From cc4a8e53df40c4d91b095883ec08cb6ad8bac599 Mon Sep 17 00:00:00 2001
From: Florian Bruhin
Date: Fri, 13 Jan 2017 18:04:04 +0100
Subject: [PATCH] Prevent using %2F as slash in a Content-Disposition header

---
 qutebrowser/browser/webengine/webenginedownloads.py | 3 +++
 tests/end2end/features/downloads.feature | 8 ++++++++
 tests/unit/browser/webengine/test_webenginedownloads.py | 1 +
 3 files changed, 12 insertions(+)

diff --git a/qutebrowser/browser/webengine/webenginedownloads.py b/qutebrowser/browser/webengine/webenginedownloads.py
index 44b326d36..2baf27541 100644
--- a/qutebrowser/browser/webengine/webenginedownloads.py
+++ b/qutebrowser/browser/webengine/webenginedownloads.py
@@ -137,7 +137,10 @@ def _get_suggested_filename(path):
     """
     filename = os.path.basename(path)
     filename = re.sub(r'\([0-9]+\)$', '', filename)
+    # https://bugreports.qt.io/browse/QTBUG-58155
     filename = urllib.parse.unquote(filename)
+    # Doing basename a *second* time because there could be a %2F in there...
+    filename = os.path.basename(filename)
     return filename
 
 
diff --git a/tests/end2end/features/downloads.feature b/tests/end2end/features/downloads.feature
index 0cab862b5..44775e39a 100644
--- a/tests/end2end/features/downloads.feature
+++ b/tests/end2end/features/downloads.feature
@@ -118,6 +118,14 @@ Feature: Downloading things from a website.
         And I wait until the download is finished
         Then the downloaded file download with spaces.bin should exist
 
+    @qtwebkit_skip
+    Scenario: Downloading a file with evil content-disposition header
+        # Content-Disposition: download; filename=..%2Ffoo
+        When I open response-headers?Content-Disposition=download;%20filename%3D..%252Ffoo without waiting
+        And I wait until the download is finished
+        Then the downloaded file ../foo should not exist
+        And the downloaded file foo should exist
+
     ## :download-retry
 
     Scenario: Retrying a failed download
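Review bot: os.path.basename() strips directory components but never normalises `.` or `..`, so after the added unquote()/basename() pair a header name encoded as `%2E%2E` still comes out as `..`, and one ending in `%2F` comes out as an empty string; whether either reaches the filesystem depends on the caller, which is outside this hunk. A final guard such as `if filename in ('', '.', '..'): filename = 'download'` (using whatever default name the caller expects) would close both, and the parametrisation extended in the test_webenginedownloads.py hunk could pin these two inputs next to `('foo%2Fbar', 'bar')`. On POSIX a `%5C` decodes to a backslash that basename() leaves in place; that is a legal filename character there and only becomes a separator if the same name is reused on Windows. _get_suggested_filename's signature and docstring sit above the hunk.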
diff --git a/tests/unit/browser/webengine/test_webenginedownloads.py b/tests/unit/browser/webengine/test_webenginedownloads.py
index afd6e85a2..ee5b8e22a 100644
--- a/tests/unit/browser/webengine/test_webenginedownloads.py
+++ b/tests/unit/browser/webengine/test_webenginedownloads.py
@@ -32,6 +32,7 @@ from qutebrowser.browser.webengine import webenginedownloads
     ('foo(a)', 'foo(a)'),
     ('foo1', 'foo1'),
     ('foo%20bar', 'foo bar'),
+    ('foo%2Fbar', 'bar'),
 ])
 def test_get_suggested_filename(path, expected):
     assert webenginedownloads._get_suggested_filename(path) == expected