Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.

Thanks to Motoyasu Saburi for the report.
author: Carlton Gibson <carlton.gibson@noumenal.es> 2022-07-20 12:14:45 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2022-08-03 08:46:31 +0200
commit: bd062445cffd3f6cc6dcd20d13e2abed818fa173 (patch)
tree: e3a150ec5176cb0adff541b1a78cb200ef87428e /django/http
parent: 9062c23de80e999009cbe4100d83e90dd0463612 (diff)
download: django-bd062445cffd3f6cc6dcd20d13e2abed818fa173.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/django/http/response.py b/django/http/response.py
index 2bcd549f34..7a0dd688f7 100644
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -575,7 +575,9 @@ class FileResponse(StreamingHttpResponse):
             disposition = "attachment" if self.as_attachment else "inline"
             try:
                 filename.encode("ascii")
-                file_expr = 'filename="{}"'.format(filename)
+                file_expr = 'filename="{}"'.format(
+                    filename.replace("\\", "\\\\").replace('"', r"\"")
+                )
             except UnicodeEncodeError:
                 file_expr = "filename*=utf-8''{}".format(quote(filename))
             self.headers["Content-Disposition"] = "{}; {}".format(
author	Carlton Gibson <carlton.gibson@noumenal.es>	2022-07-20 12:14:45 +0200
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2022-08-03 08:46:31 +0200
commit	bd062445cffd3f6cc6dcd20d13e2abed818fa173 (patch)
tree	e3a150ec5176cb0adff541b1a78cb200ef87428e /django/http
parent	9062c23de80e999009cbe4100d83e90dd0463612 (diff)
download	django-bd062445cffd3f6cc6dcd20d13e2abed818fa173.tar.gz