Fix handling of unquoted values in Content-Disposition

fixes #244
pillarjs · Dec 18, 2021 · 645fa95 · 645fa95
1 parent 1b650bb
commit 645fa95
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 4 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1 @@
+*.http binary
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Fix handling of unquoted values in `Content-Disposition`
   * deps: http-errors@~1.8.1
     - deps: [email protected]
 

diff --git a/index.js b/index.js
@@ -42,7 +42,9 @@ var Z = 122;
 var CONTENT_TYPE_RE = /^multipart\/(?:form-data|related)(?:;|$)/i;
 var CONTENT_TYPE_PARAM_RE = /;\s*([^=]+)=(?:"([^"]+)"|([^;]+))/gi;
 var FILE_EXT_RE = /(\.[_\-a-zA-Z0-9]{0,16})[\S\s]*/;
+var FILENAME_PARAM_RE = /\bfilename=(?:"(.*?)"|([!#$%&'*+.0-9A-Z^_`a-z|~-]+))($|; )/i
 var LAST_BOUNDARY_SUFFIX_LEN = 4; // --\r\n
+var NAME_PARAM_RE = /\bname=(?:"([^"]+)"|([!#$%&'*+.0-9A-Z^_`a-z|~-]+))/i
 
 exports.Form = Form;
 
@@ -458,8 +460,8 @@ Form.prototype.onParseHeaderEnd = function() {
 
   var m;
   if (this.headerField === 'content-disposition') {
-    if (m = this.headerValue.match(/\bname="([^"]+)"/i)) {
-      this.partName = m[1];
+    if (m = NAME_PARAM_RE.exec(this.headerValue)) {
+      this.partName = m[1] || m[2] || ''
     }
     this.partFilename = parseFilename(this.headerValue);
   } else if (this.headerField === 'content-transfer-encoding') {
@@ -795,7 +797,7 @@ function uploadPath(baseDir, filename) {
 }
 
 function parseFilename(headerValue) {
-  var m = headerValue.match(/\bfilename="(.*?)"($|; )/i);
+  var m = FILENAME_PARAM_RE.exec(headerValue)
   if (!m) {
     m = headerValue.match(/\bfilename\*=utf-8''(.*?)($|; )/i)
     if (m) {
@@ -805,7 +807,7 @@ function parseFilename(headerValue) {
     }
   }
 
-  var filename = m[1];
+  var filename = m[1] || m[2] || '';
   filename = filename.replace(/%22|\\"/g, '"');
   filename = filename.replace(/&#([\d]{4});/g, function(m, code) {
     return String.fromCharCode(code);

diff --git a/test/fixture/http/filename/unquoted.http b/test/fixture/http/filename/unquoted.http
@@ -0,0 +1,13 @@
+POST /upload HTTP/1.1
+Host: localhost:8080
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytyE4wkKlZ5CQJVTG
+Content-Length: 207
+
+------WebKitFormBoundarytyE4wkKlZ5CQJVTG
+Content-Disposition: form-data; name=upload; filename=foo_bar.txt
+Content-Type: text/plain
+
+I am a plain text file
+
+------WebKitFormBoundarytyE4wkKlZ5CQJVTG--
+
diff --git a/test/fixture/js/filename.js b/test/fixture/js/filename.js
@@ -24,3 +24,11 @@ module.exports['quotes.http'] = [{
   fixture: 'plain.txt',
   sha1: 'b31d07bac24ac32734de88b3687dddb10e976872'
 }]
+
+module.exports['unquoted.http'] = [{
+  type: 'file',
+  name: 'upload',
+  filename: 'foo_bar.txt',
+  fixture: 'plain.txt',
+  sha1: 'b31d07bac24ac32734de88b3687dddb10e976872'
+}]