Sanitize filename in content-disposition header

author Flole998 <Flole998@users.noreply.github.com>

Fri, 2 Feb 2024 22:44:48 +0000 (22:44 +0000)

committer Flole998 <Flole998@users.noreply.github.com>

Sat, 3 Feb 2024 19:56:50 +0000 (20:56 +0100)
author Flole998 <Flole998@users.noreply.github.com>
Fri, 2 Feb 2024 22:44:48 +0000 (22:44 +0000)
committer Flole998 <Flole998@users.noreply.github.com>
Sat, 3 Feb 2024 19:56:50 +0000 (20:56 +0100)
diff --git a/src/webui/webui.c b/src/webui/webui.c

index 68a15f621711b5f9f45ba526767738afc1087a7e..359a8ba61534c01dbb959ce796fd26ea114ca815 100644 (file)
--- a/src/webui/webui.c
+++ b/src/webui/webui.c
@@ -2204,6 +2204,19 @@ page_srvid2(http_connection_t *hc, const char *remain, void *opaque)
    return 0;
  }
  
+/**
+ * Sanitice a filename to remove illegal characters from it
+ */
+static char *sanitize_filename(char *filename) {
+  if (!filename) return NULL;
+  char *s;
+  for (s = filename; *s; s++) {
+    if ((*s < 32) || (*s > 122) || strchr("/:\\<>|*?\"", *s) != NULL)
+      *s = '_';
+  }
+  return filename;
+}
+
  /**
   * Send a file
   */
@@ -2244,6 +2257,7 @@ http_serve_file(http_connection_t *hc, const char *fname,
                   basename, intlconv_charset_id("ASCII", 1, 1));
          return HTTP_STATUS_INTERNAL;
        }
+      sanitize_filename(str0);
        htsbuf_queue_init(&q, 0);
        htsbuf_append_and_escape_rfc8187(&q, basename);
        str = htsbuf_to_string(&q);
author	Flole998 <Flole998@users.noreply.github.com>
	Fri, 2 Feb 2024 22:44:48 +0000 (22:44 +0000)
committer	Flole998 <Flole998@users.noreply.github.com>
	Sat, 3 Feb 2024 19:56:50 +0000 (20:56 +0100)