Merge pull request 'Sanitize Content-Disposition filename in downloads' (#43) from fix/content-disposition-injection into main

Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/43
Matthew Knight 2026-02-18 00:14:50 +00:00
commit ec94d94453
1 changed files with 2 additions and 1 deletions


@ -2,6 +2,7 @@ package public
import ( import (
"io" "io"
"mime"
"net/http" "net/http"
"sort" "sort"
"strconv" "strconv"
@ -531,7 +532,7 @@ func (h *TicketHandler) proxyAssetDownload(c *gin.Context, assetURL, filename st
contentType = "application/octet-stream" contentType = "application/octet-stream"
} }
c.Header("Content-Type", contentType) c.Header("Content-Type", contentType)
c.Header("Content-Disposition", "attachment; filename=\""+filename+"\"") c.Header("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": filename}))
if cl := resp.Header.Get("Content-Length"); cl != "" { if cl := resp.Header.Get("Content-Length"); cl != "" {
c.Header("Content-Length", cl) c.Header("Content-Length", cl)
} }
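Review bot: The new Content-Disposition line has no handling for `mime.FormatMediaType` returning the empty string, which its documentation says happens when an argument would violate the standard (older Go releases do this for non-ASCII parameter values; current ones percent-encode them instead), and gin's `c.Header` treats an empty value as a delete, so in that case the header is silently dropped and the asset is served inline rather than as an attachment. Since the point of this change is to keep an attacker-influenced `filename` out of the header, a safe fallback is worth the extra lines: `cd := mime.FormatMediaType("attachment", map[string]string{"filename": filename})`, `if cd == "" { cd = "attachment; filename=\"download\"" }`, `c.Header("Content-Disposition", cd)`. Also note that when the value needs encoding, recent Go emits only the RFC 2231 `filename*=utf-8''…` form with no plain `filename=` parameter, so clients that do not understand that form pick their own name; acceptable, but a one-line comment such as `// non-ASCII/control chars become filename*=utf-8''…; no legacy filename= fallback` would save the next reader a trip to the stdlib source. proxyAssetDownload begins and ends outside this hunk.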