Bug: Content-Disposition Header Lacking "filename" When "filename*" Is Present


Description:

When sending files to a server that does not understand “filename*” parameters inside the Content-Disposition header, the server will fail to find the file name because the “filename” parameter is not also included.

Justification:

According to RFC 6266, ideal header generators will include both a “filename” and a “filename*” parameter whenever the “filename*” form is required:

– Include a “filename*” parameter where the desired filename cannot be expressed faithfully using the “filename” form. Note that legacy user agents will not process this, and will fall back to using the “filename” parameter’s content.

– When a “filename*” parameter is sent, to also generate a “filename” parameter as a fallback for user agents that do not support the “filename*” form, if possible. This can be done by substituting characters with US-ASCII sequences (e.g., Unicode character point U+00E4 (LATIN SMALL LETTER A WITH DIARESIS) by “ae”). Note that this may not be possible in some locales.

– When a “filename” parameter is included as a fallback (as per above), “filename” should occur first, due to parsing problems in some existing implementations.

Why I Care:

This inconsistency caused a many-hour debugging session when trying to discover why file uploads to Google AppEngine blobstore stopped working when the requests library was upgraded (which bundles urllib3 with install). The eventual resolution was to urlencode the file name to a str before upload so that the “filename*” parameter was not added.



Issue Analytics

  • State: closed
  • Created 7 years ago
  • Reactions: 1
  • Comments: 11 (10 by maintainers)
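
An added example, not part of the original issue or of urllib3's code: one way to build a header that follows the RFC 6266 advice quoted in the issue, with an ASCII "filename" first and "filename*" only when the name needs it. The function names and the "download" placeholder are assumptions, and the fallback drops accents instead of substituting "ae".

```python
import unicodedata
from urllib.parse import quote

# attr-char set from RFC 5987 section 3.2.1: allowed unencoded in filename*.
ATTR_CHARS = "!#$&+-.^_`|~"


def ascii_fallback(filename: str) -> str:
    """Best-effort US-ASCII value for the legacy "filename" parameter."""
    # NFKD splits "ä" into "a" + combining mark; the non-ASCII part is dropped.
    # This is a simpler substitution than the RFC's "ae" example.
    text = unicodedata.normalize("NFKD", filename)
    text = text.encode("ascii", "ignore").decode("ascii")
    # Escape backslash and double quote for an HTTP quoted-string.
    text = text.replace("\\", "\\\\").replace('"', '\\"')
    return text or "download"  # assumed placeholder when nothing survives


def content_disposition(disposition: str, filename: str) -> str:
    """Build a header value with "filename" first and "filename*" second."""
    # Drop non-printable characters (controls such as CR/LF, line separators)
    # so a crafted name cannot split the header.
    clean = "".join(ch for ch in filename if ch.isprintable())
    parts = [disposition, f'filename="{ascii_fallback(clean)}"']
    if not clean.isascii():
        # Extended form: charset, empty language tag, percent-encoded UTF-8.
        parts.append("filename*=UTF-8''" + quote(clean, safe=ATTR_CHARS))
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample names; the first two are the ones used on this page.
    for name in ("basic.txt", "ski ⛷.txt", "ä.txt", 'a"b\r\nX-Injected: 1.txt'):
        print(content_disposition("attachment", name))
```
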

Top GitHub Comments

4 reactions
davidism commented, Jun 9, 2021

I’m working on this.

2 reactions
davidism commented, Jun 10, 2021

Started doing some research. Created a Werkzeug application to echo the submitted Content-Disposition header.

import werkzeug

form_html = """\
<!doctype html>
<meta charset=utf-8>
<form method=post enctype=multipart/form-data>
<input type=file multiple name=file>
<input type=submit>
</form>
"""


@werkzeug.Request.application
def app(request: werkzeug.Request):
    if request.method == "POST":
        for f in request.files.getlist("file"):
            # Echo the raw header of each uploaded part, not the parsed name.
            print(f.headers["Content-Disposition"])

        return werkzeug.Response(status=204)

    return werkzeug.Response(form_html, content_type="text/html")


werkzeug.run_simple("localhost", 5000, app)

When a file named “basic.txt” is submitted from Firefox or Chromium, it prints:

form-data; name="file"; filename="basic.txt"

When a file named “ski ⛷.txt” is submitted from Firefox or Chromium, it prints:

form-data; name="file"; filename="ski ⛷.txt"

Browsers are providing one filename, and do not escape non-ASCII characters.
