From d4295fa050c9b56422de0966ece50f0c0a042891 Mon Sep 17 00:00:00 2001
From: Giedrius Slavinskas
Date: Tue, 30 Oct 2012 13:51:13 +0200
Subject: [PATCH 1/2] [FIX] escape returned report filename
lp bug: https://launchpad.net/bugs/1072803 fixed
bzr revid: giedrius@inovera.lt-20121030115113-1aooabkpzwy62wnq
---
 addons/web/controllers/main.py | 33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)
diff --git a/addons/web/controllers/main.py b/addons/web/controllers/main.py
index 72ffd9567f6..26ab732118f 100644
--- a/addons/web/controllers/main.py
+++ b/addons/web/controllers/main.py
@@ -575,6 +575,20 @@ def from_elementtree(el, preserve_whitespaces=False):
 res["children"] = kids
 return res
+
+def content_disposition(filename, req):
+ filename = filename.encode('utf8')
+ escaped = urllib2.quote(filename)
+ browser = req.httprequest.user_agent.browser
+ version = int((req.httprequest.user_agent.version or '0').split('.')[0])
+ if browser == 'msie' and version < 9:
+ return "attachment; filename=%s" % escaped
+ elif browser == 'safari':
+ return "attachment; filename=%s" % filename
+ else:
+ return "attachment; filename*=UTF-8''%s" % escaped
+
+
 #----------------------------------------------------------
 # OpenERP Web web Controllers
 #----------------------------------------------------------
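Review bot: The Safari branch of content_disposition() interpolates the raw UTF-8 `filename` into the header with no quoting or escaping, so a name containing `"`, `;`, a space or a line break passes straight into Content-Disposition on the one path this escaping fix leaves unescaped. Later hunks route the report name, database backup name and export name through this helper, and at least the report name looks like it can come from stored or request data (its origin is outside the hunks), so that branch should drop CR/LF and emit a quoted-string, e.g. `filename = filename.replace('\r', '').replace('\n', '')` followed by `return 'attachment; filename="%s"' % filename.replace('\\', '\\\\').replace('"', '\\"')`. The `int(...split('.')[0])` parse also raises ValueError if the user-agent version ever starts with a non-numeric component, which would turn a download into a server error; a `try/except ValueError` falling back to 0 would keep the browser sniffing best-effort. A short docstring saying which branch works around which browser limitation would help the next reader.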
@@ -1520,17 +1534,6 @@ class Binary(openerpweb.Controller):
 def placeholder(self, req):
 addons_path = openerpweb.addons_manifest['web']['addons_path']
 return open(os.path.join(addons_path, 'web', 'static', 'src', 'img', 'placeholder.png'), 'rb').read()
- def content_disposition(self, filename, req):
- filename = filename.encode('utf8')
- escaped = urllib2.quote(filename)
- browser = req.httprequest.user_agent.browser
- version = int((req.httprequest.user_agent.version or '0').split('.')[0])
- if browser == 'msie' and version < 9:
- return "attachment; filename=%s" % escaped
- elif browser == 'safari':
- return "attachment; filename=%s" % filename
- else:
- return "attachment; filename*=UTF-8''%s" % escaped
 @openerpweb.httprequest
 def saveas(self, req, model, field, id=None, filename_field=None, **kw):
@@ -1566,7 +1569,7 @@ class Binary(openerpweb.Controller):
 filename = res.get(filename_field, '') or filename
 return req.make_response(filecontent,
 [('Content-Type', 'application/octet-stream'),
- ('Content-Disposition', self.content_disposition(filename, req))])
+ ('Content-Disposition', content_disposition(filename, req))])
 @openerpweb.httprequest
 def saveas_ajax(self, req, data, token):
@@ -1596,7 +1599,7 @@ class Binary(openerpweb.Controller):
 filename = res.get(filename_field, '') or filename
 return req.make_response(filecontent,
 headers=[('Content-Type', 'application/octet-stream'),
- ('Content-Disposition', self.content_disposition(filename, req))],
+ ('Content-Disposition', content_disposition(filename, req))],
 cookies={'fileToken': int(token)})
 @openerpweb.httprequest
@@ -1997,11 +2000,11 @@ class Reports(View):
 file_name = reports.read(res_id[0], ['name'], context)['name']
 else:
 file_name = action['report_name']
+ file_name = '%s.%s' % (file_name, report_struct['format'])
 return req.make_response(report,
 headers=[
- # maybe we should take of what characters can appear in a file name?
- ('Content-Disposition', 'attachment; filename="%s.%s"' % (file_name, report_struct['format'])),
+ ('Content-Disposition', content_disposition(file_name, req)),
 ('Content-Type', report_mimetype),
 ('Content-Length', len(report))],
 cookies={'fileToken': int(token)})
From 70cbf251f127998420c0ff18af51477d09fc95d2 Mon Sep 17 00:00:00 2001
From: Giedrius Slavinskas
Date: Wed, 31 Oct 2012 17:53:10 +0200
Subject: [PATCH 2/2] [FIX] escape returned database backup and exported data filenames
bzr revid: giedrius@inovera.lt-20121031155310-htyh0qdvsxudnm59
---
 addons/web/controllers/main.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/addons/web/controllers/main.py b/addons/web/controllers/main.py
index 26ab732118f..ad8d91ed1dd 100644
--- a/addons/web/controllers/main.py
+++ b/addons/web/controllers/main.py
@@ -855,7 +855,7 @@ class Database(openerpweb.Controller):
 }
 return req.make_response(db_dump,
 [('Content-Type', 'application/octet-stream; charset=binary'),
- ('Content-Disposition', 'attachment; filename="' + filename + '"')],
+ ('Content-Disposition', content_disposition(filename, req))],
 {'fileToken': int(token)}
 )
 except xmlrpclib.Fault, e:
@@ -1864,7 +1864,8 @@ class Export(View):
 return req.make_response(self.from_data(columns_headers, import_data),
- headers=[('Content-Disposition', 'attachment; filename="%s"' % self.filename(model)),
+ headers=[('Content-Disposition',
+ content_disposition(self.filename(model), req)),
 ('Content-Type', self.content_type)],
 cookies={'fileToken': int(token)})
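Review bot: The Reports, Database and Export responses used to send a quoted `filename="..."` parameter and now send whatever content_disposition() returns, whose default branch is `filename*=UTF-8''...` alone. A client that is neither MSIE < 9 nor Safari and does not parse the extended `filename*` form gets no filename at all, where before it got one; RFC 6266 suggests sending both parameters, with an ASCII-only `filename="..."` as the fallback next to `filename*`. For the database backup the name is presumably already ASCII, so emitting both forms there would cost nothing. The helper itself is defined in the first patch, outside these hunks, so the change belongs in its final `else` branch.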