Prefer filename over filename* in multipart parser#2398
Conversation
jeremyevans
left a comment
jeremyevans
left a comment
There was a problem hiding this comment.
Thank you for your report. I would go so far as to say we shouldn't consider filename* at all during multipart parsing.
When you mention "filename* should be stripped out when filename is present", can you be specific about what it should be stripped out from? I think the only place it would be would be present is in the :head entries of the multipart parts, and those are almost never accessed IME.
Doing some research, the MDN documentation was not specific about avoiding filename* for headers in multipart bodies at the time that #1762 was submitted (http://web.archive.org/web/20210730214530/https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition). The MDN documentation has been updated since to make it clear filename* should not be used during multipart parsing. With the current MDN documentation, the change would not have been merged originally.
You are correct, my suggestion can be disregarded. |
|
I don't have a strong opinion about this but I do wonder if this is the right thing to do. It seems inconsistent to me to parse it differently depending on context. I agree generally to follow the standards. So before merging, I'd like to hear from @chiwenchen (if possible) regarding whether this was actually used in practice. Because if we remove this, I don't see any alternative to encoding file names using UTF-8 etc. (unless it became acceptable to put encoded names into I'm slightly worried that this will silently break things. It may be better to issue a warning instead so we can confirm it's not in use? |
|
Okay, I did some more digging: From https://www.rfc-editor.org/rfc/rfc8187.html
So As this does not apply to mime bodies, such a field is not necessary, so we can use
So percent-encoded filename is acceptable, and "some commonly deployed systems" use UTF-8 directly. Therefore, I'm okay to merge this PR, but I don't think it's a good idea to backport it. We also need a changelog entry (probably marked as breaking). |
ioquatix
left a comment
ioquatix
left a comment
There was a problem hiding this comment.
Please update changelog thanks.
…eaders. The `filename*` parameter is for HTTP headers only and should not be used in multipart/form-data. When both `filename` and `filename*` are present in a multipart form Content-Disposition header, prefer the standard `filename` parameter.
4 participants
Rack multipart prefers
filename*overfilenamewhen both are present in aContent-Dispositionheader.But
filename*is for HTTP headers only, so the current behavior (proposed in #1762, merged in #1789) should be reversed. Rack should only look atfilename*iffilenameis not present. See the note in RFC 7578 §4.2 for background.For a future major release, suggest to return 400 when a request has
filename*in a multipart form, because practically all such requests would have malign intent. At minimum,filename*should be stripped out whenfilenameis present, to prevent security boundary mismatches.