Parsing entry names and filenames #1
Description
The HTML spec, as of whatwg/html#6282, specifies that when serializing multipart/form-data payloads, the '\n', '\r' and '\b' characters in names and filenames must be encoded as b"%0A", b"%0D" and b"%22", respectively. This was changed to match Chromium and WebKit's behavior, and Firefox is in the process of implementing this change (Gecko bug 1686765). Note that a '%' character doesn't get replaced by anything, which makes the b"%0A", b"%0D" and b"%22" sequences in the output ambiguous.
Given that, you might expect at least Chromium and WebKit to decode those escapes sequences when parsing multipart/form-data names and filenames. But as it turns out, every implementation leaves those escapes, and any other percent-encodes for that matter, as is.
There is another issue I noticed when parsing names and filenames, and it's related to Firefox's still current behavior when encoding (which will be changed in bug 1686765). Rather than percent-decoding, Gecko instead escaped '"' quotes by prepending a '\\' backslash (without escaping backslashes themselves). Since the value of the name and filename parameters are MIME quoted-strings, it makes sense to support that escape when parsing, but that would conflict with the serialization as currently spec'd.
Furthermore, when combined with other parsing bugs, we have all three implementations successfully parsing the following Content-Disposition header in different ways:
Content-Disposition: form-data; name="test1\"; filename="; filename="test2"
| Name | Filename | |
|---|---|---|
| Gecko | test1\ |
test2 |
| Chromium | test1"; filename= |
test2 |
| WebKit | test1\ |
; filename= |
If these behaviors turn out to be required for web compatibility, then it would mean that the multipart/form-data parser we're specifying would have to be specific to Body.prototype.formData() and shouldn't be used for anything else, including new APIs or server implementations. Note that the multipart/form-data parser in Chrome's implementation of the chrome.webRequest.onListener extension API has neither of those problems.