Open michaelweiser opened 2 years ago
cc @andreubotella
Chromium and WebKit have both had this behavior for many years, and they don't escape the percent sign. Given the relative rarity of such filenames, I suspect this hasn't been an issue in practice (although it seems like WebKit might consider this worth looking into).
@cdumez @mfreed7 @smaug----
Sounds like an edge case, but something which probably should and could be fixed.
This was reported to Chromium a few days ago, based on a bug filed against PHP.
I do agree that the current spec (and behavior) seems a bit odd here. It feels like we should add just one more explicit escape for filenames, from %
--> %25
. That would allow folks to distinguish between ".txt
and %22.txt
.
I suspect the compat story wouldn't be terrible in making this change, but there are no guarantees that it won't break something. I suppose we could add a use counter for finding %
in a filename.
https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data
Doesn't that mean that no file (or field) name can ever legitimately contain character sequences that encode to byte sequences
%0A
,%0D
or%22
? (For most if not all encodings it'll be these character sequences exactly.)The sender will apply no escaping but the receiving end will unescape them into bytes 0x0A, 0x0D and 0x22 respectively. From there they'll not decode back into the original character sequences, i.e. the filename will end up corrupted. For example,
100%0Applejuice.pdf
would become100<linefeed>pplejuice.pdf
.Should escaping of the escape character (0x25, %) as
%25
be added here?