gitweb: Quote filename in HTTP Content-Disposition: header

Finish work started by commit a2f3db2 (although not documented
in commit message) of quoting using quotemeta the filename in
HTTP -content_disposition header.

Just in case filename contains end of line character.

Also use consistent coding style to compute -content_disposition
parameter.

Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <junkio@cox.net>

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 093ee604f495cbb91f5a543c8ffb4ab95ef209ae..9349fa1cb382b7d742a01bddf9045c5f13e3d297 100755 (executable)
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -2320,7 +2320,7 @@ sub git_project_index {
        print $cgi->header(
                -type => 'text/plain',
                -charset => 'utf-8',
-               -content_disposition => qq(inline; filename="index.aux"));
+               -content_disposition => 'inline; filename="index.aux"');
 
        foreach my $pr (@projects) {
                if (!exists $pr->{'owner'}) {
@@ -2682,7 +2682,7 @@ sub git_blob_plain {
        print $cgi->header(
                -type => "$type",
                -expires=>$expires,
-               -content_disposition => "inline; filename=\"$save_as\"");
+               -content_disposition => 'inline; filename="' . quotemeta($save_as) . '"');
        undef $/;
        binmode STDOUT, ':raw';
        print <$fd>;
@@ -2856,10 +2856,11 @@ sub git_snapshot {
 
        my $filename = basename($project) . "-$hash.tar.$suffix";
 
-       print $cgi->header(-type => 'application/x-tar',
-                          -content_encoding => $ctype,
-                          -content_disposition => "inline; filename=\"$filename\"",
-                          -status => '200 OK');
+       print $cgi->header(
+               -type => 'application/x-tar',
+               -content_encoding => $ctype,
+               -content_disposition => 'inline; filename="' . quotemeta($filename) . '"',
+               -status => '200 OK');
 
        my $git_command = git_cmd_str();
        open my $fd, "-|", "$git_command tar-tree $hash \'$project\' | $command" or
@@ -3169,7 +3170,7 @@ sub git_blobdiff {
                        -type => 'text/plain',
                        -charset => 'utf-8',
                        -expires => $expires,
-                       -content_disposition => qq(inline; filename=") . quotemeta($file_name) . qq(.patch"));
+                       -content_disposition => 'inline; filename="' . quotemeta($file_name) . '.patch"');
 
                print "X-Git-Url: " . $cgi->self_url() . "\n\n";
 
@@ -3272,7 +3273,7 @@ sub git_commitdiff {
                        -type => 'text/plain',
                        -charset => 'utf-8',
                        -expires => $expires,
-                       -content_disposition => qq(inline; filename="$filename"));
+                       -content_disposition => 'inline; filename="' . quotemeta($filename) . '"');
                my %ad = parse_date($co{'author_epoch'}, $co{'author_tz'});
                print <<TEXT;
 From: $co{'author'}