Skip to content

Fix encoding for non-ASCII filenames in Content-Disposition header #58259

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix encoding for non-ASCII filenames in Content-Disposition header #58259

wants to merge 1 commit into from
+16 −0

Conversation

mohithbunny
Copy link

Resolved incorrect encoding handling in Content-Disposition header

@mohithbunny
Update _http_outgoing.js
7aa22e5 
Resolved incorrect encoding handling in Content-Disposition header
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/http
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added http Issues or PRs related to the http subsystem. needs-ci PRs that need a full CI run. labels May 10, 2025
jasnell
jasnell reviewed May 12, 2025
View reviewed changes
lib/_http_outgoing.js
return unique;
}
function maybeEncodeFilenameHeader(value) {
const filenameMatch = value.match(/filename="(.+?)"/);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I'm reading this correctly it assumes that the value for the filename is always quoted. It's been a while since I've looked but I'm not sure if that's actually required by the relevant specs. RFC2183 where this is originally defined generally is quite careful about indicating when the value must be quoted and I don't recall anything there saying that filename must be a quoted string value.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for pointing that out, @jasnell — you're absolutely right. The current implementation incorrectly assumes that the filename value is always quoted, which isn't guaranteed per RFC 2183. According to the spec, the filename parameter can be either a quoted-string or a token, so it's valid for it to appear without quotes.

I've updated the logic to handle both quoted and unquoted filename values using a more flexible regex:

-> const filenameMatch = value.match(/filename=(?:"([^"]+)"|([^;\s]+))/);
-> const filename = filenameMatch ? (filenameMatch[1] || filenameMatch[2]) : null;

Let me know if you think we should handle any additional edge cases. Thanks again!

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-> const filenameMatch = value.match(/filename=(?:"([^"]+)"|([^;\s]+))/);
-> const filename = filenameMatch ? (filenameMatch[1] || filenameMatch[2]) : null;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasnell jasnell jasnell left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

http Issues or PRs related to the http subsystem. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mohithbunny @nodejs-github-bot @jasnell