fix(06.2): CR-06 RFC 5987-encode Content-Disposition filename to prevent header injection

2026-06-01 14:26:46 +02:00
parent 653cb3a98b
commit 1a34209bb0
1 changed files with 3 additions and 1 deletions
@@ -21,6 +21,7 @@ to all handlers. The doc.user_id=None guard in /confirm is a Wave 2 placeholder.
 """
 from __future__ import annotations

+import urllib.parse
 import uuid
 from pathlib import Path
 from typing import Optional
@@ -786,9 +787,10 @@ async def stream_document_content(
        ) from exc
    file_size = len(file_bytes)

+    safe_name = urllib.parse.quote(doc.filename, safe='')
    headers = {
        "content-type": doc.content_type,
-        "content-disposition": f'inline; filename="{doc.filename}"',
+        "content-disposition": f"inline; filename*=UTF-8''{safe_name}",
        "accept-ranges": "bytes",
        "content-length": str(file_size),
    }