rusackas commented on code in PR #40632:
URL: https://github.com/apache/superset/pull/40632#discussion_r3345943735
##########
superset/charts/data/api.py:
##########
@@ -616,6 +616,13 @@ def _get_data_response(
def _extract_export_params_from_request(self) -> tuple[str | None, int |
None]:
"""Extract filename and expected_rows from request for streaming
exports."""
filename = request.form.get("filename")
+ if filename:
+ # Sanitize the user-supplied filename before it is used in the
+ # Content-Disposition header (consistent with the generated-name
+ # path). secure_filename may reduce a name consisting entirely of
+ # unsupported characters to an empty string, in which case fall
back
+ # to the generated default downstream.
+ filename = secure_filename(filename) or None
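Review bot: the new branch calls `secure_filename`, but no import for it appears in this hunk; confirm `from werkzeug.utils import secure_filename` is already present at the top of `superset/charts/data/api.py`, otherwise the `if filename:` path raises a NameError the first time a client actually sends a filename. The comment could also state what the sanitizer does beyond "unsupported characters": after NFKD normalisation it discards every non-ASCII character, swaps whitespace and path separators for `_`, and strips leading `.`/`_`, so a name like `报表.csv` reaches the header as `csv` rather than being rejected, and a name with no Latin letters at all becomes the generated default via `or None`. If localised export names matter, an RFC 6266 `filename*` parameter would keep them while still keeping CR, LF and `"` out of the header.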
Review Comment:
Good catch — fixed. The same `secure_filename` guard is now applied to the
user-supplied filename in `SqlLabRestApi._create_streaming_csv_response`
(`superset/sqllab/api.py`), so the SQL Lab streaming CSV export no longer
passes a raw `request.form` filename into the Content-Disposition header. Added
unit tests covering sanitization, a normal name, and the empty-result fallback.
This PR now closes the export-filename gap on both the chart data API and SQL
Lab paths.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]