When downloading a file named "foo bar" from a server, QWebEngineDownloadItem::path() ends with "foo%20bar". Meanwhile, Chromium/Firefox save that file as "foo bar".
When a server sends a Content-Disposition header with filename=foo%20bar, this should be saved as "foo%20bar", and the path is also "foo%20bar" - that means when attempting to percent-decode the value we got, a website can write arbitary files by passing a filename like "..%2F.profile" (which is what happened with at least two QtWebEngine projects).
|For Gerrit Dashboard: QTBUG-58155|
|182490,2||QWebEngineDownloadItem::path() should not be percentage encoded||5.8||qt/qtwebengine||Status: MERGED||+2||0|