pulsareon/ShowenV2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): sanitize filename in Content-Disposition header to prevent injection

Browse Source
This commit is contained in:
XiuChengWu
2026-03-31 23:39:20 +08:00
parent fbe064253c
commit c8dece351c
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/plugins/http/routes.rs
View File

@@ -1712,11 +1712,17 @@ fn read_attachment_response(path: &Path) -> warp::reply::Response {
match std::fs::read(path) { match std::fs::read(path) {
Ok(data) => { Ok(data) => {
let filename = path.file_name().unwrap_or_default().to_string_lossy(); let filename = path.file_name().unwrap_or_default().to_string_lossy();
// Sanitize filename for Content-Disposition header to prevent header injection
let safe_filename = filename
.replace('\\', "_")
.replace('"', "_")
.replace('\r', "")
.replace('\n', "");
match warp::http::Response::builder() match warp::http::Response::builder()
.header("Content-Type", "application/octet-stream") .header("Content-Type", "application/octet-stream")
.header( .header(
"Content-Disposition", "Content-Disposition",
format!("attachment; filename=\"{filename}\""), format!("attachment; filename=\"{safe_filename}\""),
) )
.header("Content-Length", data.len().to_string()) .header("Content-Length", data.len().to_string())
.body(data) .body(data)