Closed Bug 670333 Opened 12 years ago Closed 12 years ago

Content-Disposition parser does not require presence of "=" in params

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla8

People

(Reporter: julian.reschke, Assigned: julian.reschke)

References

(Blocks 1 open bug,
URL
)

Details

Attachments

(1 file, 1 obsolete file)

test case and proposed patch 12 years ago Julian Reschke 4.49 KB, patch	bzbarsky : review+	Details \| Diff \| Splinter Review
proposed patch 12 years ago Julian Reschke 4.66 KB, patch		Details \| Diff \| Splinter Review

Julian Reschke

Assignee

Description

•

12 years ago

When parsing C-D header fields, the code apparently accepts params without no equals characters and tolerates whitespace as well.

Test case at <http://greenbytes.de/tech/tc2231/#attwithfn2231ws1>

Header field:

  Content-Disposition: attachment; filename *=UTF-8''foo-%c3%a4.html

Extracted filename:

  _=UTF-8''foo-%c3%a4.html

which appears to be the next element in the field, with "*" replaced by "_" in order to produce a safe filename.

Julian Reschke

Assignee

Updated

•

12 years ago

Blocks: 609667

Julian Reschke

Assignee

Comment 1

•

12 years ago

Attached patch test case and proposed patch (obsolete) — Details — Splinter Review

test case and mimimal patch; checking that we indeed saw a "=" between name and parameter, otherwise skipping

Attachment #545075 - Flags: review?(bzbarsky)

Boris Zbarsky [:bzbarsky]

Comment 2

•

12 years ago

Comment on attachment 545075 [details] [diff] [review]
test case and proposed patch

Can you also add a test that "filename = foo-A.html" still works?

Also, wouldn't it make sense to make "actual bug" and "sanity check" identical except for the space before '*'?

r=me with those changes.

Attachment #545075 - Flags: review?(bzbarsky) → review+

Julian Reschke

Assignee

Comment 3

•

12 years ago

Attached patch proposed patch — Details — Splinter Review

test cases (improved as suggested by Boris) and proposed patch

Attachment #545075 - Attachment is obsolete: true

Boris Zbarsky [:bzbarsky]

Updated

•

12 years ago

Assignee: nobody → julian.reschke

Keywords: checkin-needed

Boris Zbarsky [:bzbarsky]

Comment 4

•

12 years ago

Thanks!

Pushed http://hg.mozilla.org/integration/mozilla-inbound/rev/5a7b496ddbae

Flags: in-testsuite+

Keywords: checkin-needed

Target Milestone: --- → mozilla8

Mounir Lamouri (:mounir)

Comment 5

•

12 years ago

Merged:
http://hg.mozilla.org/mozilla-central/rev/5a7b496ddbae

Status: NEW → RESOLVED

Closed: 12 years ago

Resolution: --- → FIXED

Julian Reschke

Assignee

Updated

•

12 years ago

OS: Windows 7 → All

Hardware: x86 → All

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Content-Disposition parser does not require presence of "=" in params

Categories

(Core :: Networking, defect)

Tracking

()

People

(Reporter: julian.reschke, Assigned: julian.reschke)

References

(Blocks 1 open bug,
URL
)

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file, 1 obsolete file)

Description

Updated

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Updated