When a multipart request contains a part with a quote or backslash in the name or filename, it should be escaped. ContentDisposition properly escapes them when building the header, but it does not unescape them when parsing it. See the following code:
Generated header: form-data; name="file"; filename="a\nice \"file\" with \" quotes.txt"
Original: a\nice "file" with \" quotes.txt
Parsed: a\nice \"file\" with \" quotes.txt
(also note that the last quote seems to be considered as already escaped so it does not get escaped – seems intentional from the original implementation in 956ffe6)
We noticed this issue because we were seeing \" from MultipartFile.getOriginalFilename(), whereas Servlet’s Part.getSubmittedFileName() returns the correct value.
poutsma changed the title from "ContentDisposition does not unescape quotes and backslashes when parsing" to "ContentDisposition does not handle quoted pairs when parsing" on Sep 7, 2022
Affects: 5.3.21
The issue seems to come from ContentDisposition.java#L354-L356, which simply removes the outer quotes without unescaping.
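An added example, not Spring's code or the reporter's: a small Java encoder/decoder pair for the quoted-string form of the filename parameter, contrasting "strip the outer quotes" with resolving quoted pairs. It assumes the HTTP quoted-string grammar (a backslash followed by one character stands for that character); the class and method names are hypothetical, and unlike the generated header above, the encoder here also escapes backslashes so the round trip is lossless.

```java
public class QuotedStringDemo {
    // Encode a value as a quoted-string: backslash-escape '"' and '\'.
    static String quote(String value) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : value.toCharArray()) {
            if (c == '"' || c == '\\') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    // Decode a quoted-string: drop the outer quotes and resolve each
    // quoted pair (backslash + character) to the character itself.
    static String unquote(String token) {
        if (token.length() < 2 || !token.startsWith("\"") || !token.endsWith("\"")) {
            return token; // not a quoted-string, use the token as-is
        }
        StringBuilder sb = new StringBuilder();
        int end = token.length() - 1; // index of the closing quote
        for (int i = 1; i < end; i++) {
            char c = token.charAt(i);
            if (c == '\\') {
                if (i + 1 == end) { // the backslash escapes the final quote
                    throw new IllegalArgumentException("unterminated quoted-string");
                }
                c = token.charAt(++i);
            } else if (c == '"') {
                throw new IllegalArgumentException("unescaped quote inside quoted-string");
            }
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // The filename from the report, written as a Java literal.
        String original = "a\\nice \"file\" with \\\" quotes.txt";
        String token = quote(original);
        String header = "form-data; name=\"file\"; filename=" + token;
        // What a parser returns if it only removes the outer quotes.
        String stripped = token.substring(1, token.length() - 1);
        String decoded = unquote(token);
        System.out.println("Header:   " + header);
        System.out.println("Stripped: " + stripped);
        System.out.println("Decoded:  " + decoded);
        System.out.println("Round trip ok: " + decoded.equals(original));
    }
}
```

Where a filename check or storage path is derived from the parsed value, a leftover `\"` means that component and the Servlet container disagree on the name the client submitted.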