starrify
commented
2 months ago Sorry I forgot to mention that this patch does introduce a new type of mishandling on semicolons. With this patch, the below payload
content-disposition: attachment; filename="foo;bar"would result in foo being the filename, not foo;bar. This is due to the lack of handling quoted strings here.
Despite this, I'd assume that this patch still beneficial overall, since it's considered less common that a web server indeed includes a semicolon as part of a filename than that an additional filename* parameter appears.
Fixes #429.
This not mostly ideal (RFC 6266 prefers
filename*if present) yet may be considered good enough if we don't want to introdue UTF-8 decoding here.