From 54cbb4e64297d68ff6c9ef3fe03c283448e3533f Mon Sep 17 00:00:00 2001 From: David Lord Date: Thu, 27 Jun 2019 07:55:22 -0700 Subject: [PATCH] send_file quotes ":/" in UTF-8 filename --- CHANGES.rst | 2 ++ flask/helpers.py | 2 +- tests/test_helpers.py | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES.rst b/CHANGES.rst index c92b384e..e1a3a9e0 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -8,6 +8,8 @@ Unreleased - The key information for ``BadRequestKeyError`` is no longer cleared outside debug mode, so error handlers can still access it. This requires upgrading to Werkzeug 0.15.5. :issue:`3249` +- ``send_file`` url quotes the ":" and "/" characters for more + compatible UTF-8 filename support in some browsers. :issue:`3074` Version 1.0.3 diff --git a/flask/helpers.py b/flask/helpers.py index c71ce3d8..f1eaa8e4 100644 --- a/flask/helpers.py +++ b/flask/helpers.py @@ -576,7 +576,7 @@ def send_file(filename_or_fp, mimetype=None, as_attachment=False, filenames = { 'filename': unicodedata.normalize( 'NFKD', attachment_filename).encode('ascii', 'ignore'), - 'filename*': "UTF-8''%s" % url_quote(attachment_filename), + 'filename*': "UTF-8''%s" % url_quote(attachment_filename, safe=b""), } else: filenames = {'filename': attachment_filename} diff --git a/tests/test_helpers.py b/tests/test_helpers.py index b2542d0e..d6a023e7 100644 --- a/tests/test_helpers.py +++ b/tests/test_helpers.py @@ -646,6 +646,8 @@ class TestSendfile(object): (u'Vögel.txt', 'Vogel.txt', 'V%C3%B6gel.txt'), # Native string not marked as Unicode on Python 2 ('tést.txt', 'test.txt', 't%C3%A9st.txt'), + # ":/" are not safe in filename* value + (u"те:/ст", '":/"', "%D1%82%D0%B5%3A%2F%D1%81%D1%82"), )) def test_attachment_filename_encoding(self, filename, ascii, utf8): rv = flask.send_file('static/index.html', as_attachment=True, attachment_filename=filename)