Ensuring that generated Content-Type headers properly escape params.

2023-03-27 23:18:01 -04:00 · 2013-01-28 17:30:03 -08:00 · 2013-01-28 17:30:03 -08:00 · 7721545ff2
commit 7721545ff2
parent 43de6d2d8a
2 changed files with 27 additions and 1 deletions
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@ -275,7 +275,10 @@ module Sinatra
      params.delete :charset if mime_type.include? 'charset'
      unless params.empty?
        mime_type << (mime_type.include?(';') ? ', ' : ';')
-        mime_type << params.map { |kv| kv.join('=') }.join(', ')
+        mime_type << params.map do |key, val|
+          val = val.inspect if val =~ /[";,]/
+          "#{key}=#{val}"
+        end.join(', ')
      end
      response['Content-Type'] = mime_type
    end
--- a/test/helpers_test.rb
+++ b/test/helpers_test.rb
@ -586,6 +586,29 @@ class HelpersTest < Test::Unit::TestCase
      get '/'
      assert_equal 'text/plain;charset=utf-16', response['Content-Type']
    end
+
+    it 'properly encodes parameters with delimiter characters' do
+      mock_app do
+        before '/comma' do
+          content_type 'image/png', :comment => 'Hello, world!'
+        end
+        before '/semicolon' do
+          content_type 'image/png', :comment => 'semi;colon'
+        end
+        before '/quote' do
+          content_type 'image/png', :comment => '"Whatever."'
+        end
+
+        get('*') { 'ok' }
+      end
+
+      get '/comma'
+      assert_equal 'image/png;comment="Hello, world!"', response['Content-Type']
+      get '/semicolon'
+      assert_equal 'image/png;comment="semi;colon"', response['Content-Type']
+      get '/quote'
+      assert_equal 'image/png;comment="\"Whatever.\""', response['Content-Type']
+    end
  end

  describe 'attachment' do