Import uploader does not check Content-Disposition header

[EliasZ]

Preconditions

Magento 2.2.1 (probably previous versions too, cannot imagine this functionality being removed on purpose)

Steps to reproduce

1. Create a product import CSV with an image URL (which does not have a proper image extension) leading to an image being force downloaded by HTTP headers (for example: https://gist.github.com/brasofilo/2863355 (example gist))

2. Import it

Expected result

1. Magento properly checks the headers, downloads the file to the filename given in the headers and then imports it

Actual result

1. Magento does not check the headers and downloads the file (for example http://example.com/downloadsomefile becomes something like /pub/media/import/httpexamplecomdownloadsomefile)
2. The filename does not have a valid file extension and validation fails resulting in the file not being properly imported

Problem

Magento\CatalogImportExport\Model\Import\Uploader::move() sets $fileName to a stripped version of the URL. Here it should do a Magento\Framework\Filesystem\File\ReadInterface::stat() on the URL to check if the Content-Disposition header is set and a filename is provided.

[magento-engcom-team]

@EliasZ, thank you for your report.
We've created internal ticket(s) MAGETWO-84645 to track progress on the issue.