From 7e6b9a503726920bda2ea8a6a8e45f7e83f9351a Mon Sep 17 00:00:00 2001
From: Karolina Przerwa
Date: Wed, 1 Nov 2023 18:29:55 +0100
Subject: [PATCH] files: set url-escaped filename content disposition
---
 site/zenodo_rdm/files.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/site/zenodo_rdm/files.py b/site/zenodo_rdm/files.py
index b4725c28..3e760079 100644
--- a/site/zenodo_rdm/files.py
+++ b/site/zenodo_rdm/files.py
@@ -9,7 +9,7 @@
 
 import mimetypes
 import unicodedata
-from urllib.parse import urlsplit, urlunsplit
+from urllib.parse import quote, urlsplit, urlunsplit
 
 import requests
 from flask import current_app, make_response, request
@@ -104,15 +104,18 @@ def send_file(
         try:
             filenames = {"filename": filename.encode("latin-1")}
         except UnicodeEncodeError:
-            filenames = {"filename*": "UTF-8''%s" % url_quote(filename)}
+            # safe = RFC 5987 attr-char
+            quoted = quote(filename, safe="!#$&+-.^_`|~")
+
+            filenames = {"filename*": "UTF-8''%s" % quoted}
         encoded_filename = unicodedata.normalize("NFKD", filename).encode(
             "latin-1", "ignore"
         )
         if encoded_filename:
             filenames["filename"] = encoded_filename
-        response.headers.add("Content-Disposition", "attachment", **filenames)
+        response.headers.set("Content-Disposition", "attachment", **filenames)
     else:
-        response.headers.add("Content-Disposition", "inline")
+        response.headers.set("Content-Disposition", "inline")
 
     # Security-related headers for the download (from invenio-files-rest)
     response.headers["Content-Security-Policy"] = "default-src 'none';"
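Review bot: The new `response.headers.set("Content-Disposition", "attachment", **filenames)` line still forwards the raw `filename.encode("latin-1")` bytes (and the NFKD `encoded_filename` fallback) as the plain `filename` parameter, so only the `filename*` branch is sanitised by the new `quote()` call; characters such as `"`, `;` or CR/LF in a user-supplied filename reach the header value and the code relies on werkzeug's option-header quoting (and its newline rejection) to keep the header well-formed. That reliance is worth stating next to the call, e.g. `# filename bytes are quoted/escaped by werkzeug when the header is serialised; filename* is already percent-encoded (RFC 5987)`, or worth replacing with an explicit rejection of control characters before the latin-1 encoding. Separately, werkzeug 3.0 formats header option values with `str()` instead of decoding bytes, which would turn the latin-1 `filename` value into a `b'...'` literal — confirm against the pinned werkzeug version, since the latin-1 branch is unchanged by this commit. The enclosing `send_file` body and the `if`/`else` around the attachment branch start above the hunk.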