mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 21:27:38 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_http_file_share: Use alternate syntax for filename in Content-Disposition

Browse source 
The Lua string.format %q doesn't behave correctly for all characters
that should be escaped in a quoted-string. And who knows what effects
higher Unicode might have here.

Applying percent-encoding of filenames seems like the safest way to deal
with filenames, as well as being easier than implementing the actual
quoted-string transform, which seems complicated and I'm not even sure
it covers every possible character.

Filenames can safely be assumed to be UTF-8 since they are passed in an
attribute in the query without any escaping.
This commit is contained in:
Kim Alvefur 2022-01-29 16:11:38 +01:00
parent 46ad556ca0
commit ca19260145
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
plugins/mod_http_file_share.lua
View file

@ -15,6 +15,7 @@ local dm = require "core.storagemanager".olddm;
local jwt = require "util.jwt";
local errors = require "util.error";
local dataform = require "util.dataforms".new;
local urlencode = require "util.http".urlencode;
local dt = require "util.datetime";
local hi = require "util.human.units";
local cache = require "util.cache";
@ -431,7 +432,7 @@ function handle_download(event, path) -- GET /uploads/:slot+filename
response.headers.last_modified = last_modified;
response.headers.content_length = filesize;
response.headers.content_type = filetype;
response.headers.content_disposition = string.format("%s; filename=%q", disposition, basename);
response.headers.content_disposition = string.format("%s; filename*=UTF-8''%s", disposition, urlencode(basename));
if response_range then
response.status_code = 206;