From 2b0afc348e9e0ee5fd6aefb697454f60d0575c5b Mon Sep 17 00:00:00 2001
From: Nicholas Tindle
Date: Wed, 28 Jan 2026 02:10:30 -0600
Subject: [PATCH] fix(workspace): use sanitized filename for non-ASCII Content-Disposition
The RFC5987 encoding path was using the original filename instead of the sanitized version, bypassing CR/LF/null byte removal.
Co-Authored-By: Claude Opus 4.5
---
 .../backend/backend/api/features/workspace/routes.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/autogpt_platform/backend/backend/api/features/workspace/routes.py b/autogpt_platform/backend/backend/api/features/workspace/routes.py
index 9e2ee54e59..4d02c1f850 100644
--- a/autogpt_platform/backend/backend/api/features/workspace/routes.py
+++ b/autogpt_platform/backend/backend/api/features/workspace/routes.py
@@ -33,7 +33,7 @@ def _sanitize_filename_for_header(filename: str) -> str:
 return f'attachment; filename="{sanitized}"'
 except UnicodeEncodeError:
 # Use RFC5987 encoding for UTF-8 filenames
- encoded = quote(filename, safe="")
+ encoded = quote(sanitized, safe="")
 return f"attachment; filename*=UTF-8''{encoded}"
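Review bot: `quote(sanitized, safe="")` now feeds the RFC 5987 branch the same value that the ASCII branch places inside a quoted-string (`filename="{sanitized}"`), and those two contexts need different treatment. The sanitising code sits above this hunk, so this is unverified, but if `sanitized` carries any quoted-string escaping (for example backslash-escaped quotes), `quote()` will percent-encode the backslashes and clients will show them in the saved filename. Consider keeping a value with only the control characters removed for `quote()` and applying quote escaping only in the ASCII branch, e.g. `encoded = quote(stripped, safe="")`, where `stripped` is an illustrative name for the CR/LF/NUL-stripped string. The commit touches one file and adds no test; a case with a non-ASCII name containing CR/LF would pin the fixed behaviour.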