fix(server): Remove RFC 2616 separator chars from Content-Disposition filename (#291)

2025-10-22 22:02:00 +00:00 · 2025-10-20 10:49:46 -03:00
parent 4ff1eb28d9
commit ab5ea156a3
2 changed files with 32 additions and 8 deletions
--- a/apps/server/src/modules/filesystem/controller.ts
+++ b/apps/server/src/modules/filesystem/controller.ts
@@ -12,6 +12,20 @@ export class FilesystemController {
  private chunkManager = ChunkManager.getInstance();
  private memoryManager = DownloadMemoryManager.getInstance();

+  /**
+   * Check if a character is valid in an HTTP token (RFC 2616)
+   * Tokens can contain: alphanumeric and !#$%&'*+-.^_`|~
+   * Must exclude separators: ()<>@,;:\"/[]?={} and space/tab
+   */
+  private isTokenChar(char: string): boolean {
+    const code = char.charCodeAt(0);
+    // Basic ASCII range check
+    if (code < 33 || code > 126) return false;
+    // Exclude separator characters per RFC 2616
+    const separators = '()<>@,;:\\"/[]?={} \t';
+    return !separators.includes(char);
+  }
+
  private encodeFilenameForHeader(filename: string): string {
    if (!filename || filename.trim() === "") {
      return 'attachment; filename="download"';
@@ -36,12 +50,10 @@ export class FilesystemController {
      return 'attachment; filename="download"';
    }

+    // Create ASCII-safe version with only valid token characters
    const asciiSafe = sanitized
      .split("")
-      .filter((char) => {
-        const code = char.charCodeAt(0);
-        return code >= 32 && code <= 126;
-      })
+      .filter((char) => this.isTokenChar(char))
      .join("");

    if (asciiSafe && asciiSafe.trim()) {
--- a/apps/server/src/providers/s3-storage.provider.ts
+++ b/apps/server/src/providers/s3-storage.provider.ts
@@ -14,6 +14,20 @@ export class S3StorageProvider implements StorageProvider {
    }
  }

+  /**
+   * Check if a character is valid in an HTTP token (RFC 2616)
+   * Tokens can contain: alphanumeric and !#$%&'*+-.^_`|~
+   * Must exclude separators: ()<>@,;:\"/[]?={} and space/tab
+   */
+  private isTokenChar(char: string): boolean {
+    const code = char.charCodeAt(0);
+    // Basic ASCII range check
+    if (code < 33 || code > 126) return false;
+    // Exclude separator characters per RFC 2616
+    const separators = '()<>@,;:\\"/[]?={} \t';
+    return !separators.includes(char);
+  }
+
  /**
   * Safely encode filename for Content-Disposition header
   */
@@ -41,12 +55,10 @@ export class S3StorageProvider implements StorageProvider {
      return 'attachment; filename="download"';
    }

+    // Create ASCII-safe version with only valid token characters
    const asciiSafe = sanitized
      .split("")
-      .filter((char) => {
-        const code = char.charCodeAt(0);
-        return code >= 32 && code <= 126;
-      })
+      .filter((char) => this.isTokenChar(char))
      .join("");

    if (asciiSafe && asciiSafe.trim()) {