why is a forward slash converted to a hyphen / dash


I know that we should replace forward slashes and, for example, explode the path and use the last element of the array as filename.

But why is the forward slash converted to a hyphen / dash when using

header('Content-Disposition: attachment; filename="'.$local_file.'"'); 

when $local_file is something like /file

the downloaded file has the filename -file

Is this behaviour described somewhere?

The RFC paper does not mention this, or does it? http://www.faqs.org/rfcs/rfc2183.html

1

There is 1 answer

4
mario (best answer)

This is client specific. Most browsers would just drop any path/ prefixes. But transcoding forward slashes would be just as sound.

It's alluded to in RFC2616, http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html, section 19.5.1

The receiving user agent SHOULD NOT respect any directory path information present in the filename-parm parameter, which is the only parameter believed to apply to HTTP implementations at this time. The filename SHOULD be treated as a terminal component only.
Network Working Group, R. Fielding et al, (c) The Internet Society (1999)

The rationale, of course, is that HTTP payloads should not be extracted to any predefined path for security reasons.
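
Since clients differ in how they treat path separators in filename-parm, the server can send a terminal component only and not depend on that behaviour. The following is an added example, not part of the original question or answer; safe_download_name() is a hypothetical helper name and the sample inputs are constructed.

```php
<?php
// Added example, not code from the original post.
// safe_download_name() is a hypothetical helper name.

function safe_download_name(string $path, string $fallback = 'download'): string
{
    // Split on both "/" and "\" so the result is a terminal component
    // regardless of which separator the receiving platform uses.
    $parts = preg_split('#[/\\\\]+#', $path, -1, PREG_SPLIT_NO_EMPTY);
    $name  = $parts ? end($parts) : '';

    // Drop control characters (CR/LF would split the header) and the
    // double quote, which would end the quoted filename value early.
    $name = preg_replace('/[\x00-\x1F\x7F"]/', '', $name);

    // "." and ".." are directory references, not file names.
    if ($name === '' || $name === '.' || $name === '..') {
        return $fallback;
    }
    return $name;
}

// Constructed sample inputs, including the "/file" case from the question.
$samples = [
    '/file',
    'reports/2024/q1.pdf',
    '..\\..\\setup.ini',
    "a\r\nX-Injected: 1",
    '/',
];

foreach ($samples as $local_file) {
    // In a real download script this string would be passed to header().
    echo 'Content-Disposition: attachment; filename="'
        . safe_download_name($local_file) . '"', "\n";
}
```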