Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Not respecting quotes in headers #1397

Open
ghost opened this issue Dec 17, 2015 · 2 comments
Open

Not respecting quotes in headers #1397

ghost opened this issue Dec 17, 2015 · 2 comments
Labels
Projects

Comments

@ghost
Copy link

@ghost ghost commented Dec 17, 2015

Originally reported by: Shy Pike (Bitbucket: shypike, GitHub: shypike)


When a header contains a value between quotes and that value contains a semicolon
";", the header will not be parsed properly.

Example from a "Content-Disposition" header:

#!text

form-data; name="name"; filename="one;word.txt"

The cause is cherrypy/lib/httputil.py, line 148, function parse().

#!python

atoms = [x.strip() for x in elementstr.split(";") if x.strip()]

That code is too simple, it splits in the middle of the file name.


@ghost ghost added major bug engine labels Apr 30, 2016
@Safihre
Copy link
Contributor

@Safihre Safihre commented May 5, 2016

Circumvented that in SABnzbd in a little clumsy way:
sabnzbd/sabnzbd@69ce6e3

JB26 added a commit to JB26/cherrypy that referenced this issue Jun 5, 2016
JB26 added a commit to JB26/cherrypy that referenced this issue Jun 5, 2016
@JB26
Copy link
Contributor

@JB26 JB26 commented Jun 5, 2016

In case anyone else is wondering how double quotes in filenames (e.g. file"name.csv) are handled here are my findings.
Firefox escapes them like this \" which works fine with cherrypy.
Chrome escapes them using %22 which makes it impossible to differentiate between file"name.csv and file%22name.csv.
A discussion about this on w3: multipart/form-data filename encoding: unicode and special characters

jaraco added a commit that referenced this issue Jun 5, 2016
Issue #1397
Safihre referenced this issue in sabnzbd/sabnzbd Jun 5, 2016
Due to a bug in its header parsing, uploaded files could not contain semicolons.
CherryPy bug: 1397
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Bugs
Backlog
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.