"The URI specification[1] defines the ability to send parameters in the path portion of the URI by inserting the semicolon character (before the query portion that starts with a question mark "?"). Many Web technologies support this feature [a.k.a. "path parameters"]. In simple words, if a web server accepts path parameters it does not really consider them to be a part of the path, which means we can inject any content, as it will be ignored. However, when it comes to determining the filename of a download, the vast majority of Web browsers (all browsers but Safari) parse and set a filename from path parameters."
[1] http://tools.ietf.org/html/rfc3986#section-3.3
A fairly obscure feature of URIs, apparently handled correctly by some web servers, but overlooked by most browsers. Argh. Again.