# HG changeset patch # User Kim Alvefur # Date 1643469098 -3600 # Node ID 88958c0ecab37ad8738951218c120edcaed5e939 # Parent 7db81c9cbbbf7309ca88493810bf6d36c90158ec mod_http_file_share: Use alternate syntax for filename in Content-Disposition The Lua string.format %q doesn't behave correctly for all characters that should be escaped in a quoted-string. And who knows what effects higher Unicode might have here. Applying percent-encoding of filenames seems like the safest way to deal with filenames, as well as being easier than implementing the actual quoted-string transform, which seems complicated and I'm not even sure it covers every possible character. Filenames can safely be assumed to be UTF-8 since they are passed in an attribute in the query without any escaping. diff -r 7db81c9cbbbf -r 88958c0ecab3 plugins/mod_http_file_share.lua --- a/plugins/mod_http_file_share.lua Sat Jan 29 15:01:38 2022 +0100 +++ b/plugins/mod_http_file_share.lua Sat Jan 29 16:11:38 2022 +0100 @@ -15,6 +15,7 @@ local jwt = require "util.jwt"; local errors = require "util.error"; local dataform = require "util.dataforms".new; +local urlencode = require "util.http".urlencode; local dt = require "util.datetime"; local hi = require "util.human.units"; local cache = require "util.cache"; @@ -431,7 +432,7 @@ response.headers.last_modified = last_modified; response.headers.content_length = filesize; response.headers.content_type = filetype; - response.headers.content_disposition = string.format("%s; filename=%q", disposition, basename); + response.headers.content_disposition = string.format("%s; filename*=UTF-8''%s", disposition, urlencode(basename)); if response_range then response.status_code = 206;