Here's a test: upload two files with the same name (say "test.zip"). Drupal will rename the second "test.zip" file to "test_0.zip". When downloading the second file, Drupal will take care of the URI vs. the final name (it stores the "uploaded" name in the 'filename' column of the {file_managed} table).

Enable File Force, and the second file will be downloaded as "test_0.zip".

The culprit is the 'Content-Disposition' => $disposition . '; filename="' . basename($uri) . '"', line in file_force_file_download(), which takes the URI basename to name the downloaded file.

Comments

iva2k

I think the fix in #5 of #1834360 ("Security issue: Private files are allowed to download via download link, an attacker who knows the url can get any private file") can be extended to find out the correct filename without trying to dig out which module's file that is... $headers will have a 'Content-Disposition' element; we simply need to extract filename=... from it.

I am not planning to roll a patch for this until #1834360 ("Security issue: Private files are allowed to download via download link, an attacker who knows the url can get any private file") is committed.
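The approach suggested in the comment above, sketched as an added example (this is not File Force code and not the patch from #1834360). The function names are hypothetical, and $headers is assumed to be the merged header array that other modules' hook_file_download() implementations returned for the URI.

```php
<?php
// Added example; example_* names are hypothetical, not part of File Force.

/**
 * Extracts the filename parameter from a Content-Disposition header value.
 * Returns NULL when the header carries no plain filename parameter.
 */
function example_disposition_filename($value) {
  // Quoted form: filename="test.zip" (backslash-escaped characters allowed).
  if (preg_match('/(?:^|;)\s*filename\s*=\s*"((?:[^"\\\\]|\\\\.)*)"/i', $value, $m)) {
    return preg_replace('/\\\\(.)/s', '$1', $m[1]);
  }
  // Unquoted token form: filename=test.zip
  if (preg_match('/(?:^|;)\s*filename\s*=\s*([^\s;"]+)/i', $value, $m)) {
    return $m[1];
  }
  return NULL;
}

/**
 * Picks the download name: the name another module already put in
 * Content-Disposition if there is one, otherwise the URI basename.
 */
function example_download_name($uri, array $headers) {
  $name = NULL;
  foreach ($headers as $key => $value) {
    if (strtolower($key) === 'content-disposition') {
      $name = example_disposition_filename($value);
    }
  }
  if ($name === NULL || $name === '') {
    $name = basename($uri);
  }
  // The name ends up inside a response header, so drop any path component
  // and any control character or quote that could break out of the value.
  $name = basename(str_replace('\\', '/', $name));
  return preg_replace('/[\x00-\x1F\x7F"]/', '', $name);
}

// Constructed sample: the file sits on disk as test_0.zip, while the module
// that owns it reported the uploaded name in its own header.
$headers = array('Content-Disposition' => 'attachment; filename="test.zip"');
$name = example_download_name('private://test_0.zip', $headers);
print 'Content-Disposition: attachment; filename="' . $name . '"' . "\n";
```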

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.