Incorrect quoting in Content-Disposition headers? #520

Closed
catlee opened this issue Sep 22, 2015 · 6 comments

catlee commented Sep 22, 2015

I'm having a hard time grokking the various RFCs, but I just came across a service that refused to parse Content-Disposition lines like this:

CONTENT-DISPOSITION: form-data; name=file; filename="upload.gpx"; filename*=utf-8''upload.gpx

But accepted this:

CONTENT-DISPOSITION: form-data; name="file"; filename="upload.gpx"; filename*=utf-8''upload.gpx

The only difference being the quoting of the name parameter. Is aiohttp doing the right thing here? Is there a way to force quoting to happen?


kxepal commented Sep 22, 2015

According to the spec:

     content-disposition = "Content-Disposition" ":"
                           disposition-type *( ";" disposition-parm )
     disposition-type = "attachment" | disp-extension-token
     disposition-parm = filename-parm | disp-extension-parm
     filename-parm = "filename" "=" quoted-string
     disp-extension-token = token
     disp-extension-parm = token "=" ( token | quoted-string )

Where token is:

    token          = 1*<any CHAR except CTLs or separators>
    separators     = "(" | ")" | "<" | ">" | "@"
                   | "," | ";" | ":" | "\" | <">
                   | "/" | "[" | "]" | "?" | "="
                   | "{" | "}" | SP | HT

So name=file satisfies the requirement to be a disp-extension-parm, since both name and file are valid tokens.


kxepal commented Sep 22, 2015

We can enforce quoting, however. It shouldn't cause any harm. But suddenly, you cannot enforce it without a patch.

With what service do you have such a problem, btw?


catlee commented Sep 22, 2015

This is with Strava's upload API. I posted to their developer support forum as well:
https://groups.google.com/forum/#!topic/strava-api/onA_ANTsPY4

@asvetlov

BTW SimpleCookie starting from Python 3.5 enforces quoting for cookie names

asvetlov added a commit that referenced this issue Nov 23, 2015
(#520) Always quote params for Content-Disposition
@asvetlov

Fixed by #641

@asvetlov asvetlov added this to the 0.19 milestone Nov 23, 2015
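An added example, not aiohttp's own code: a sketch of the token versus quoted-string rule from the grammar quoted in this thread, and of the always-quote behaviour named in the fix commit. The function names and the `always_quote` flag are assumptions made for illustration.

```python
import re

# RFC 2616 separators as quoted in the thread; CTLs are octets 0-31 and 127.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')
CTL = re.compile(r'[\x00-\x1f\x7f]')

def is_token(value: str) -> bool:
    """True if value is a non-empty token: ASCII, no CTLs, no separators."""
    return (bool(value) and value.isascii()
            and not CTL.search(value) and not set(value) & SEPARATORS)

def quote(value: str) -> str:
    """Render value as a quoted-string, escaping backslash and double quote."""
    if CTL.search(value):
        # Conservative: refuse every CTL. CR/LF in particular would end the
        # header line and let the value start a new header.
        raise ValueError("control character in parameter value")
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'

def content_disposition(disptype: str, always_quote: bool = True,
                        **params: str) -> str:
    """Build a Content-Disposition header value.

    always_quote=False emits bare tokens where the grammar allows them
    (the form the strict server in this issue rejected); always_quote=True
    quotes every value, which the grammar also allows.
    """
    if not is_token(disptype):
        raise ValueError("disposition type must be a token")
    parts = [disptype]
    for key, val in params.items():
        if not is_token(key):
            raise ValueError(f"parameter name {key!r} is not a token")
        # filename-parm is defined as quoted-string only, so it is always quoted.
        if always_quote or key.lower() == "filename" or not is_token(val):
            parts.append(f"{key}={quote(val)}")
        else:
            parts.append(f"{key}={val}")
    return "; ".join(parts)

if __name__ == "__main__":
    # Constructed inputs mirroring the two headers in the issue (without filename*).
    print(content_disposition("form-data", always_quote=False,
                              name="file", filename="upload.gpx"))
    print(content_disposition("form-data", name="file", filename="upload.gpx"))
```
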

lock bot commented Oct 29, 2019

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there are important points made in this discussion,
please include those excerpts into that new issue.

@lock lock bot added the outdated label Oct 29, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Oct 29, 2019