rusackas opened a new pull request, #40632: URL: https://github.com/apache/superset/pull/40632
### SUMMARY The streaming CSV export path reads the export filename from `request.form` and uses it directly in the `Content-Disposition` response header. The generated-name fallback already runs its value through `secure_filename`, but the **user-supplied** path did not — an inconsistent filename-handling posture, with quotes/CRLF in the value relying solely on the framework's header validation. This applies `secure_filename` to the user-supplied filename in `_extract_export_params_from_request`, matching the existing fallback. If sanitization reduces the name to an empty string (e.g. an all-symbol name), it falls back to `None` so the existing generated-default path produces a safe name. ### TESTING INSTRUCTIONS ``` pytest tests/unit_tests/charts/test_chart_data_api.py ``` New tests: a path-traversal/CRLF/quote filename is sanitized (no `/`, `\`, `"`, CR, LF, `..`); a normal `my_export.csv` is preserved; an all-special name falls back to `None`. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration - [ ] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
