
Security: c.Attachment and c.Inline should escape name in Content-Disposition header to avoid 'Reflect File Download' vulnerability. (#2541)

This is the same as the Go standard library does it in 9d836d41d0/src/mime/multipart/writer.go (L132)
This commit is contained in:
Martti T
2023-11-07 14:10:06 +02:00
committed by GitHub
parent 50ebcd8d7c
commit 14daeb9680
2 changed files with 63 additions and 19 deletions


@ -584,8 +584,10 @@ func (c *context) Inline(file, name string) error {
return c.contentDisposition(file, name, "inline")
}
var quoteEscaper = strings.NewReplacer("\\", "\\\\", `"`, "\\\"")
func (c *context) contentDisposition(file, name, dispositionType string) error {
c.response.Header().Set(HeaderContentDisposition, fmt.Sprintf("%s; filename=%q", dispositionType, name))
c.response.Header().Set(HeaderContentDisposition, fmt.Sprintf(`%s; filename="%s"`, dispositionType, quoteEscaper.Replace(name)))
return c.File(file)
}
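Review bot: The new `quoteEscaper` declared after `Inline` has no comment saying what it escapes, and the `filename="%s"` format in `contentDisposition` does not make it obvious that only backslash and double quote are handled. Add `// quoteEscaper escapes backslashes and double quotes so a caller-supplied name is safe inside the quoted-string filename parameter (same scheme as mime/multipart's writer).` above the var. The replacer leaves CR/LF and non-ASCII bytes in name untouched; net/http's header writer substitutes spaces for CR/LF as far as I recall, so header injection is delegated there, but non-ASCII names are still emitted as raw bytes inside the quotes rather than as an RFC 5987 `filename*` parameter. If non-ASCII names matter, `mime.FormatMediaType(dispositionType, map[string]string{"filename": name})` is the standard-library way to build the whole value, at the cost of a different header shape for such names that the new tests would need to cover. `contentDisposition` is fully inside the hunk; `Inline` begins before it.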