mod_http_file_share: Use alternate syntax for filename in Content-Disposition
The Lua string.format %q doesn't behave correctly for all characters
that should be escaped in a quoted-string. And who knows what effects
higher Unicode might have here.
Applying percent-encoding of filenames seems like the safest way to deal
with filenames, as well as being easier than implementing the actual
quoted-string transform, which seems complicated and I'm not even sure
it covers every possible character.
Filenames can safely be assumed to be UTF-8 since they are passed in an
attribute in the query without any escaping.
--- a/plugins/mod_http_file_share.lua Sat Jan 29 15:01:38 2022 +0100
+++ b/plugins/mod_http_file_share.lua Sat Jan 29 16:11:38 2022 +0100
@@ -15,6 +15,7 @@
local jwt = require "util.jwt";
local errors = require "util.error";
local dataform = require "util.dataforms".new;
+local urlencode = require "util.http".urlencode;
local dt = require "util.datetime";
local hi = require "util.human.units";
local cache = require "util.cache";
@@ -431,7 +432,7 @@
response.headers.last_modified = last_modified;
response.headers.content_length = filesize;
response.headers.content_type = filetype;
- response.headers.content_disposition = string.format("%s; filename=%q", disposition, basename);
+ response.headers.content_disposition = string.format("%s; filename*=UTF-8''%s", disposition, urlencode(basename));
if response_range then
response.status_code = 206;