attempt to fix blackhole dirs with reverse proxies

src/Jackett/Controllers/AdminController.cs

@@ -475,9 +475,10 @@ namespace Jackett.Controllers
             foreach (var result in results)
             {
                 var link = result.Link;
-                result.Link = serverService.ConvertToProxyLink(link, serverUrl, result.TrackerId, "dl", result.Title + ".torrent");
+                var file = StringUtil.MakeValidFileName(result.Title, '_', false) + ".torrent";
+                result.Link = serverService.ConvertToProxyLink(link, serverUrl, result.TrackerId, "dl", file);
                 if (result.Link != null && result.Link.Scheme != "magnet" && !string.IsNullOrWhiteSpace(Engine.Server.Config.BlackholeDir))
-                    result.BlackholeLink = serverService.ConvertToProxyLink(link, serverUrl, result.TrackerId, "bh", string.Empty);
+                    result.BlackholeLink = serverService.ConvertToProxyLink(link, serverUrl, result.TrackerId, "bh", file);
 
             }
         }

src/Jackett/Controllers/BlackholeController.cs

@@ -1,4 +1,5 @@
 using Jackett.Services;
+using Jackett.Utils;
 using Newtonsoft.Json.Linq;
 using NLog;
 using System;
@@ -31,7 +32,7 @@ namespace Jackett.Controllers
         }
 
         [HttpGet]
-        public async Task<IHttpActionResult> Blackhole(string indexerID, string path, string apikey)
+        public async Task<IHttpActionResult> Blackhole(string indexerID, string path, string apikey, string file)
         {
 
             var jsonReply = new JObject();
@@ -60,7 +61,12 @@ namespace Jackett.Controllers
                     throw new Exception("Blackhole directory does not exist: " + Engine.Server.Config.BlackholeDir);
                 }
 
-                var fileName = DateTime.Now.Ticks + ".torrent";
+                var fileName = DateTime.Now.Ticks.ToString() + "-" + StringUtil.MakeValidFileName(indexer.DisplayName, '_', false);
+                if (string.IsNullOrWhiteSpace(file))
+                    fileName += ".torrent";
+                else
+                    fileName += "-"+StringUtil.MakeValidFileName(file, '_', false); // call MakeValidFileName() again to avoid any possibility of path traversal attacks 
+
                 File.WriteAllBytes(Path.Combine(Engine.Server.Config.BlackholeDir, fileName), downloadBytes);
                 jsonReply["result"] = "success";
             }

src/Jackett/Controllers/DownloadController.cs

@@ -11,6 +11,7 @@ using System.Threading.Tasks;
 using System.Web;
 using System.Web.Http;
 using MonoTorrent.BEncoding;
+using Jackett.Utils;
 
 namespace Jackett.Controllers
 {
@@ -54,19 +55,12 @@ namespace Jackett.Controllers
                 var torrentDictionary = BEncodedDictionary.DecodeTorrent(downloadBytes);
                 downloadBytes = torrentDictionary.Encode();
 
-                char[] invalidChars = System.IO.Path.GetInvalidFileNameChars();
-                for (int i = 0; i < file.Count(); i++)
-                    if (invalidChars.Contains(file[i]))
-                    {
-                        file = file.Remove(i, 1).Insert(i, " ");
-                    }
-
                 var result = new HttpResponseMessage(HttpStatusCode.OK);
                 result.Content = new ByteArrayContent(downloadBytes);
                 result.Content.Headers.ContentType = new MediaTypeHeaderValue("application/x-bittorrent");
                 result.Content.Headers.ContentDisposition = new ContentDispositionHeaderValue("attachment")
                 {
-                    FileName = file
+                    FileName = StringUtil.MakeValidFileName(file, '_', false) // call MakeValidFileName again to avoid any kind of injection attack
                 };
                 return result;
             }