From da3500284e35c85e5f8509cfd0646786e128cd91 Mon Sep 17 00:00:00 2001
From: Jack Cushman
Date: Thu, 12 Dec 2024 21:32:45 -0500
Subject: [PATCH] fix filename validation for filenames containing '='
---
 src/nabit/lib/backends/url.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nabit/lib/backends/url.py b/src/nabit/lib/backends/url.py
index 90ffe45..8b9cfce 100644
--- a/src/nabit/lib/backends/url.py
+++ b/src/nabit/lib/backends/url.py
@@ -161,7 +161,7 @@ def validate_warc_headers(headers_path: Path, error, warn, success) -> None:
 profile = record.rec_headers.get_header('WARC-Profile')
 if profile.startswith('file-content'): # pragma: no branch
 # extract file path from header 'file-content; filename="..."'
- file_path = profile.split(';')[1].split('=')[1].strip('"')
+ file_path = profile.split(';')[1].split('=', 1)[1].strip('"')
 # normalize path to prevent directory traversal attacks
 safe_path = os.path.normpath('/'+file_path).lstrip('/')
 full_path = data_path / safe_path
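Review bot: The unbounded `profile.split(';')[1]` on the changed line still cuts the filename at its first ';', so a file named `a;b.txt` would be checked as `a` and the validator would look at the wrong path. Assuming `filename` is the only parameter, as the comment above the line suggests, bounding that split as well keeps the whole value: `file_path = profile.split(';', 1)[1].split('=', 1)[1].strip('"')`. The same chain raises IndexError when the header carries no `filename=` parameter; for a validator that may be run on an archive it did not write, reporting that through the `error` callback would probably be better than a traceback. I cannot confirm how `error` is used, because validate_warc_headers starts and ends outside this hunk. A regression test with both ';' and '=' in a filename would pin the two cases.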