fix: quotes in content-disposition header
Replaces the quotes by actually encoding the filename in the dav `Content-Disposition` header. The value of the `filename*` parameter must not be surrounded by any quotes, but rather be encoded in the first place. See RFC-6266 for more details.

The quotes caused an issue where certain browsers would decode the quotes and falsely prepend them to the filename.
JammingBen committed Jul 3, 2024
1 parent d599d88 commit 6f42cd2
Showing 3 changed files with 13 additions and 1 deletion.
@@ -0,0 +1,6 @@
Bugfix: Quotes in dav Content-Disposition header

We've fixed the the quotes in the dav `Content-Disposition` header. They caused an issue where certain browsers would decode the quotes and falsely prepend them to the filename.

https://github.com/cs3org/reva/pull/4748
https://github.com/owncloud/web/issues/11031
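
Review bot: The changelog body has a doubled word in "We've fixed the the quotes", which should read "We've fixed the quotes". The entry also describes only the symptom; a short clause saying that the `filename*` value is now encoded instead of quoted, as the commit message does, would tell readers what actually changed in the header.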
3 changes: 2 additions & 1 deletion internal/http/services/owncloud/ocdav/net/builders.go
Expand Up @@ -19,6 +19,7 @@
package net

import (
"net/url"
"time"

cs3types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
Expand All @@ -27,7 +28,7 @@ import (

// ContentDispositionAttachment builds a ContentDisposition Attachment header with various filename encodings
func ContentDispositionAttachment(filename string) string {
return "attachment; filename*=UTF-8''\"" + filename + "\"; filename=\"" + filename + "\""
return "attachment; filename*=UTF-8''" + url.QueryEscape(filename) + "; filename=\"" + filename + "\""
}

// RFC1123Z formats a CS3 Timestamp to be used in HTTP headers like Last-Modified
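
Review bot: `url.QueryEscape(filename)` in the new return line encodes a space as `+`, and in the `filename*` extended value `+` is a literal character rather than an encoded space, so a name such as `my file.txt` is sent as `my+file.txt` and saved with the plus sign. `url.PathEscape(filename)` emits `%20` for spaces and is the closer fit for this parameter. Separately, the fallback `filename=\"" + filename + "\"` is unchanged and still places the raw name inside a quoted-string, so a name containing `"` or `\` yields a malformed parameter; escaping or replacing those characters there would be worth doing in the same change. None of the three changed files adds a unit test for `ContentDispositionAttachment`, so cases with spaces, quotes and non-ASCII names are worth covering.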
5 changes: 5 additions & 0 deletions tests/acceptance/expected-failures-on-OCIS-storage.md
Expand Up @@ -267,5 +267,10 @@ _The below features have been added after I last categorized them. AFAICT they a
- [coreApiWebdavProperties/createFileFolder.feature:236](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavProperties/createFileFolder.feature#L236)
- [coreApiWebdavProperties/createFileFolder.feature:237](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavProperties/createFileFolder.feature#L237)

### [Fix Content-Disposition header for download requests](https://github.com/cs3org/reva/pull/4748)

- [coreApiVersions/fileVersions.feature:158](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiVersions/fileVersions.feature#L158)
- [coreApiVersions/fileVersions.feature:176](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiVersions/fileVersions.feature#L176)

- Note: always have an empty line at the end of this file.
The bash script that processes this file may not process a scenario reference on the last line.
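
Review bot: The two scenarios added under the new heading (`fileVersions.feature:158` and `fileVersions.feature:176`) are listed as expected failures with only a link to this PR, so nothing here records why they now fail or what has to happen before the entries can be removed. Suggest adding a one-line reason under the heading, or a link to a tracking issue, so the section does not become permanent.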
