From c8dece351c945902cc0551463d2014bc3a29e00c Mon Sep 17 00:00:00 2001
From: XiuChengWu <732857315@qq.com>
Date: Tue, 31 Mar 2026 23:39:20 +0800
Subject: [PATCH] fix(security): sanitize filename in Content-Disposition header to prevent injection

---
 src/plugins/http/routes.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/plugins/http/routes.rs b/src/plugins/http/routes.rs
index 79500f2..9c94430 100644
--- a/src/plugins/http/routes.rs
+++ b/src/plugins/http/routes.rs
@@ -1712,11 +1712,17 @@ fn read_attachment_response(path: &Path) -> warp::reply::Response {
     match std::fs::read(path) {
         Ok(data) => {
             let filename = path.file_name().unwrap_or_default().to_string_lossy();
+            // Sanitize filename for Content-Disposition header to prevent header injection
+            let safe_filename = filename
+                .replace('\\', "_")
+                .replace('"', "_")
+                .replace('\r', "")
+                .replace('\n', "");
             match warp::http::Response::builder()
                 .header("Content-Type", "application/octet-stream")
                 .header(
                     "Content-Disposition",
-                    format!("attachment; filename=\"(unknown)\""),
+                    format!("attachment; filename=\"{safe_filename}\""),
                 )
                 .header("Content-Length", data.len().to_string())
                 .body(data)
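Review bot: The `safe_filename` chain neutralises only `\\`, `"`, CR and LF, so other control characters (NUL and the rest of the C0 range) and every non-ASCII character produced by `to_string_lossy()` still reach the header builder unchanged. If `warp::http::Response::builder()` validates values through the `http` crate's `HeaderValue`, CR/LF would already have been rejected at build time rather than reaching the wire, so the practical effect of the new lines is that such names now yield a response instead of the builder's error path — but that same validation presumably still fails on NUL and other C0 bytes, while bytes >= 0x80 are accepted as obs-text and emitted raw, which browsers decode inconsistently inside `filename=`. An allow-list over the characters a quoted-string can safely carry is easier to reason about than a deny-list of four characters; if non-ASCII names must be preserved, add an RFC 6266 `filename*=UTF-8''…` parameter with percent-encoding next to the ASCII fallback rather than widening the deny-list. `read_attachment_response` starts before the hunk and its `match` continues after it.
```rust
            let filename = path.file_name().unwrap_or_default().to_string_lossy();
            // Allow-list: keep printable ASCII; '"' and '\\' would terminate or
            // escape the quoted-string, everything else is not safe in a header.
            let safe_filename: String = filename
                .chars()
                .map(|c| match c {
                    '"' | '\\' => '_',
                    c if c.is_ascii_graphic() || c == ' ' => c,
                    _ => '_',
                })
                .collect();
            // … unchanged: response builder using {safe_filename} …
```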