From 11ee21567bfb928fd3a7ff5e09d3941e27fb4850 Mon Sep 17 00:00:00 2001
From: pratyushjaiswal0806-dot
Date: Fri, 5 Jun 2026 02:38:43 +0530
Subject: [PATCH] Escape slash in filename header
---
 tests-unit/prompt_server_test/view_image_header_test.py | 7 +++++++
 utils/http_headers.py | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/tests-unit/prompt_server_test/view_image_header_test.py b/tests-unit/prompt_server_test/view_image_header_test.py
index 33697a909..8937b0aaf 100644
--- a/tests-unit/prompt_server_test/view_image_header_test.py
+++ b/tests-unit/prompt_server_test/view_image_header_test.py
@@ -29,3 +29,10 @@ def test_view_content_disposition_adds_utf8_filename_parameter():
 assert 'filename="caf_.png"' in header
 assert "filename*=UTF-8''caf%C3%A9.png" in header
+
+
+def test_view_content_disposition_escapes_path_separators():
+ header = content_disposition_header("nested/image.png", "inline")
+
+ assert 'filename="nested/image.png"' in header
+ assert "filename*=UTF-8''nested%2Fimage.png" in header
diff --git a/utils/http_headers.py b/utils/http_headers.py
index 68195aeec..b949d46af 100644
--- a/utils/http_headers.py
+++ b/utils/http_headers.py
@@ -14,7 +14,7 @@ def content_disposition_header(filename: str, disposition: str) -> str:
 safe_filename = _CONTROL_CHARS_RE.sub("_", filename or "")
 safe_filename = _QUOTED_FILENAME_UNSAFE_RE.sub("_", safe_filename)
 fallback_filename = _NON_ASCII_RE.sub("_", safe_filename)
- encoded_filename = urllib.parse.quote(safe_filename)
+ encoded_filename = urllib.parse.quote(safe_filename, safe="")
 return (
 f'{disposition}; filename="{fallback_filename}"; '
 f"filename*=UTF-8''{encoded_filename}"
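Review bot: The first assertion in test_view_content_disposition_escapes_path_separators pins `filename="nested/image.png"`, so the quoted fallback parameter still carries the path separator; only `filename*` is percent-encoded by the change in utils/http_headers.py. A client that reads the plain `filename` parameter rather than `filename*` therefore still receives a name with a directory component, and not every download client strips it. If that is not intended, replace the separator in the fallback as well, e.g. `fallback_filename = fallback_filename.replace("/", "_")`, and assert `filename="nested_image.png"` here; if it is intended, a comment above the assertion should say so. A case with a backslash in the name would also be worth adding, since the regexes that decide how it is handled are not visible in this patch.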
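Review bot: The `safe=""` argument on the changed `urllib.parse.quote` call has no comment saying why the default is overridden, so a later cleanup could drop it as redundant. quote() leaves `/` unescaped by default, while the `filename*` value allows only a narrow set of literal characters and `/` is not one of them. A line above the call such as `# safe="": "/" must be percent-encoded in filename* (RFC 8187 attr-char)` would record that. content_disposition_header begins above the hunk and its return expression closes below it.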