[H-1] Missing CRLF sanitization in launchEmulator Content-Disposition

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 0 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Controllers/FileController.php:387

Bug: basename() without stripping CR/LF/quote/backslash allows header injection via crafted original_name.

Fix: Apply the same str_replace guard that download() already uses.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:30pm

Resolved.

FileController::launchEmulator now strips \r, \n, ", \, /, \0 from original_name before interpolating into Content-Disposition (src/Controllers/FileController.php:387). Matches the guard already used in download().

Locking this thread.

Related Discussions

[H-19] CURATOR_ID = 123 hard-coded — FK violation if user missing
Security Issues · 0 replies · 0 views
Missing manuals: post what you are hunting for
Manuals & Documentation · 0 replies · 1 views
Printing missing knobs, feet, and trim
Cosmetic Restoration Prints · 0 replies · 1 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy