fix: Escape Content-Disposition filename per RFC 2616

Filenames containing quotes, backslashes, or special characters could break the Content-Disposition header or cause client-side parsing issues. Now properly escapes these characters before including in the header.
5 days ago · 11200e41f1
1 changed files with 4 additions and 1 deletions
--- a/weed/admin/handlers/file_browser_handlers.go
+++ b/weed/admin/handlers/file_browser_handlers.go
@ -585,7 +585,10 @@ func (h *FileBrowserHandlers) DownloadFile(c *gin.Context) {

 	// Set headers for file download
 	fileName := filepath.Base(cleanFilePath)
-	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", fileName))
+	// Escape quotes and backslashes in filename per RFC 2616
+	escapedFileName := strings.ReplaceAll(fileName, "\\", "\\\\")
+	escapedFileName = strings.ReplaceAll(escapedFileName, "\"", "\\\"")
+	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", escapedFileName))

 	// Use content type from filer response, or default to octet-stream
 	contentType := resp.Header.Get("Content-Type")