curo/kite
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(06.2): CR-06 RFC 5987-encode Content-Disposition filename to prevent header injection

Browse Source
This commit is contained in:
curo1305
2026-06-01 14:26:46 +02:00
parent 653cb3a98b
commit 1a34209bb0
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/api/documents.py
+3 -1
View File
@@ -21,6 +21,7 @@ to all handlers. The doc.user_id=None guard in /confirm is a Wave 2 placeholder.
""" """
from __future__ import annotations from __future__ import annotations
import urllib.parse
import uuid import uuid
from pathlib import Path from pathlib import Path
from typing import Optional from typing import Optional
@@ -786,9 +787,10 @@ async def stream_document_content(
) from exc ) from exc
file_size = len(file_bytes) file_size = len(file_bytes)
safe_name = urllib.parse.quote(doc.filename, safe='')
headers = { headers = {
"content-type": doc.content_type, "content-type": doc.content_type,
"content-disposition": f'inline; filename="{doc.filename}"', "content-disposition": f"inline; filename*=UTF-8''{safe_name}",
"accept-ranges": "bytes", "accept-ranges": "bytes",
"content-length": str(file_size), "content-length": str(file_size),
} }