From 02d75deaa00ccb40915a840608d1dc29926a5194 Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Wed, 12 Apr 2017 09:31:59 +0100
Subject: [PATCH] when setting content-disposition, uri-encode names
---
 .../web/app/coffee/Features/Compile/CompileController.coffee | 4 +++-
 .../app/coffee/Features/FileStore/FileStoreController.coffee | 2 +-
 .../UnitTests/coffee/Compile/CompileControllerTests.coffee | 2 +-
 .../coffee/FileStore/FileStoreControllerTests.coffee | 4 +++-
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/services/web/app/coffee/Features/Compile/CompileController.coffee b/services/web/app/coffee/Features/Compile/CompileController.coffee
index 27ee604ba5..5eb67540e4 100755
--- a/services/web/app/coffee/Features/Compile/CompileController.coffee
+++ b/services/web/app/coffee/Features/Compile/CompileController.coffee
@@ -85,7 +85,9 @@ module.exports = CompileController =
 res.contentType("application/pdf")
 if !!req.query.popupDownload
 logger.log project_id: project_id, "download pdf as popup download"
- res.header('Content-Disposition', "attachment; filename=#{project.getSafeProjectName()}.pdf")
+ res.header(
+ 'Content-Disposition', "attachment; filename=#{encodeURIComponent(project.getSafeProjectName())}.pdf"
+ )
 else
 logger.log project_id: project_id, "download pdf to embed in browser"
 res.header('Content-Disposition', "filename=#{project.getSafeProjectName()}.pdf")
diff --git a/services/web/app/coffee/Features/FileStore/FileStoreController.coffee b/services/web/app/coffee/Features/FileStore/FileStoreController.coffee
index c36ce22151..9fe80b9108 100644
--- a/services/web/app/coffee/Features/FileStore/FileStoreController.coffee
+++ b/services/web/app/coffee/Features/FileStore/FileStoreController.coffee
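Review bot: The `else` (embed-in-browser) branch just below the change still sends `filename=#{project.getSafeProjectName()}.pdf` unencoded, so only the popup-download path gets the new treatment. If the aim is to keep characters that are invalid in a header value, or that could break out of the `filename` parameter (`;`, `"`, CR/LF), out of the response, both branches need it: `res.header('Content-Disposition', "filename=#{encodeURIComponent(project.getSafeProjectName())}.pdf")`. The updated assertion in CompileControllerTests expects the encoded value without `attachment;`, which corresponds to this unchanged branch rather than the one edited here. `getSafeProjectName` is not visible in the hunk, so it may already restrict the character set; that is worth confirming before relying on it.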
@@ -35,5 +35,5 @@ module.exports =
 if (is_mobile_safari(user_agent) and is_html(file))
 logger.log filename: file.name, user_agent: user_agent, "sending html file to mobile-safari as plain text"
 res.setHeader('Content-Type', 'text/plain')
- res.setHeader("Content-Disposition", "attachment; filename=#{file.name}")
+ res.setHeader("Content-Disposition", "attachment; filename=#{encodeURIComponent(file.name)}")
 stream.pipe res
diff --git a/services/web/test/UnitTests/coffee/Compile/CompileControllerTests.coffee b/services/web/test/UnitTests/coffee/Compile/CompileControllerTests.coffee
index 53c713ac42..33270ec1c7 100644
--- a/services/web/test/UnitTests/coffee/Compile/CompileControllerTests.coffee
+++ b/services/web/test/UnitTests/coffee/Compile/CompileControllerTests.coffee
@@ -137,7 +137,7 @@ describe "CompileController", ->
 it "should set the content-disposition header with the project name", ->
 @res.header
- .calledWith("Content-Disposition", "filename=#{@safe_name}.pdf")
+ .calledWith("Content-Disposition", "filename=#{encodeURIComponent(@safe_name)}.pdf")
 .should.equal true
 it "should increment the pdf-downloads metric", ->
diff --git a/services/web/test/UnitTests/coffee/FileStore/FileStoreControllerTests.coffee b/services/web/test/UnitTests/coffee/FileStore/FileStoreControllerTests.coffee
index fd83f73379..0bf16b491b 100644
--- a/services/web/test/UnitTests/coffee/FileStore/FileStoreControllerTests.coffee
+++ b/services/web/test/UnitTests/coffee/FileStore/FileStoreControllerTests.coffee
@@ -62,7 +62,9 @@ describe "FileStoreController", ->
 it "should set the Content-Disposition header", (done)->
 @stream.pipe = (des)=>
- @res.setHeader.calledWith("Content-Disposition", "attachment; filename=#{@file.name}").should.equal true
+ @res.setHeader.calledWith(
+ "Content-Disposition", "attachment; filename=#{encodeURIComponent(@file.name)}"
+ ).should.equal true
 done()
 @controller.getFile @req, @res
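Review bot: Percent-encoding inside a plain `filename=` parameter is not decoded by every client, so a name with spaces or non-ASCII characters can end up saved with literal `%20`-style sequences. RFC 6266 defines the extended parameter for this case; consider `res.setHeader("Content-Disposition", "attachment; filename*=UTF-8''#{encodeURIComponent(file.name)}")`, optionally alongside an ASCII-only `filename=` fallback. `encodeURIComponent` leaves `'`, `(`, `)` and `*` unescaped, which RFC 5987 does not permit in that value, so those would need an extra replace. The encoding does stop CR/LF, `;` and `"` in the user-supplied `file.name` from altering the header, which is the safety-relevant part; the same remarks apply to the CompileController hunk.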
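Review bot: The FileStoreControllerTests assertion only proves the encoding if `@file.name` contains a character that `encodeURIComponent` changes. The fixture is set outside the hunk, and a plain alphanumeric name would let the test pass with or without the fix. A second case using a name such as `"my file;é.html"` (constructed example) would pin the behaviour, and the same applies to `@safe_name` in CompileControllerTests.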