Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ContentDisposition does not handle quoted pairs when parsing #28837

Closed
DidierLoiseau opened this issue Jul 18, 2022 · 1 comment
Closed

ContentDisposition does not handle quoted pairs when parsing #28837

DidierLoiseau opened this issue Jul 18, 2022 · 1 comment
Assignees
@poutsma
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug
Milestone
6.0.0-M6

Comments

@DidierLoiseau
Copy link

Affects: 5.3.21

When a multipart request contains a part with a quote or backslash in the name or filename, it should be escaped. ContentDisposition properly escapes them when building the header, but it does not unescape them when parsing it. See the following code:

ContentDisposition cd = ContentDisposition.builder("form-data").name("file").filename("a\\nice \"file\" with \\\" quotes.txt").build();
System.out.println("Generated header: " + cd);
System.out.println("Original: " + cd.getFilename());
ContentDisposition parsed = ContentDisposition.parse(cd.toString());
System.out.println("Parsed:   " + parsed.getFilename());

output:

Generated header: form-data; name="file"; filename="a\nice \"file\" with \" quotes.txt"
Original: a\nice "file" with \" quotes.txt
Parsed:   a\nice \"file\" with \" quotes.txt

(also note that the last quote seems to be considered as already escaped so it does not get escaped – seems intentional from the original implementation in 956ffe6)

The issue seems to come from ContentDisposition.java#L354-L356, which simply removes the outer quotes without unescaping:

String value = (part.startsWith("\"", eqIndex + 1) && part.endsWith("\"") ?
		part.substring(eqIndex + 2, part.length() - 1) :
		part.substring(eqIndex + 1));

We noticed this issue because we were seeing \" from MultipartFile.getOriginalFilename(), whereas Servlet’s Part.getSubmittedFileName() returns the correct value.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Jul 18, 2022
@poutsma poutsma self-assigned this Jul 25, 2022
@poutsma poutsma added the in: web Issues in web modules (web, webmvc, webflux, websocket) label Jul 25, 2022
@rstoyanchev rstoyanchev added this to the Triage Queue milestone Aug 1, 2022
@poutsma poutsma added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Sep 5, 2022
@poutsma poutsma modified the milestones: Triage Queue, 5.3.23, 6.0.0-M6 Sep 5, 2022
@poutsma
Copy link
Contributor

poutsma commented Sep 6, 2022

Fixing this will be a breaking change, so setting for 6.0.

@poutsma poutsma closed this as completed in 4cc91e4 Sep 7, 2022
@poutsma poutsma changed the title ContentDisposition does not unescape quotes and backslashes when parsing ContentDisposition does not handle quoted pairs when parsing Sep 7, 2022
@xg578962913 xg578962913 mentioned this issue Mar 13, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@poutsma poutsma

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug
Projects
None yet
Milestone
6.0.0-M6
Development

No branches or pull requests
4 participants
@poutsma @rstoyanchev @DidierLoiseau @spring-projects-issues