Escape quotes in filename in ContentDisposition.Builder when charset not specified
The filename, when specified without a charset, is quoted but not checked for the presence of any unquoted " characters. We should check for those and turn them into a quoted-pair.
Issue Analytics
- State:
- Created 4 years ago
- Comments:6 (3 by maintainers)
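The escaping requested in the issue, sketched as an added example (not code from the issue or from Spring Framework): it builds the header with and without escaping, then reads the filename back the way a quoted-string parser would. The class and method names are hypothetical, the sample filenames are constructed, and leaving already-escaped quotes alone and dropping a lone trailing backslash are assumptions about what "unquoted" should cover.

```java
public class QuotedFilenameExample {

    // Escape for an HTTP quoted-string: a '"' not preceded by an unpaired
    // backslash becomes the quoted-pair \" ; existing pairs pass through.
    static String escapeQuotes(String filename) {
        StringBuilder sb = new StringBuilder();
        boolean escaped = false; // previous char was a backslash that starts a pair
        for (char c : filename.toCharArray()) {
            if (c == '"' && !escaped) {
                sb.append('\\');
            }
            sb.append(c);
            escaped = (c == '\\' && !escaped);
        }
        if (escaped) {
            // A lone trailing backslash would escape the closing quote.
            sb.deleteCharAt(sb.length() - 1);
        }
        return sb.toString();
    }

    static String header(String filename, boolean escape) {
        return "attachment; filename=\"" + (escape ? escapeQuotes(filename) : filename) + "\"";
    }

    // Read the filename parameter back as a quoted-string parser does:
    // stop at the first unescaped '"' and unescape quoted-pairs on the way.
    static String parseFilename(String header) {
        String marker = "filename=\"";
        int i = header.indexOf(marker) + marker.length();
        StringBuilder sb = new StringBuilder();
        for (; i < header.length() && header.charAt(i) != '"'; i++) {
            if (header.charAt(i) == '\\' && i + 1 < header.length()) {
                i++; // skip the backslash, keep the escaped character
            }
            sb.append(header.charAt(i));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample filenames, not taken from the issue.
        String[] samples = { "report \"final\".pdf", "q3 \"draft\"; v2.txt", "trailing\\" };
        for (String name : samples) {
            for (boolean escape : new boolean[] { false, true }) {
                String h = header(name, escape);
                System.out.printf("%-9s %s%n          parsed filename: [%s]%n",
                        escape ? "escaped:" : "naive:", h, parseFilename(h));
            }
        }
    }
}
```

In the naive rows the parsed filename is cut off at the first embedded quote and the remainder is left in the header as stray parameter text; in the escaped rows the whole name stays inside one quoted-string.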
@RockyMM it’s worth pointing out that versions prior to 5.0 were never affected by CVE-2020-5398 and that is why they are not listed in the CVE report.
The affected ContentDisposition type which can be used for the “inline” and “attachment” types that a server can use to suggest a file name to a client did not exist prior to version 5.0. There were however methods for “Content-Disposition” in HttpHeaders but those are for “form-data” which is used to post data from a client to a server and hence a very different scenario. The change in #24580 was merely a minor improvement aimed at making the code consistent.

To all affected in 4.3.x, this was solved by #24580 in 4.3.27. Security researchers (not Pivotal), please update the CVE report. 🙏