Merge pull request 'Sanitize Content-Disposition filename in downloads' (#43) from fix/content-disposition-injection into main

Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/43
Matthew Knight 2026-02-18 00:14:50 +00:00
commit ec94d94453
1 changed files with 2 additions and 1 deletions


@ -2,6 +2,7 @@ package public
import (
"io"
"mime"
"net/http"
"sort"
"strconv"
@ -531,7 +532,7 @@ func (h *TicketHandler) proxyAssetDownload(c *gin.Context, assetURL, filename st
contentType = "application/octet-stream"
}
c.Header("Content-Type", contentType)
c.Header("Content-Disposition", "attachment; filename=\""+filename+"\"")
c.Header("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": filename}))
if cl := resp.Header.Get("Content-Length"); cl != "" {
c.Header("Content-Length", cl)
}
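Review bot: The result of `mime.FormatMediaType` on the new Content-Disposition line is passed to `c.Header` unchecked, although the function is documented to return the empty string when an argument violates the standard. Which filenames trigger that depends on the Go version in use (older releases appear to reject non-ASCII values rather than encoding them), and gin's `c.Header` removes the header when given an empty value. The proxied asset would then be served with the upstream Content-Type and no `attachment` disposition, so a browser may render it inline on this origin. I would fall back explicitly: `cd := mime.FormatMediaType("attachment", map[string]string{"filename": filename})`, `if cd == "" { cd = "attachment" }`, `c.Header("Content-Disposition", cd)`. The body of `proxyAssetDownload` starts and ends outside this hunk, so I cannot tell from here whether `filename` is validated earlier.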