rusackas commented on code in PR #40658:
URL: https://github.com/apache/superset/pull/40658#discussion_r3338264199
##########
superset/views/base.py:
##########
@@ -141,7 +141,9 @@
def json_success(json_msg: str, status: int = 200) -> FlaskResponse:
- return Response(json_msg, status=status, mimetype="application/json")
+ return Response(
+ json_msg, status=status, content_type="application/json; charset=utf-8"
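Review bot: the switch from mimetype= to content_type= in json_success carries no explanation in this hunk, unlike the charts/data/api.py change in the same PR, which comments on why content_type is needed; add a matching one-line comment here (Werkzeug only appends a charset automatically for text/* mimetypes passed via mimetype=, so application/json needs the charset set explicitly via content_type=). Stating that also makes clear the two hunks are fixing the same header-construction issue rather than two unrelated ones.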
Review Comment:
The CodeQL alert links to code-scanning finding 2461, which tracks stack
trace flow in views/base.py. This is a pre-existing finding not introduced by
this PR (the PR modifies content_type/charset handling, not error propagation
in base.py). Will check the linked finding to confirm whether this PR triggered
it or it predates this change.
##########
superset/charts/data/api.py:
##########
@@ -747,7 +747,10 @@ def _create_streaming_csv_response(
# Create response with streaming headers
response = Response(
csv_generator_callable(), # Call the callable to get generator
- mimetype=f"text/csv; charset={encoding}",
+ # Use content_type (not mimetype) so the charset is set verbatim;
+ # passing a charset via mimetype makes Werkzeug append a second
+ # charset, producing a malformed doubled Content-Type header.
+ content_type=f"text/csv; charset={encoding}",
headers={
"Content-Disposition": f'attachment; filename="(unknown)"',
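Review bot: the new comment says the charset is "set verbatim", which means whatever `encoding` holds reaches the Content-Type header unchanged; if `encoding` can come from configuration or the request rather than a fixed set of codec names, validate it before building the header (e.g. `codecs.lookup(encoding)` and fall back to utf-8 on LookupError) so a bad value cannot produce a malformed header of the kind this hunk is trying to remove. The Content-Disposition value on the last context line is likewise an f-string; the review thread says secure_filename is applied at the extraction site, so a short comment at this site pointing to that sanitization would save the next reader the same question.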
Review Comment:
The PR already calls secure_filename(filename) at the extraction site (see
the hunk in charts/data/api.py at line 620). This comment appears to have been
posted before the most recent push that added that sanitization.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]