From c0edbdbdd6ab164fdbbd157c2e0fa10663d26c36 Mon Sep 17 00:00:00 2001
From: clsr
Date: Fri, 5 Feb 2021 08:23:30 +0000
Subject: Fix Content-Disposition filename text filtering
---
 cnhttp.go | 4 ++--
 go.mod | 9 +++++++++
 go.sum | 6 ++++++
 3 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 go.mod
 create mode 100644 go.sum
diff --git a/cnhttp.go b/cnhttp.go
index f9f9a30..b1e88db 100644
--- a/cnhttp.go
+++ b/cnhttp.go
@@ -1,4 +1,4 @@
-package main
+package main // import "contnet.org/util/cn-http"
 
 import (
 "bytes"
@@ -274,7 +274,7 @@ func (srv *server) cnpParamsToHTTP(w http.ResponseWriter, resp *cnp.Response) {
 }
 if n := resp.Name(); n != "" {
 w.Header().Set("Content-Disposition", "inline; filename=\""+strings.Map(func(r rune) rune {
- if r < ' ' || r == ' ' || r == '\'' { // filter out nulls, control codes, newlines and quotes
+ if r < ' ' || r == '"' || r == '\'' { // filter out nulls, control codes, newlines and quotes
 return -1
 }
 return r
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..dd76afa
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,9 @@
+module contnet.org/util/cn-http
+
+go 1.12
+
+require (
+ contnet.org/lib/cnm-go v0.4.0
+ contnet.org/lib/cnp-go v0.2.0
+ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..b213d38
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,6 @@
+contnet.org/lib/cnm-go v0.4.0 h1:28I1CXDp3QyBPaWy7lZeD2gIOdfAUD4ErBvuujgibFk=
+contnet.org/lib/cnm-go v0.4.0/go.mod h1:BL0FsUB8++6EDKgUz2ynC3IEgyouBkJXeBE6ZGh7f0s=
+contnet.org/lib/cnp-go v0.2.0 h1:hKzFwR7BRZdU6MrLzb3P76pIRuI2u1b6IiSg7voP7w8=
+contnet.org/lib/cnp-go v0.2.0/go.mod h1:gXG8x1iRjObzAJxRWlv1YrYiuCutye7SS+X9VArmxNA=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
--
cgit
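Review bot: The rune filter in the `strings.Map` callback of cnpParamsToHTTP (second hunk of cnhttp.go) still passes a backslash and DEL (0x7f) into the quoted `filename` value. Inside a quoted-string a backslash begins a quoted-pair, so a name ending in `\` yields `filename="name\"` with the closing quote escaped and the header left malformed. `resp.Name()` appears to come from the remote CNP response, so I would treat it as untrusted and extend the condition to `if r < ' ' || r == 0x7f || r == '"' || r == '\'' || r == '\\' {`, updating the trailing comment to mention backslashes. Non-ASCII runes are also written raw; building the value with `mime.FormatMediaType("inline", map[string]string{"filename": n})` may be worth considering in place of the hand-rolled filter, after checking its behaviour on the targeted Go version. The function body starts and ends outside this hunk, so any other use of the name was not reviewed.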