Content-Disposition Considered Harmful?


I am currently working on a WCF service that returns a file based on an HTTP GET request. The main concept of the service goes like this:

public Stream MyGetMethod()
{
    // Fetch the file
    byte[] myFile = FetchMyFile();

    // Set the name of the file using Content-Disposition
    WebOperationContext.Current.OutgoingResponse
       .Headers.Add("Content-Disposition", "attachment; filename=MyFile");

    // Return the file
    return new MemoryStream(myFile);
}

I use the Content-Disposition header to tell the browser that it should name the file MyFile and that it should show a SaveAs dialog (the attachment part).

While this works, I have been reading some bad things about Content-Disposition.

RFC2616 states:

RFC 1806 [35], from which the often implemented Content-Disposition (see section 19.5.1) header in HTTP is derived, has a number of very serious security considerations. Content-Disposition is not part of the HTTP standard, but since it is widely implemented, we are documenting its use and risks for implementors. See RFC 2183 [49] (which updates RFC 1806) for details.

And from RFC2183 I get:

Since this memo provides a way for the sender to suggest a filename,
a receiving MUA must take care that the sender's suggested filename
does not represent a hazard. Using UNIX as an example, some hazards
would be:

  • Creating startup files (e.g., ".login").
  • Creating or overwriting system files (e.g., "/etc/passwd").
  • Overwriting any existing file.
  • Placing executable files into any command search path (e.g., "~/bin/more").
  • Sending the file to a pipe (e.g., "| sh").

In general, the receiving MUA should not name or place the file such that it will get interpreted or executed without the user explicitly initiating the action.

I see there are some serious security aspects in this, but I am not quite sure if this should stop me from using it, like in the WCF service above?

As I see it, I think it should be alright since all the major browsers understand the header, and while the code in the snippet above is that simple, I cannot see how that can ever be a security threat? Please correct me if I'm wrong.

Thanks.

There are 1 best solutions below

It's safe to use Content-Disposition; for additional safety, don't allow users to supply file names, or add a random unique name prefix or suffix or file extension yourself.
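The advice in the answer above, sketched as an added example (not code from the question or the answer): a helper that builds the Content-Disposition value when part of the file name does come from a request. The class `DownloadName`, the method `BuildAttachmentHeader`, the 64-character limit and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Linq;

public static class DownloadName
{
    // Only these characters survive; everything else (quotes, CR/LF, '|', '/', spaces) is dropped.
    private static bool IsAllowed(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
               (c >= '0' && c <= '9') || c == '-' || c == '_';
    }

    // Hypothetical helper: turns an untrusted name into a Content-Disposition value.
    // serverExtension is chosen by the service (e.g. ".pdf"), never by the caller.
    public static string BuildAttachmentHeader(string untrustedName, string serverExtension)
    {
        // Keep only the last path segment, treating '\' and '/' alike.
        string name = (untrustedName ?? string.Empty).Replace('\\', '/');
        name = name.Substring(name.LastIndexOf('/') + 1);

        // Cut the caller's extension; ".login" becomes an empty stem.
        int dot = name.LastIndexOf('.');
        string stem = dot >= 0 ? name.Substring(0, dot) : name;

        stem = new string(stem.Where(IsAllowed).Take(64).ToArray());
        if (stem.Length == 0) stem = "file";

        // Unique prefix so the suggested name cannot equal a well-known file name.
        string prefix = Guid.NewGuid().ToString("N").Substring(0, 8);
        return "attachment; filename=\"" + prefix + "-" + stem + serverExtension + "\"";
    }

    public static void Main()
    {
        // Constructed sample inputs, including the hazards RFC 2183 lists.
        string[] samples = {
            "MyFile", ".login", "/etc/passwd", "~/bin/more", "| sh",
            "report.pdf\r\nSet-Cookie: x=1", "C:\\Users\\a\\invoice.exe"
        };
        foreach (string s in samples)
            Console.WriteLine(BuildAttachmentHeader(s, ".pdf"));
    }
}
```

In the WCF method from the question, the returned string would replace the literal passed to `Headers.Add("Content-Disposition", ...)`.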