From 1388ea151f8539e143c084dde8b668960ebde356 Mon Sep 17 00:00:00 2001
From: Arash
Date: Wed, 20 Nov 2024 13:01:59 +0100
Subject: [PATCH] Sanitize filenames in toContentDisposition function to ensure valid characters are used
---
 lib/galaxy/util/__init__.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/galaxy/util/__init__.py b/lib/galaxy/util/__init__.py
index f0c1938f3021..e8ce53de1b61 100644
--- a/lib/galaxy/util/__init__.py
+++ b/lib/galaxy/util/__init__.py
@@ -2010,5 +2010,6 @@ def lowercase_alphanum_to_hex(lowercase_alphanum: str) -> str:
 def toContentDisposition(filename: str) -> str:
+ sanitized_filename = "".join(c in FILENAME_VALID_CHARS and c or "_" for c in filename)[0:150]
 utf8_encoded_filename = quote(filename, safe="")
- return f"attachment; filename=\"{utf8_encoded_filename}\"; filename*=UTF-8''{utf8_encoded_filename}"
+ return f"attachment; filename=\"{sanitized_filename}\"; filename*=UTF-8''{utf8_encoded_filename}"
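Review bot: The quoted `filename=` parameter on the new return line now carries raw characters instead of the percent-encoded form, so the header stays well-formed only as long as `FILENAME_VALID_CHARS` excludes `"`, `\`, CR and LF; that constant is defined outside this hunk, so I cannot confirm it from here. I would record the invariant next to the new line, e.g. `# filename= is a quoted-string: FILENAME_VALID_CHARS must not contain '"', backslash, CR or LF`, and ideally pin it with a unit test. The `c in FILENAME_VALID_CHARS and c or "_"` idiom works only because a single character is always truthy; `c if c in FILENAME_VALID_CHARS else "_"` says the same thing without that dependency. The `[0:150]` slice also cuts from the end, so a name longer than 150 characters loses its extension in the ASCII fallback, which a client that ignores `filename*` would then save untyped.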