =~ s/[^ -~]+/?/g; > } elsif ($type =~ m/^text\//) { > $save_as .= '.txt'; > }

I'd rather add (and use) a separate subroutine for quoting/escaping values in HTTP headers, or to be more exact for the filename part of HTTP header "Content-Disposition:". This way if we decide to not replace all characters outside US-ASCII in suggested filename to save with '?', but only doublequote '"' and linefeed '\n' characters, or even implement RFC 2047 to do the encoding (of course if browsers can read it), we could do this in one place.

How should such a subroutine be named? esc_http? esc_header or esc_hdr? esc_http_header? Any other ideas?

-- 
Jakub Narebski
Poland
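
Review bot: On the `+` line in git_blob_plain, the class `[^ -~]` does not match '"', because the double quote (0x22) lies inside the ' ' to '~' range, so a $file_name containing a double quote is still copied into $save_as unchanged; only LF and other bytes outside printable ASCII are replaced. If the intent is to keep both dq and lf out of the filename="..." value, exclude 0x22 from the kept range, for example `s/[^ -!#-~]+/?/g`, and add a short comment on that line saying why the substitution is there.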
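
One way the separate subroutine proposed in the reply could look, as an added example that is not gitweb code and not part of either message; the name `esc_disposition_filename`, the `$mode` argument and the '?' replacement character are assumptions. It implements both policies the reply mentions and replaces '"' explicitly, since that character lies inside the ' ' to '~' range.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: the name, the $mode argument and the '?' placeholder
# are assumptions made for this example; this is not gitweb code.
# Returns a value that can sit between the double quotes of
#   Content-Disposition: inline; filename="..."
sub esc_disposition_filename {
	my ($name, $mode) = @_;
	$mode = 'ascii' unless defined $mode;

	if ($mode eq 'ascii') {
		# Blanket policy: every run of bytes outside ' '..'~' becomes one '?'.
		# '"' is 0x22, inside that range, so it is replaced separately.
		$name =~ s/[^ -~]+/?/g;
		$name =~ s/"/?/g;
	} elsif ($mode eq 'minimal') {
		# Narrow policy: touch only what would break the header line
		# (CR, LF, other control bytes) or end the quoted string ('"').
		$name =~ s/[\x00-\x1f\x7f"]/?/g;
	} else {
		die "unknown mode '$mode'\n";
	}
	return $name;
}

# Constructed sample names, not taken from any repository.
my @samples = (
	"README",
	"notes \"final\".txt",
	"report\r\nX-Injected: 1",
	"r\xc3\xa9sum\xc3\xa9.txt",   # UTF-8 bytes for two accented letters
);

for my $raw (@samples) {
	for my $mode (qw(ascii minimal)) {
		my $safe = esc_disposition_filename($raw, $mode);
		# A safe value never contains '"', CR or LF.
		die "unsafe result for mode $mode\n" if $safe =~ /["\r\n]/;
		printf "%-8s Content-Disposition: inline; filename=\"%s\"\n",
			$mode, $safe;
	}
}
```

Keeping the policy behind one function means a later switch to an encoded form only changes this subroutine, not each place that emits the header.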