[3.2.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.

Thanks to Motoyasu Saburi for the report.
author: Carlton Gibson <carlton.gibson@noumenal.es> 2022-07-27 10:27:42 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2022-08-03 08:48:33 +0200
commit: b3e4494d759202a3b6bf247fd34455bf13be5b80 (patch)
tree: 860b1455fd65c17ce93dfb68ad2d049a7191c21d /django/http
parent: cb7fbac9f8a93d730be66815620d5769aad521bc (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/django/http/response.py b/django/http/response.py
index 1c22edaff3..73f87d7bda 100644
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -485,7 +485,9 @@ class FileResponse(StreamingHttpResponse):
             disposition = 'attachment' if self.as_attachment else 'inline'
             try:
                 filename.encode('ascii')
-                file_expr = 'filename="{}"'.format(filename)
+                file_expr = 'filename="{}"'.format(
+                    filename.replace('\\', '\\\\').replace('"', r'\"')
+                )
             except UnicodeEncodeError:
                 file_expr = "filename*=utf-8''{}".format(quote(filename))
             self.headers['Content-Disposition'] = '{}; {}'.format(disposition, file_expr)
author	Carlton Gibson <carlton.gibson@noumenal.es>	2022-07-27 10:27:42 +0200
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2022-08-03 08:48:33 +0200
commit	b3e4494d759202a3b6bf247fd34455bf13be5b80 (patch)
tree	860b1455fd65c17ce93dfb68ad2d049a7191c21d /django/http
parent	cb7fbac9f8a93d730be66815620d5769aad521bc (diff)