Fix Content-Disposition header injection in GetObject (G4brym#145)

G4brym · claude · web-flow · commit c936027e8e1d · 2026-03-09T13:01:35.000Z
* Fix Content-Disposition header injection in GetObject

The filename in the Content-Disposition header was interpolated
directly without sanitization. Filenames containing double quotes
could break header parsing or enable header injection.

This fix:
- Strips non-ASCII characters and replaces double quotes in the
  ASCII `filename` parameter for compatibility
- Adds RFC 5987 `filename*` parameter with proper UTF-8 percent
  encoding, matching the approach used in getShareLink.ts

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Fix CI: update test for new Content-Disposition format and add changeset

- Update GetObject test to expect the sanitized filename with RFC 5987
  filename* parameter added by the header injection fix
- Add required changeset for the patch release

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.changeset/fix-content-disposition-injection.md b/.changeset/fix-content-disposition-injection.md
@@ -0,0 +1,5 @@
+---
+"r2-explorer": patch
+---
+
+Fix Content-Disposition header injection in GetObject by sanitizing filenames (replacing non-ASCII with `_` and double quotes with `'`) and adding RFC 5987 `filename*=UTF-8''...` parameter for proper Unicode support.
diff --git a/packages/worker/src/modules/buckets/getObject.ts b/packages/worker/src/modules/buckets/getObject.ts
@@ -57,9 +57,14 @@ export class GetObject extends OpenAPIRoute {
 		object.writeHttpMetadata(headers);
 		headers.set("etag", object.httpEtag);
 		headers.set("content-length", object.size.toString());
+
+		const fileName = filePath.split("/").pop() || "download";
+		const asciiFileName = fileName
+			.replace(/[^\x20-\x7E]/g, "_")
+			.replace(/"/g, "'");
 		headers.set(
 			"Content-Disposition",
-			`attachment; filename="${filePath.split("/").pop()}"`,
+			`attachment; filename="${asciiFileName}"; filename*=UTF-8''${encodeURIComponent(fileName)}`,
 		);
 
 		return new Response(object.body, {
diff --git a/packages/worker/tests/integration/object.test.ts b/packages/worker/tests/integration/object.test.ts
@@ -147,8 +147,8 @@ describe("Object Specific Endpoints", () => {
 			expect(response.headers.get("content-type")).toBe(TEST_OBJECT_CONTENT_TYPE);
 			expect(response.headers.get("content-length")).toBe(TEST_OBJECT_CONTENT.length.toString());
 			expect(response.headers.has("etag")).toBe(true);
-			// Default R2 GetObject includes Content-Disposition: attachment; filename="key"
-			expect(response.headers.get("content-disposition")).toBe(`attachment; filename="${TEST_OBJECT_KEY}"`);
+			// Default R2 GetObject includes Content-Disposition with sanitized filename and RFC 5987 filename*
+			expect(response.headers.get("content-disposition")).toBe(`attachment; filename="${TEST_OBJECT_KEY}"; filename*=UTF-8''${encodeURIComponent(TEST_OBJECT_KEY)}`);
 
 			const body = await response.text();
 			expect(body).toBe(TEST_OBJECT_CONTENT);

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"r2-explorer": patch
 +---
++
 +Fix Content-Disposition header injection in GetObject by sanitizing filenames (replacing non-ASCII with `_` and double quotes with `'`) and adding RFC 5987 `filename*=UTF-8''...` parameter for proper Unicode support.