Menu
According to RFC, in multipart/form-data content-disposition header filename field receives as parameter HTTP quoted string - string between quites where character '\' can escape any other ascii character.
The problem is, web browsers don't do it.
IE6 sends:
Content-Disposition: form-data; name="file"; filename="z:\tmp\test.txt"
Instead of expected
Content-Disposition: form-data; name="file"; filename="z:\\tmp\\test.txt"
Which should be parsed as z:tmptest.txt according to rules instead of z:\tmp\test.txt.
Firefox, Konqueror and Chrome don't escape " characters for example:
Content-Disposition: form-data; name="file"; filename=""test".txt"
Instead of expected
Content-Disposition: form-data; name="file"; filename="\"test\".txt"
So... how would you suggest to deal with this issue?
Does Anybody have an idea?
536
Content-Disposition is an optional header and allows the sender to indicate a default archival disposition; a filename. The optional "filename" parameter provides for this. This header field definition is based almost verbatim on Experimental RFC 1806 by R. Troost and S.
In a regular HTTP response, the Content-Disposition response header is a header indicating if the content is expected to be displayed inline in the browser, that is, as a Web page or as part of a Web page, or as an attachment, that is downloaded and saved locally.
The response from the server contained duplicate headers. This problem is generally the result of a misconfigured website or proxy. Only the website or proxy administrator can fix this issue. Error 349 (net::ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION): Multiple distinct Content-Disposition headers received.
multipart/form-data [RFC1867] The multipart/form-data content type is intended to allow information providers to express file upload requests uniformly, and to provide a MIME-compatible representation for file upload responses.
Though an old thread, adding the below java solution for whoever might be interested.
// import com.sun.xml.internal.messaging.saaj.packaging.mime.internet.*;
try {
ContentDisposition contentDisposition = new ContentDisposition("attachment; filename=\"myfile.log\"; filename*=UTF-8''myfile.log");
System.out.println(contentDisposition.getParameter("filename"));
} catch (ParseException e) {
e.printStackTrace();
}
Is there a reason that you need to parse this filename at all?
At least the one thing that's consistent is that the filename portion of the header ends with a double quote, so you just need to read in everything between filename=" and the final ".
Then you can probably treat any backslash other than \\, \" or \" as a literal backslash, unless you think it's particularly likely that users will be uploading filenames with tabs in them. :)
45
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
