CVE-2020-8177: curl symlink attack via -J (Content-Disposition) and -i (include headers)
CVE-2020-8177 is a local file overwrite vulnerability in curl 7.20.0–7.71.0 caused by a TOCTOU/symlink-following flaw in the "don't overwrite" protection for --remote-header-name (-J / Content-Disposition filenames).

When curl uses a Content-Disposition-derived filename, it checks whether the file exists using fopen(filename, "rb"), which follows symlinks. For a dangling symlink (one pointing to a non-existent target), fopen returns NULL, so the protection check passes falsely; the subsequent fopen(filename, "wb") then creates the symlink target.

Additionally, when -i (include headers) is combined with -J, the output file is opened by show_headers before Content-Disposition is processed (is_cd_filename=FALSE), which bypasses the protection block entirely.

Bug class: symlink-attack.
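The existence probe described above, set beside an atomic alternative, as an added example (not curl's source code and not the project's actual fix). The function names, the scratch directory under /tmp and the file names out and target are constructed for illustration.

```c
/* Added example with constructed names; not taken from curl. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Weak check as described above: fopen("rb") follows symlinks, so a
 * dangling link looks like "no such file" and "wb" creates its target. */
FILE *open_noclobber_weak(const char *name)
{
    FILE *probe = fopen(name, "rb");
    if (probe) { fclose(probe); return NULL; }  /* exists: refuse */
    return fopen(name, "wb");                   /* follows the symlink */
}

/* Hardened: O_CREAT|O_EXCL checks and creates in one atomic step and fails
 * with EEXIST when the last path component is a symlink, dangling or not. */
FILE *open_noclobber_safe(const char *name)
{
    int fd = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return NULL;
    FILE *f = fdopen(fd, "wb");
    if (!f) close(fd);
    return f;
}

/* Builds a scratch dir with a dangling symlink "out" -> "target". Returns 1
 * if the opener created "target" through the link, 0 if not, -1 on error. */
int target_created(FILE *(*opener)(const char *))
{
    char dir[] = "/tmp/cdnameXXXXXX", lnk[64], target[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/out", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lnk) != 0) { rmdir(dir); return -1; }
    FILE *f = opener(lnk);
    if (f) fclose(f);
    int created = (access(target, F_OK) == 0);
    unlink(target); unlink(lnk); rmdir(dir);
    return created;
}

int main(void)
{
    printf("weak created target: %d, safe created target: %d\n",
           target_created(open_noclobber_weak), target_created(open_noclobber_safe));
    return 0;
}
```

Because the exclusive create refuses at open time, it does not depend on a separate check having run first, which is the property the -i code path lacked.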