From bd062445cffd3f6cc6dcd20d13e2abed818fa173 Mon Sep 17 00:00:00 2001 From: Carlton Gibson Date: Wed, 20 Jul 2022 12:14:45 +0200 Subject: Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header. Thanks to Motoyasu Saburi for the report. --- django/http/response.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'django') diff --git a/django/http/response.py b/django/http/response.py index 2bcd549f34..7a0dd688f7 100644 --- a/django/http/response.py +++ b/django/http/response.py @@ -575,7 +575,9 @@ class FileResponse(StreamingHttpResponse): disposition = "attachment" if self.as_attachment else "inline" try: filename.encode("ascii") - file_expr = 'filename="{}"'.format(filename) + file_expr = 'filename="{}"'.format( + filename.replace("\\", "\\\\").replace('"', r"\"") + ) except UnicodeEncodeError: file_expr = "filename*=utf-8''{}".format(quote(filename)) self.headers["Content-Disposition"] = "{}; {}".format( -- cgit v1.3