This repository has been archived by the owner on Jan 17, 2023. It is now read-only.
Sanitize download filenames using Unicode categories #3083
ianb added a commit that referenced this issue Jul 3, 2017
This adds : (important on Windows), \, <, and > to the blacklist. Followup in #3083
jaredhirsch pushed a commit that referenced this issue Jul 10, 2017
ianb added a commit that referenced this issue Jul 10, 2017
This adds : (important on Windows), \, <, and > to the blacklist. Followup in #3083
jaredhirsch pushed a commit that referenced this issue Jul 24, 2017
* add cloud icon
* Fix #2981, sanitize download filename more fully This adds : (important on Windows), \, <, and > to the blacklist. Followup in #3083
* add context fill icons
* Change version to 10.4.0 with changelog
* Fix Bug 1373614, stop the embedded WebExtension unconditionally In test conditions, when the browser is started and stopped very quickly, sometimes we didn't shut down the WebExtension because it hadn't fully started. r=kmag (in https://bugzilla.mozilla.org/show_bug.cgi?id=1373614)
* Fix #3120, disable Screenshots in private windows
* Update version to 10.5.0 with changelog
* Iframe tests (#3134)
* Validate iframe URLs Remove unneeded iframe onload handlers
* Put temporary clipboard TEXTAREA in an iframe With iframe URL validation
* Update version to 10.6.0 with changelog
* Update addon export branch to 10.7.0 (#3143)
* set dimensions for icon and add to startup (#3136)
* Address 10.6 review comments (bug 1381132)
* Update version to 10.7.0 with changelog
* Element fix (#3157)
* Do not re-wrap onResize when adding and removing the listener This caused the removeEventListener to silently fail, as the wrapped functions did not match (by identity) Fixes #3153
* Suppress error popups for all errors in resize handlers Errors still go to Sentry
* Fix #3135, update privacy notice URL
* Fix #3135, update privacy notice URL (#3158)
* Update version to 10.8.0 with changelog
jaredhirsch pushed a commit that referenced this issue Aug 4, 2017
* add cloud icon
* Fix #2981, sanitize download filename more fully This adds : (important on Windows), \, <, and > to the blacklist. Followup in #3083
* add context fill icons
* Change version to 10.4.0 with changelog
* Fix Bug 1373614, stop the embedded WebExtension unconditionally In test conditions, when the browser is started and stopped very quickly, sometimes we didn't shut down the WebExtension because it hadn't fully started. r=kmag (in https://bugzilla.mozilla.org/show_bug.cgi?id=1373614)
* Fix #3120, disable Screenshots in private windows
* Update version to 10.5.0 with changelog
* Iframe tests (#3134)
* Validate iframe URLs Remove unneeded iframe onload handlers
* Put temporary clipboard TEXTAREA in an iframe With iframe URL validation
* Update version to 10.6.0 with changelog
* Update addon export branch to 10.7.0 (#3143)
* set dimensions for icon and add to startup (#3136)
* Address 10.6 review comments (bug 1381132)
* Update version to 10.7.0 with changelog
* Element fix (#3157)
* Do not re-wrap onResize when adding and removing the listener This caused the removeEventListener to silently fail, as the wrapped functions did not match (by identity) Fixes #3153
* Suppress error popups for all errors in resize handlers Errors still go to Sentry
* Fix #3135, update privacy notice URL (#3158)
* Update version to 10.8.0 with changelog
* Remove full-page & visible buttons and remove from onboarding
* Update version to 10.9.0 with changelog
* Don't localize removed buttons
* Tweak button container CSS
* Synchronize startup code more carefully; hopefully fixes #3257
* Update version to 10.10.0 with changelog
* Revert "Remove full-page & visible buttons and remove from onboarding" This reverts commit 07a27a8.
I'm struggling to figure out how to sanitize download filenames properly. Right now we filter out certain characters, which seems unsafe. But if we only allow [a-zA-Z0-9] then we end up with nothing for, say, Cyrillic languages.

Unicode has a notion of categories and we would want the letter and number categories. This library has a list of appropriate categories (and maybe we'd just want to copy those regexes into our code). We'd want the union of Ll, Lt, Lm, Lo, and Nd.
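
An added example, not code from the Screenshots repository: an allow-list sanitizer built from the categories the issue names (Ll, Lt, Lm, Lo, Nd), written with JavaScript Unicode property escapes rather than regexes copied from a library, next to the ASCII-only allow-list for comparison. The function names, the 100-code-point cap, the "download" fallback and the caller-supplied extension are assumptions made for the example.

```javascript
// Added example (not Screenshots code). All names below are hypothetical.
// Categories exactly as listed in the issue: Ll, Lt, Lm, Lo and Nd.
const ISSUE_CATEGORIES = ["Ll", "Lt", "Lm", "Lo", "Nd"];

// Build a pattern matching every run of characters OUTSIDE the allowed categories.
function disallowedPattern(categories) {
  const cls = categories.map((c) => {
    // Two-letter general-category names only, so nothing else reaches the RegExp source.
    if (!/^[A-Z][a-z]$/.test(c)) throw new TypeError(`bad category: ${c}`);
    return `\\p{${c}}`;
  }).join("");
  return new RegExp(`[^${cls}]+`, "gu"); // "u" enables \p{...} and code-point matching
}

function sanitizeFilename(name, opts = {}) {
  const { categories = ISSUE_CATEGORIES, extension = "", maxLength = 100,
          fallback = "download" } = opts;
  // NFC first: "e" + U+0301 becomes the single letter U+00E9 instead of
  // a letter followed by a combining mark (category Mn, which is not allowed).
  const stem = String(name).normalize("NFC")
    .replace(disallowedPattern(categories), "_")
    .replace(/^_+|_+$/g, "");
  // Truncate by code point so a surrogate pair is never split.
  const cut = Array.from(stem).slice(0, maxLength).join("");
  // The extension is chosen by the caller, never taken from the input.
  return (cut || fallback) + extension;
}

// The ASCII-only allow-list from the issue, for comparison.
function asciiOnly(name) {
  return String(name).replace(/[^a-zA-Z0-9]+/g, "");
}

// Constructed sample titles.
const samples = ["привет мир: тест", "../../etc/passwd", "<>:\\", "日本語"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", sanitizeFilename(s, { extension: ".png" }),
              "| ascii-only:", JSON.stringify(asciiOnly(s)));
}
```

Lu is not in the list as written, so uppercase letters are replaced with this default; passing `categories: [...ISSUE_CATEGORIES, "Lu"]` keeps them.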