Sanitize filenames before using in Content-Disposition header

export.php

@@ -343,6 +343,7 @@ if (!$save_on_server) {
         // (avoid rewriting data containing HTML with anchors and forms;
         // this was reported to happen under Plesk)
         @ini_set('url_rewriter.tags','');
+        $filename = PMA_sanitize_filename($filename);
 
         header('Content-Type: ' . $mime_type);
         header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');

libraries/sanitizing.lib.php

@@ -86,4 +86,22 @@ function PMA_sanitize($message, $escape = false, $safe = false)
 
     return $message;
 }
+
+
+/**
+ * Sanitize a filename by removing anything besides A-Za-z0-9_.-
+ *
+ * Intended usecase:
+ *    When using a filename in a Content-Disposition header the value should not contain ; or "
+ *
+ * @param   string  The filename
+ *
+ * @return  string  the sanitized filename
+ *
+ */
+function PMA_sanitize_filename($filename) {
+    $filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
+    return $filename;
+}
+
 ?>

libraries/schema/Dia_Relation_Schema.class.php

@@ -173,6 +173,7 @@ class PMA_DIA extends XMLWriter
          if(ob_get_clean()){
             ob_end_clean();
         }
+        $fileName = PMA_sanitize_filename($fileName);
         header('Content-type: application/x-dia-diagram');
         header('Content-Disposition: attachment; filename="'.$fileName.'.dia"');
         $output = $this->flush();

libraries/schema/Eps_Relation_Schema.class.php

@@ -336,6 +336,7 @@ class PMA_EPS
         // if(ob_get_clean()){
             //ob_end_clean();
         //}
+        $fileName = PMA_sanitize_filename($fileName);
         header('Content-type: image/x-eps');
         header('Content-Disposition: attachment; filename="'.$fileName.'.eps"');
         $output = $this->stringCommands;

libraries/schema/Pdf_Relation_Schema.class.php

@@ -1075,6 +1075,8 @@ class PMA_Pdf_Relation_Schema extends PMA_Export_Relation_Schema
         if (empty($filename)) {
             $filename = $pageNumber . '.pdf';
         }
+        $fileName = PMA_sanitize_filename($fileName);
+
         // instead of $pdf->Output():
         $pdfData = $pdf->getPDFData();
         header('Content-Type: application/pdf');

libraries/schema/Svg_Relation_Schema.class.php

@@ -171,6 +171,7 @@ class PMA_SVG extends XMLWriter
     function showOutput($fileName)
     {
         //ob_get_clean();
+        $fileName = PMA_sanitize_filename($fileName);
         header('Content-type: image/svg+xml');
         header('Content-Disposition: attachment; filename="'.$fileName.'.svg"');
         $output = $this->flush();

libraries/schema/Visio_Relation_Schema.class.php

@@ -158,6 +158,7 @@ class PMA_VISIO extends XMLWriter
          //if(ob_get_clean()){
             //ob_end_clean();
         //}
+        $fileName = PMA_sanitize_filename($fileName);
         header('Content-type: application/visio');
         header('Content-Disposition: attachment; filename="'.$fileName.'.vdx"');
         $output = $this->flush();

tbl_get_field.php

@@ -39,7 +39,8 @@ if ($result === false) {
 
 header('Content-Type: ' . PMA_detectMIME($result));
 header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
-header('Content-Disposition: attachment; filename="' . $table . '-' .  $transform_key . '.bin"');
+$filename = PMA_sanitize_filename($table . '-' .  $transform_key . '.bin');
+header('Content-Disposition: attachment; filename="' . $filename . '"');
 if (PMA_USR_BROWSER_AGENT == 'IE') {
     header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
     header('Pragma: public');

tbl_tracking.php

@@ -111,7 +111,8 @@ if (isset($_REQUEST['report_export']) && $_REQUEST['export_type'] == 'sqldumpfil
     foreach($entries as $entry) {
         $dump .= $entry['statement'];
     }
-    $filename = 'log_' . str_replace(';', '', htmlspecialchars($_REQUEST['table'])) . '.sql';
+    //$filename = 'log_' . str_replace(';', '', htmlspecialchars($_REQUEST['table'])) . '.sql';
+    $filename = PMA_sanitize_filename('log_' . $_REQUEST['table'] . '.sql');
     header('Content-Type: text/x-sql');
     header('Expires: ' . gmdate('D, d M Y H:i:s') . ' GMT');
     header('Content-Disposition: attachment; filename="' . $filename . '"');