From: Steinar H. Gunderson
Date: Sun, 7 Aug 2005 12:46:46 +0000 (+0000)
Subject: Sanitize output filename.
X-Git-Url: https://git.sesse.net/?p=webpdf;a=commitdiff_plain;h=54684462f793d5b2e76052ab3ff5246972bdc204
Sanitize output filename.
---
diff --git a/createpdf.pl b/createpdf.pl
index 86187fb..34cd9f4 100755
--- a/createpdf.pl
+++ b/createpdf.pl
@@ -139,8 +139,10 @@ EOF
 my $size = -s "output/$pdf_filename";
+(my $sanitized_outname = $outname) =~ tr/a-zA-Z0-9. -/_/c;
+
 print "Content-type: application/pdf\n";
-print "Content-disposition: attachment; filename=\"$outname\"\n"; # FIXME: XSS problems?
+print "Content-disposition: attachment; filename=\"$sanitized_outname\"\n";
 print "Content-length: $size\n\n";
 system("cat output/$pdf_filename"); # yuck?
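Review bot: The `tr/a-zA-Z0-9. -/_/c` allowlist on the added line keeps quotes and CR/LF out of the `Content-disposition` header, but it does not handle a result that is empty or made only of dots and spaces, so `filename=""` or `filename=".."` can still be sent; a fallback such as `$sanitized_outname = 'download.pdf' unless $sanitized_outname =~ /[a-zA-Z0-9]/;` (the default name is a placeholder) would cover that. Since the FIXME is removed, a short comment on the `tr` line, e.g. `# allowlist: everything outside [a-zA-Z0-9. -] becomes "_", so quotes and CR/LF cannot break out of the header value`, would record why it is there and that the trailing `-` must stay last in the list to remain a literal. The unchanged `system("cat output/$pdf_filename")` at the end of the hunk still interpolates a variable into a shell command; where `$pdf_filename` is set is outside the hunk, so if it can carry request data the list form `system('cat', "output/$pdf_filename")` would avoid the shell.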