Closed Bug 345776 Opened 18 years ago Closed 18 years ago

Content-Disposition not compliant with RFC-2183 in multipart/form-data POSTs

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
1.8 Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 136676

People

(Reporter: gavin, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.0.4) Gecko/20060707 Firefox/1.5.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.0.4) Gecko/20060707 Firefox/1.5.0.4

I was working on some file upload code, and discovered that file names are not represented correctly in the Content-Disposition headers that Firefox submits.
 
For example, when I try uploading a file called: 
 
   foo;fred" 
 
using the following HTML: 
 
<form action="/upload" method="POST" enctype="multipart/form-data"> 
  <input type="file" name="file"> 
  <input type="submit"> 
</form> 
 
I get the following multipart data: 

-----------------------------12146510031563822751430186916
Content-Disposition: form-data; name="file"; filename="foo;fred""
Content-Type: application/octet-stream


-----------------------------12146510031563822751430186916--
 
Notice that the filename field (and probably any subsequent field) is now difficult or impossible to parse reliably, and is not compliant with RFC-2183 (see page 2, 'NOTE ON PARAMETER VALUE LENGHTS'). 
 
(RFC-2183 references RFC-2045 and RFC-2184. See section 5.1 of RFC-2043 for the definitions of token and tspecials.) 
 
Incidentally, Konqueror in KDE 3.5.2 has the same problem (and, unsurprisingly, so does Safari). In Opera 9.00, you can select the file, but when the form is submitted it says it can't find the file, which suggests some ugly path handling issues in Opera. If you play around with quotes and semi-colons in Opera you'll find lots more bugs.

I have also posted this bug to the KDE Bugzilla as bug 131317 in Konqueror:

  http://bugs.kde.org/show_bug.cgi?id=131317


Reproducible: Always

Steps to Reproduce:
Use a form like this one to upload a file with semi-colons or double-quotes or something else that most people think can't or shouldn't be in a filename:

<form action="/upload" method="POST" enctype="multipart/form-data"> 
  <input type="file" name="file"> 
  <input type="submit"> 
</form> 

Submit the form and capture the exchange, perhaps with Ethereal.
Actual Results:  
...
Content-Disposition: form-data; name="file"; filename="ugly;but;valid;filename""
...

Expected Results:  
Encoded the filename value using the procedures in RFC-2184.
Assignee: nobody → form-submission
Component: General → HTML: Form Submission
Product: Firefox → Core
QA Contact: general → ian
Version: unspecified → 1.8 Branch

*** This bug has been marked as a duplicate of 136676 ***
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Component: HTML: Form Submission → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.