Download of file with arbitrary extension via injection into attachment header

Description ----------- When downloading mail attachments, the app fails to properly escape quotes in the content disposition header. Because of this, an attacker can send a victim a file with a benign extension such as `.txt` or `.png` which when downloaded will be stored with a malicious extension such as `.bat` or `.docm`. This vulnerability can for example be exploited in the following scenarios: - It allows bypassing of extension-based attachment filtering by email providers (or other intermediate email systems), as is common in many networks. - As the attachment is displayed as a benign file in Nextcloud, a user may incorrectly trust it to be a benign file. POC --- - Send a mail to an email address that is connected to Nextcloud Mail with an attached file called `test.bat".png`. - open the mail -> click on the attachment icon -> click on the download icon. While Nextcloud correctly displays the file as a benign `.png` file, it will be downloaded as `test.bat` instead. Tested with Firefox under Windows. As alternative to `.bat` files (which may be prevented from executing by Microsoft Defender SmartScreen), an attacker can also send other malicious files such as for example `.vbs` files, as well as `.docm` files containing macro viruses. Request ------- ``` GET /nextcloud/index.php/apps/mail/api/messages/26/attachment/2 HTTP/1.1 Host: 192.168.0.101 HTTP/1.1 200 OK [...] Content-Disposition: attachment; filename="test.bat".png" [...] Content-Type: application/octet-stream C:\Windows\system32\calc.exe ``` Solution -------- Quotes should be properly escaped before being inserted into the Content-Disposition header. ## Impact Offering malicious files for download, leading to code execution on the computer of the victim if they download and open the file.