From 1808bcdf3424eab0c659ef2d0e85579aab977a1a Mon Sep 17 00:00:00 2001
From: namusyaka
Date: Wed, 23 Nov 2022 22:24:02 +0900
Subject: [PATCH] escape filename in the Content-Disposition header

According the multipart form data spec in WHATWG living standard.
Ref: https://html.spec.whatwg.org/#multipart-form-data
Origin: https://github.com/sinatra/sinatra/commit/1808bcdf3424eab0c659ef2d0e85579aab977a1a
---
 test/helpers_test.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/test/helpers_test.rb b/test/helpers_test.rb
index 463a21d..7201aab 100644
--- a/test/helpers_test.rb
+++ b/test/helpers_test.rb
@@ -781,6 +781,18 @@ class HelpersTest < Minitest::Test
 assert_equal '', body
 end
+ it 'escapes filename in the Content-Disposition header according to the multipart form data spec in WHATWG living standard' do
+ mock_app do
+ get('/attachment') do
+ attachment "test.xml\";\r\next=.txt"
+ response.write("")
+ end
+ end
+
+ get '/attachment'
+ assert_equal 'attachment; filename="test.xml%22;%0D%0Aext=.txt"', response['Content-Disposition']
+ assert_equal '', body
+ end
 end
 describe 'send_file' do
--
2.47.0
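Review bot: The added `it 'escapes filename …'` case asserts escaping that this patch does not itself contain: the diffstat lists only test/helpers_test.rb, so the change to the `attachment` helper presumably arrives in a separate patch, and without it the `assert_equal` on `response['Content-Disposition']` fails and the header value stays unescaped. The single combined input also hides which character regressed, so consider one case each for `\"`, `\r` and `\n`. An invariant check such as `refute_match(/[\r\n]/, response['Content-Disposition'])` would additionally catch a raw line break in the header value whatever the exact encoding. The enclosing `describe` block opens before the hunk, so its name and sibling cases are not visible here.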