Not respecting quotes in headers #1397

Open
bb-migration opened this Issue Dec 17, 2015 · 2 comments

bb-migration commented Dec 17, 2015

Originally reported by: Shy Pike (Bitbucket: shypike, GitHub: shypike)


When a header contains a value between quotes and that value contains a semicolon
";", the header will not be parsed properly.

Example from a "Content-Disposition" header:

```text
form-data; name="name"; filename="one;word.txt"
```

The cause is cherrypy/lib/httputil.py, line 148, function parse().

```python
atoms = [x.strip() for x in elementstr.split(";") if x.strip()]
```

That code is too simple; it splits in the middle of the file name.


Contributor

Safihre commented May 5, 2016

Circumvented that in SABnzbd in a little clumsy way:
sabnzbd/sabnzbd@69ce6e3

JB26 added a commit to JB26/cherrypy that referenced this issue Jun 5, 2016

Contributor

JB26 commented Jun 5, 2016

In case anyone else is wondering how double quotes in filenames (e.g. `file"name.csv`) are handled, here are my findings.
Firefox escapes them like this: `\"`, which works fine with cherrypy.
Chrome escapes them using `%22`, which makes it impossible to differentiate between `file"name.csv` and `file%22name.csv`.
A discussion about this on w3: multipart/form-data filename encoding: unicode and special characters
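
The splitting problem from the report and the escaping behaviour noted in the comment above, as an added example (not CherryPy's code and not the fix that was committed). The function names are hypothetical; the first sample header is the one from the issue and the second is constructed.

```python
# Added illustration; function names are hypothetical, not CherryPy's API.
HEADER = 'form-data; name="name"; filename="one;word.txt"'      # from the issue
FIREFOX = 'form-data; name="f"; filename="file\\"name;v2.csv"'  # constructed

def split_naive(elementstr):
    # The line quoted in the issue: splits on every ';', quoted or not.
    return [x.strip() for x in elementstr.split(";") if x.strip()]

def split_params(elementstr):
    """Split on ';' only outside double quotes; a backslash escapes the next char."""
    atoms, buf, in_quotes, escaped = [], [], False, False
    for ch in elementstr:
        if escaped:
            escaped = False            # escaped char is kept literally
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            atoms.append("".join(buf).strip())
            buf = []
            continue                   # the separator itself is dropped
        buf.append(ch)
    atoms.append("".join(buf).strip())
    return [a for a in atoms if a]

def unquote(value):
    """Strip surrounding quotes and undo backslash escapes inside them."""
    if not (len(value) >= 2 and value[0] == value[-1] == '"'):
        return value
    out, escaped = [], False
    for ch in value[1:-1]:
        if ch == "\\" and not escaped:
            escaped = True
        else:
            out.append(ch)
            escaped = False
    return "".join(out)

def parse_disposition(header):
    """Return (disposition type, {param: value}) for a Content-Disposition value."""
    atoms = split_params(header)
    if not atoms:
        return "", {}
    params = {}
    for atom in atoms[1:]:
        key, _, val = atom.partition("=")
        # %22 is left undecoded: a literal '%22' and an encoded quote look the same.
        params[key.strip().lower()] = unquote(val.strip())
    return atoms[0], params
```

The resulting filename is still client-supplied input and needs the usual validation before it is used as a path.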

jaraco added a commit that referenced this issue Jun 5, 2016

Safihre referenced this issue in sabnzbd/sabnzbd Jun 5, 2016

Patch CherryPy 5.1.0: Fix CherryPy's header parsing bug.
Due to a bug in its header parsing, uploaded files could not contain semicolons.
CherryPy bug: 1397