Fix Content-Disposition header to quote filename for security

sysadminsmedia · Dec 2, 2024 · 6aa68ca · 6aa68ca
1 parent b48ae25
commit 6aa68ca
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/backend/app/api/handlers/v1/v1_ctrl_items.go b/backend/app/api/handlers/v1/v1_ctrl_items.go
@@ -346,7 +346,7 @@ func (ctrl *V1Controller) HandleItemsExport() errchain.HandlerFunc {
 		filename := fmt.Sprintf("homebox-items_%s.csv", timestamp) // add timestamp to filename
 
 		w.Header().Set("Content-Type", "text/csv")
-		w.Header().Set("Content-Disposition", fmt.Sprintf("attachment;filename=%s", filename))
+		w.Header().Set("Content-Disposition", fmt.Sprintf('attachment;filename=%s', filename))
 
 		writer := csv.NewWriter(w)
 		writer.Comma = ','