From 6aa68ca1b9ebf893e978dcd29094fa3afd7f679e Mon Sep 17 00:00:00 2001
From: Sai Vishnu
Date: Mon, 2 Dec 2024 13:02:36 +0530
Subject: [PATCH] Fix Content-Disposition header to quote filename for security

---
 backend/app/api/handlers/v1/v1_ctrl_items.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/app/api/handlers/v1/v1_ctrl_items.go b/backend/app/api/handlers/v1/v1_ctrl_items.go
index b23534d6..b438a2ff 100644
--- a/backend/app/api/handlers/v1/v1_ctrl_items.go
+++ b/backend/app/api/handlers/v1/v1_ctrl_items.go
@@ -346,7 +346,7 @@ func (ctrl *V1Controller) HandleItemsExport() errchain.HandlerFunc {
 filename := fmt.Sprintf("homebox-items_%s.csv", timestamp) // add timestamp to filename
 w.Header().Set("Content-Type", "text/csv")
- w.Header().Set("Content-Disposition", fmt.Sprintf("attachment;filename=%s", filename))
+ w.Header().Set("Content-Disposition", fmt.Sprintf('attachment;filename=%s', filename))
 writer := csv.NewWriter(w)
 writer.Comma = ','
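Review bot: The added line does not quote the filename at all and will not compile: in Go, single quotes delimit a rune literal, so `'attachment;filename=%s'` is a multi-character rune literal rather than a string, and fmt.Sprintf no longer receives a format string. The header value emitted to the client is still the bare `attachment;filename=homebox-items_<timestamp>.csv`, so the security intent in the subject line is not realised. The correct fix is to let the standard library produce a quoted and escaped parameter, e.g. `w.Header().Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": filename}))` with `"mime"` added to the import block; at minimum, `fmt.Sprintf("attachment; filename=%q", filename)` puts the name in double quotes. The filename here is derived from `timestamp`, whose construction is outside this hunk, so how much escaping matters in practice cannot be judged from these lines; the hunk also continues past the visible context and HandleItemsExport's body extends beyond it.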