From 53235a602ce45470aa1802651a8193a542e3de75 Mon Sep 17 00:00:00 2001
From: Sergey Konovalov
Date: Wed, 13 Aug 2025 00:59:41 +0300
Subject: [PATCH] [bug] Sanitize Content-Disposition in downloadFile; For bug 76325
---
 DocService/sources/canvasservice.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/DocService/sources/canvasservice.js b/DocService/sources/canvasservice.js
index e456a031..fa410c29 100644
--- a/DocService/sources/canvasservice.js
+++ b/DocService/sources/canvasservice.js
@@ -1774,6 +1774,10 @@ exports.downloadFile = function(req, res) {
 const downloadResult = yield utils.downloadUrlPromise(ctx, url, tenDownloadTimeout, tenDownloadMaxBytes, authorization, isInJwtToken, headers, true);
 const response = downloadResult.response;
 stream = downloadResult.stream;
+ // Sanitize Content-Disposition by removing control chars (prevents CRLF/header injection)
+ if (response.headers['content-disposition']) {
+ response.headers['content-disposition'] = response.headers['content-disposition'].replace(/[\x00-\x1F\x7F]/g, '');
+ }
 //Set-Cookie resets browser session
 delete response.headers['set-cookie'];
 // Set the response headers to match the target response
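Review bot: The control-character strip covers only `content-disposition`, while the trailing context comment (`// Set the response headers to match the target response`) suggests the other upstream headers are still forwarded to the client as received; the copy itself is outside the hunk, so this is inferred. If so, the same filter belongs on every forwarded value, or better an explicit allowlist of headers that are forwarded at all, since the remote server controls all of them, including the disposition type and filename that survive this filter. Within the added lines, `.replace` assumes the value is a string; reading it once and guarding the type, `const cd = response.headers['content-disposition'];` followed by `if (typeof cd === 'string') {`, avoids a throw if the HTTP client ever returns an array for a repeated header. downloadFile starts and ends outside the hunk.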