From 11200e41f1eda9e247f6ad2701bc6d6219104df9 Mon Sep 17 00:00:00 2001
From: chrislu
Date: Fri, 5 Dec 2025 14:22:26 -0800
Subject: [PATCH] fix: Escape Content-Disposition filename per RFC 2616
Filenames containing quotes, backslashes, or special characters could break the Content-Disposition header or cause client-side parsing issues. Now properly escapes these characters before including in the header.
---
 weed/admin/handlers/file_browser_handlers.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/weed/admin/handlers/file_browser_handlers.go b/weed/admin/handlers/file_browser_handlers.go
index aec013e1a..e964b05c4 100644
--- a/weed/admin/handlers/file_browser_handlers.go
+++ b/weed/admin/handlers/file_browser_handlers.go
@@ -585,7 +585,10 @@ func (h *FileBrowserHandlers) DownloadFile(c *gin.Context) {
 // Set headers for file download
 fileName := filepath.Base(cleanFilePath)
- c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", fileName))
+ // Escape quotes and backslashes in filename per RFC 2616
+ escapedFileName := strings.ReplaceAll(fileName, "\\", "\\\\")
+ escapedFileName = strings.ReplaceAll(escapedFileName, "\"", "\\\"")
+ c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", escapedFileName))
 // Use content type from filer response, or default to octet-stream
 contentType := resp.Header.Get("Content-Type")
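Review bot: The two `strings.ReplaceAll` calls escape only `"` and `\`, so a stored filename containing control characters (CR, LF, NUL) or non-ASCII bytes still reaches the quoted-string unchanged, although the commit message says "special characters" are handled. Whether a lower layer neutralises CR/LF in header values is not visible in this hunk, so the handler should not depend on it. The standard library already builds this parameter: `c.Header("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": fileName}))` quotes where needed and emits the RFC 2231 `filename*=` form for non-ASCII names. It returns an empty string for values it cannot encode, so fall back to a bare `attachment` in that case; it also needs the `mime` import. The comment could cite RFC 6266, which defines Content-Disposition for HTTP, rather than the obsoleted RFC 2616. `DownloadFile` starts and ends outside the hunk, so how `cleanFilePath` is validated is not visible here.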