Improper handling of filenames in Content-Disposition HTTP header in github.com/gin-gonic/gin
Description
The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different from the one provided. A maliciously crafted attachment file name can modify the Content-Disposition header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/gin-gonic/gin (Go) | >= 1.3.1-0.20190301021747-ccb9e902956d, < 1.9.1 | 1.9.1 |
Affected products
- ghsa-coords: Range >= 1.3.1-0.20190301021747-ccb9e902956d, < 1.9.1
- github.com/gin-gonic/gin (v5 record): Range 1.3.1-0.20190301021747-ccb9e902956d
Patches
Vulnerability mechanics
Root cause
"Missing escaping of double-quote and backslash characters in the filename parameter when constructing the Content-Disposition header in FileAttachment."
Attack vector
An attacker who can control the filename parameter passed to `Context.FileAttachment` can inject double-quote characters to break out of the intended filename value in the `Content-Disposition` header. For example, a filename like `"setup.bat";x=.txt"` causes the header to be sent with `filename="setup.bat"`, making the downloaded file appear as `setup.bat` instead of the full malicious string. This can trick users into opening a file they believe is a harmless `.txt` file when it is actually a `.bat` script. No authentication is required if the application exposes a file-download endpoint that accepts user-supplied filenames.
Affected code
The vulnerability is in the `FileAttachment` method in `context.go`. When the filename is ASCII, the code directly concatenates the user-supplied filename into the `Content-Disposition` header without escaping special characters such as double quotes or backslashes. The patch introduces an `escapeQuotes` helper function and a `quoteEscaper` replacer to properly escape backslashes and double quotes before insertion into the header.
What the fix does
The patch adds a `quoteEscaper` using `strings.NewReplacer` that replaces backslashes with `\\` and double quotes with `\"`. A new `escapeQuotes` function applies this replacer to the filename string. In `FileAttachment`, the ASCII branch now wraps the filename with `escapeQuotes(filename)` instead of using the raw filename. This prevents an attacker from injecting double-quote characters to alter the `Content-Disposition` header structure. The test in `context_test.go` confirms that a malicious filename like `tampering_field.sh"; \"; dummy=.go` is properly escaped to `tampering_field.sh\"; \\\"; dummy=.go`.
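The following is an added example, not code from the gin project or from this advisory: it reproduces the header construction of the unpatched and patched ASCII branches side by side, using the page's `quoteEscaper` / `escapeQuotes` definitions, and parses the result with Go's standard `mime.ParseMediaType` to show how a strict client reads each header. The `vulnerableDisposition`, `fixedDisposition` and `clientFilename` function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// quoteEscaper mirrors the patch: `\` becomes `\\` and `"` becomes `\"`, so a
// filename can never close the quoted-string and append its own parameters.
var quoteEscaper = strings.NewReplacer(`\`, `\\`, `"`, `\"`)

func escapeQuotes(s string) string { return quoteEscaper.Replace(s) }

// vulnerableDisposition builds the header the way the unpatched ASCII branch
// did: the raw filename is concatenated straight into the quoted-string.
func vulnerableDisposition(filename string) string {
	return `attachment; filename="` + filename + `"`
}

// fixedDisposition builds the header the way the patched ASCII branch does.
// (gin's separate non-ASCII code path is not modelled here.)
func fixedDisposition(filename string) string {
	return `attachment; filename="` + escapeQuotes(filename) + `"`
}

// clientFilename parses the header with Go's strict parameter parser and
// returns the filename a client would use for the download. A header whose
// quoted-string has been broken out of fails to parse here; lenient clients
// instead stop at the injected quote, which is how "setup.bat" becomes the
// saved name in the advisory's example.
func clientFilename(header string) (string, error) {
	_, params, err := mime.ParseMediaType(header)
	if err != nil {
		return "", err
	}
	return params["filename"], nil
}

func main() {
	name := `setup.bat";x=.txt` // constructed from the advisory's example
	fmt.Println(vulnerableDisposition(name)) // attachment; filename="setup.bat";x=.txt"
	fmt.Println(fixedDisposition(name))      // attachment; filename="setup.bat\";x=.txt"
}
```

The patched header round-trips through the parser to the exact filename that was passed in, including for the `tampering_field.sh"; \"; dummy=.go` vector from the project's test.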
Preconditions
- Input: the application must call Context.FileAttachment with a filename derived from untrusted user input (e.g., query parameter, form field, or header).
- Input: the filename must consist only of ASCII characters (non-ASCII filenames use a different code path and are not affected).
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References