Escape only double-quote but no other ASCII char in multipart uploaded filenames #51

BMorearty opened this Issue Jan 23, 2012 · 0 comments


None yet

1 participant


Please see related discussion and research in rack/rack#323.

RFC 1867 does not say to escape ASCII chars in filenames in multipart uploads using %XX (the URL-encoding scheme from RFC 1738). No browser I tried (see list in rack/rack#323) escapes ASCII filename characters in this way so Rack shouldn't either, with one exception: it could emulate either Firefox or Webkit by escaping only the double-quote character.

  • Firefox escapes double-quote as \".
  • Webkit escapes double-quote as %22.

All other ASCII characters--including single quote ('), percent (%), ampersand (&), question mark (?), backslash (\)--should be passed straight through without encoding.

Background: this bit me because rack-test escapes the entire filename using RFC 1738 encoding and rack unescapes the filename using the same method. I had a passing test in my app to verify that special characters were allowed in filenames and it was passing, but later I discovered that in a real browser with a % sign in the filename it raised an error in rack. The real browser did not escape the % sign but rack tried to unescape it. If rack-test were behaving more like a real browser and not escape percent signs, my test would have told me something was wrong.

The correct fix is for both rack-test and rack to be updated (which is why rack/rack#323 was filed along with this one).


cc @raggi

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment