Download content-disposition filename is not quoted
The download service does not quote or escape the content-disposition filename field. This means any filenames with special characters will not be given the correct filename by the web browser.
For example, downloading a file "My file.txt" will produce the response header:
The browser (at least Firefox) ignores everything after the space, so it just saves the file as "My".
I also managed to inject HTTP headers with this, by calling a file "test.pdf\
But I don't consider this to be a security vulnerability since it only works on the private Download link (The public Serve does not attempt to set content-disposition at all).
According to RFC 2183, it needs to be escaped with the quoting mechanism specified in RFC 2231 (which obsoletes 2184). I haven't found any way to do it (with a library) in Python, and people have said that browsers apparently don't all support 2184/2231. Maybe just drop the content-disposition header altogether?
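The pattern below is an added example (not code from the reporter or from the download service) of how the header can be built safely in Python, using only the standard library. It emits an RFC 2616 quoted-string `filename` as the ASCII fallback and, only when the name contains non-ASCII characters, an additional RFC 5987 / RFC 2231 style `filename*` ext-value; RFC 6266 specifies that browsers which understand `filename*` prefer it and the rest fall back to `filename`, which sidesteps the uneven browser support the report worries about. It also refuses CR/LF and other control characters outright, which is what closes the header-injection case. The function names, the `disposition` parameter and the sample filenames are my own assumptions; the input is assumed to already be a bare file name (path-separator stripping is a separate concern).

```python
import re
from urllib.parse import quote

# Anything outside printable ASCII (0x20-0x7E) cannot go into the plain
# quoted-string fallback and is replaced there.
_NON_ASCII_RE = re.compile(r"[^\x20-\x7e]")


def unsafe_content_disposition(filename: str) -> str:
    """The pattern the report describes: the name is interpolated verbatim.

    "My file.txt" becomes  attachment; filename=My file.txt   (saved as "My"),
    and a name containing "\\r\\n" splits the header into two header lines.
    """
    return f"attachment; filename={filename}"


def safe_content_disposition(filename: str, disposition: str = "attachment") -> str:
    """Build a Content-Disposition value that browsers parse as intended.

    Raises ValueError instead of silently stripping control characters, so a
    caller cannot accidentally ship a name that would terminate the header.
    """
    if disposition not in ("attachment", "inline"):
        raise ValueError("disposition must be 'attachment' or 'inline'")
    # 1. Control characters (including CR and LF) never belong in a header
    #    value; CR/LF would start a new header line (header injection).
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in filename):
        raise ValueError("control characters are not allowed in a filename")
    if not filename:
        raise ValueError("filename must not be empty")
    # 2. ASCII fallback as an RFC 2616 quoted-string: backslash and double
    #    quote are backslash-escaped; non-ASCII characters are replaced.
    ascii_name = _NON_ASCII_RE.sub("_", filename)
    quoted = ascii_name.replace("\\", "\\\\").replace('"', '\\"')
    params = [f'filename="{quoted}"']
    # 3. If the fallback lost information, add the RFC 5987 / RFC 2231
    #    ext-value: charset, empty language, then percent-encoded UTF-8.
    #    safe="" makes quote() encode every reserved character, including
    #    the "*", "'" and "%" that RFC 5987 excludes from attr-char.
    if ascii_name != filename:
        params.append("filename*=UTF-8''" + quote(filename, safe=""))
    return f"{disposition}; " + "; ".join(params)


def header_line_count(header_value: str) -> int:
    """Number of header lines a raw value would occupy on the wire (1 is correct)."""
    return header_value.count("\r\n") + 1


# Constructed sample names (not from the report): the report's own example,
# one with quote and backslash, one non-ASCII, one attempting header injection.
SAMPLE_NAMES = [
    "My file.txt",
    'a"b\\c.txt',
    "résumé.pdf",
    "test.pdf\r\nX-Injected: 1",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        unsafe = unsafe_content_disposition(name)
        print(f"unsafe ({header_line_count(unsafe)} line(s)): {unsafe!r}")
        try:
            print(f"safe: {safe_content_disposition(name)!r}")
        except ValueError as exc:
            print(f"safe: rejected ({exc})")
```

Rejecting control characters rather than stripping them is deliberate: a name such as `test.pdf\r\nX-Injected: 1` reaching this function means something upstream already accepted attacker-controlled bytes, and failing loudly is the better signal than quietly serving a renamed file.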