Prevent using %2F as slash in a Content-Disposition header

qutebrowser/browser/webengine/webenginedownloads.py

@@ -137,7 +137,10 @@ def _get_suggested_filename(path):
     """
     filename = os.path.basename(path)
     filename = re.sub(r'\([0-9]+\)$', '', filename)
+    # https://bugreports.qt.io/browse/QTBUG-58155
     filename = urllib.parse.unquote(filename)
+    # Doing basename a *second* time because there could be a %2F in there...
+    filename = os.path.basename(filename)
     return filename
 
 

tests/end2end/features/downloads.feature

@@ -118,6 +118,14 @@ Feature: Downloading things from a website.
         And I wait until the download is finished
         Then the downloaded file download with spaces.bin should exist
 
+    @qtwebkit_skip
+    Scenario: Downloading a file with evil content-disposition header
+        # Content-Disposition: download; filename=..%2Ffoo
+        When I open response-headers?Content-Disposition=download;%20filename%3D..%252Ffoo without waiting
+        And I wait until the download is finished
+        Then the downloaded file ../foo should not exist
+        And the downloaded file foo should exist
+
     ## :download-retry
 
     Scenario: Retrying a failed download

tests/unit/browser/webengine/test_webenginedownloads.py

@@ -32,6 +32,7 @@ from qutebrowser.browser.webengine import webenginedownloads
     ('foo(a)', 'foo(a)'),
     ('foo1', 'foo1'),
     ('foo%20bar', 'foo bar'),
+    ('foo%2Fbar', 'bar'),
 ])
 def test_get_suggested_filename(path, expected):
     assert webenginedownloads._get_suggested_filename(path) == expected