Closed Bug 155949 Opened 22 years ago Closed 22 years ago

Not compliant to RFC 2231 in parsing http header Content-Disposition

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED DUPLICATE of bug 162765

People

(Reporter: jshin1987, Assigned: bzbarsky)

Details

(Keywords: intl) 

Reference:

http://lxr.mozilla.org/seamonkey/source/xpfe/components/xfer/src/nsStreamTransfer.cpp#108

My reading of this code indicates that Mozilla is not compliant to 
RFC 2231 when parsing Content-Disposition header of HTTP response. 
Without any regard for decoding RFC 2231 encoded value of
filename parameter, Mozilla is blindly  using the value of 
filename parameter (whether it's a plain US-ASCII, a valid RFC 2231-encoded
international - meaning non-ASCII- string, or an ILLEGAL 8bit -
non-ASCII - string).

On the other hand, Mozilla mailnews header parsing code IS compliant to RFC 2231 
(see mimemoz2.cpp file). Something similar to what's been done in
mimemoz2.cpp has to be done for http header parsing as well. 
 
However, fixing this bug would have absolutely NO effect until
bug 62760 is fixed. As of Mozilla 1.0, 'filename' parameter
is completely ignored when Mozilla suggests a filename to
use for saving.
FYI, below is the quote from RFC 2231 (http://www.faqs.org/rfcs/rfc2231.html)
:


4.  Parameter Value Character Set and Language Information

   Some parameter values may need to be qualified with character set or
   language information.  It is clear that a distinguished parameter
   name is needed to identify when this information is present along
   with a specific syntax for the information in the value itself.  In
   addition, a lightweight encoding mechanism is needed to accommodate 8
   bit information in parameter values.

   Asterisks ("*") are reused to provide the indicator that language and
   character set information is present and encoding is being used. A
   single quote ("'") is used to delimit the character set and language
   information at the beginning of the parameter value. Percent signs
   ("%") are used as the encoding flag, which agrees with RFC 2047.

   Specifically, an asterisk at the end of a parameter name acts as an
   indicator that character set and language information may appear at
   the beginning of the parameter value. A single quote is used to
   separate the character set, language, and actual value information in
   the parameter value string, and an percent sign is used to flag
   octets encoded in hexadecimal.  For example:

        Content-Type: application/x-stuff;
         title*=us-ascii'en-us'This%20is%20%2A%2A%2Afun%2A%2A%2A

   Note that it is perfectly permissible to leave either the character
   set or language field blank.  Note also that the single quote
   delimiters MUST be present even when one of the field values is
   omitted.  This is done when either character set, language, or both
   are not relevant to the parameter value at hand.  This MUST NOT be
   done in order to indicate a default character set or language --
   parameter field definitions MUST NOT assign a default character set
   or language.

The relevant part in mimemoz2.cpp is at

http://lxr.mozilla.org/seamonkey/source/mailnews/mime/src/mimemoz2.cpp#369
Depends on: 62760
Keywords: intl
Summary: Not compliant to RFC 2231 in parsing http header → Not compliant to RFC 2231 in parsing http header Content-Disposition
I was wrong to say that this bug depends on 62760. 
Mozilla does understand and take care of filename parameter
when Content-Disposition has US-ASCII only filename parameter
without '*'. That is, the following works well. 

Content-Disposition: attachment; filename=file1.jpg

However, this does not work:

Content-Disposition: attachment; filename*=us-ascii'file1.jpg'
No longer depends on: 62760
RFC 2616(http 1.1) has the following to say about Content-Disposition header:
(http://www.faqs.org/rfcs/rfc2616.html)

------
19.5.1 Content-Disposition

   The Content-Disposition response-header field has been proposed as a
   means for the origin server to suggest a default filename if the user
   requests that the content is saved to a file. This usage is derived
   from the definition of Content-Disposition in RFC 1806 [35].

        content-disposition = "Content-Disposition" ":"
                              disposition-type *( ";" disposition-parm )
        disposition-type = "attachment" | disp-extension-token
        disposition-parm = filename-parm | disp-extension-parm
        filename-parm = "filename" "=" quoted-string
        disp-extension-token = token
        disp-extension-parm = token "=" ( token | quoted-string )

   An example is

        Content-Disposition: attachment; filename="fname.ext"

   The receiving user agent SHOULD NOT respect any directory path
   information present in the filename-parm parameter, which is the only
   parameter believed to apply to HTTP implementations at this time. The
   filename SHOULD be treated as a terminal component only.

   If this header is used in a response with the application/octet-
   stream content-type, the implied suggestion is that the user agent
   should not display the response, but directly enter a `save response
   as...' dialog.

   See section 15.5 for Content-Disposition security issues.
-------------

It does not refer to RFC 2231 but to RFC 1806/2183 where C-D was first defined.
However, it is obvious that
RFC 2231(which specified the way non-ASCII chars. are encoded in parameters
of MIME header) is applicable to C-D header in MIME in general
(because RFC 2231 explicitly updates RFC 2183), which in turn
implies that C-D header in http should follow RFC 2231 as well. 
mailnews/mime/src/mime/mimehdrs.cpp has two functions 
MimeHeaders_get_parameter() and MIME_StripContinuations()
that I need to use in xpfe/components/xfer/src/nsStreamTransfer.cpp,
but it's not clear how to do that without making it dependent on
the entire mailnews or mime module.
adding two in bug 162765 to CC list. 
IMHO, bug 162765 has to be made a duplicate of this. 

-> bz
Assignee: darin → bzbarsky
Dupping the other way, since this bug is littered with information that is
easily available in the RFC...

*** This bug has been marked as a duplicate of 162765 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Needless to say, please do _not_ paste chunks of the RFC into bug 162765.
Verified dupe.
Status: RESOLVED → VERIFIED
QA Contact: tever → junruh
You need to log in before you can comment on or make changes to this bug.