Not respecting quotes in headers

[ghost]

Originally reported by: Shy Pike (Bitbucket: shypike, GitHub: @shypike

---

When a header contains a value between quotes and that value contains a semicolon
";", the header will not be parsed properly.

Example from a "Content-Disposition" header:

#!text

form-data; name="name"; filename="one;word.txt"

The cause is cherrypy/lib/httputil.py, line 148, function parse().

#!python

atoms = [x.strip() for x in elementstr.split(";") if x.strip()]

That code is too simple, it splits in the middle of the file name.

---

• Bitbucket: https://bitbucket.org/cherrypy/cherrypy/issue/1397

[Safihre]

Circumvented that in SABnzbd in a little clumsy way:
sabnzbd/sabnzbd@69ce6e3

[JB26]

In case anyone else is wondering how double quotes in filenames (e.g. file"name.csv) are handled here are my findings.
Firefox escapes them like this \" which works fine with cherrypy.
Chrome escapes them using %22 which makes it impossible to differentiate between file"name.csv and file%22name.csv.
A discussion about this on w3: multipart/form-data filename encoding: unicode and special characters