authorKim Alvefur <zash@zash.se>2022-01-29 16:11:38 +0100
committerKim Alvefur <zash@zash.se>2022-01-29 16:11:38 +0100
commitca19260145f1bfea476329f2939fe9e46e09a5a6 (patch)
treede1b6dd724079ab125c8a54e86e97d7f28db7c86 /plugins
parent46ad556ca0fc5b3faf41d1d94d1f3aab60cc728f (diff)
mod_http_file_share: Use alternate syntax for filename in Content-Disposition
The Lua string.format %q doesn't behave correctly for all characters that should be escaped in a quoted-string. And who knows what effects higher Unicode might have here. Applying percent-encoding of filenames seems like the safest way to deal with filenames, as well as being easier than implementing the actual quoted-string transform, which seems complicated and I'm not even sure it covers every possible character. Filenames can safely be assumed to be UTF-8 since they are passed in an attribute in the query without any escaping.
Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_http_file_share.lua3
1 files changed, 2 insertions, 1 deletions
diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua
index 8773f3a4..8e433471 100644
--- a/plugins/mod_http_file_share.lua
+++ b/plugins/mod_http_file_share.lua
@@ -15,6 +15,7 @@ local dm = require "core.storagemanager".olddm;
local jwt = require "util.jwt";
local errors = require "util.error";
local dataform = require "util.dataforms".new;
+local urlencode = require "util.http".urlencode;
local dt = require "util.datetime";
local hi = require "util.human.units";
local cache = require "util.cache";
@@ -431,7 +432,7 @@ function handle_download(event, path) -- GET /uploads/:slot+filename
response.headers.last_modified = last_modified;
response.headers.content_length = filesize;
response.headers.content_type = filetype;
- response.headers.content_disposition = string.format("%s; filename=%q", disposition, basename);
+ response.headers.content_disposition = string.format("%s; filename*=UTF-8''%s", disposition, urlencode(basename));
if response_range then
response.status_code = 206;
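Review bot: The new `content_disposition` line sends only the extended `filename*=UTF-8''…` parameter, so a client that does not implement the RFC 6266 extended syntax receives no filename at all; RFC 6266 suggests sending a plain `filename=` parameter alongside it as a fallback. If one is added, it should be built from a sanitised ASCII-only copy of `basename` rather than by going back to `%q`, which the commit message rightly distrusts. The header's resistance to injection now rests entirely on `urlencode` percent-encoding every byte outside the RFC 5987 attr-char set (CR, LF, `"`, `;`, `%` and so on), and that function's body is not visible here. A short comment above the line would record that dependency, for example `-- filename* (RFC 5987): relies on urlencode() escaping everything outside attr-char, incl. CR/LF and quotes`. `handle_download` starts and ends outside this hunk, so how `disposition` and `basename` are derived cannot be checked from here.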