Sanitize output filename.

author Steinar H. Gunderson <sesse@samfundet.no>

Sun, 7 Aug 2005 12:46:46 +0000 (12:46 +0000)

committer Steinar H. Gunderson <sesse@samfundet.no>

Sun, 7 Aug 2005 12:46:46 +0000 (12:46 +0000)
author Steinar H. Gunderson <sesse@samfundet.no>
Sun, 7 Aug 2005 12:46:46 +0000 (12:46 +0000)
committer Steinar H. Gunderson <sesse@samfundet.no>
Sun, 7 Aug 2005 12:46:46 +0000 (12:46 +0000)
diff --git a/createpdf.pl b/createpdf.pl

index 86187fba167590e27420cb3930d6e115c28451ea..34cd9f425ccddc682e2bd77c904a8d1deb884f27 100755 (executable)
--- a/createpdf.pl
+++ b/createpdf.pl
@@ -139,8 +139,10 @@ EOF
  
  my $size = -s "output/$pdf_filename";
  
+(my $sanitized_outname = $outname) =~ tr/a-zA-Z0-9. -/_/c;
+
  print "Content-type: application/pdf\n";
-print "Content-disposition: attachment; filename=\"$outname\"\n";  # FIXME: XSS problems?
+print "Content-disposition: attachment; filename=\"$sanitized_outname\"\n";
  print "Content-length: $size\n\n";
  
  system("cat output/$pdf_filename");  # yuck?
author	Steinar H. Gunderson <sesse@samfundet.no>
	Sun, 7 Aug 2005 12:46:46 +0000 (12:46 +0000)
committer	Steinar H. Gunderson <sesse@samfundet.no>
	Sun, 7 Aug 2005 12:46:46 +0000 (12:46 +0000)