#36023: Update content_disposition_header to handle control chars.
-------------------------------+--------------------------------------
     Reporter:  Alex Vandiver  |                    Owner:  (none)
         Type:  Bug            |                   Status:  new
    Component:  HTTP handling  |                  Version:  dev
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  1              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Changes (by Alex Vandiver):

 * resolution:  needsinfo =>
 * status:  closed => new

Comment:

 Headers cannot contain newline characters and other control characters.
 The current code passes them through unchanged, and filenames should not
 be assumed to be free from them.  For instance:


 {{{
 from django.http import HttpResponse
 from django.utils.http import content_disposition_header


 def index(request):
     filename = "foo\nbar.pdf"
     return HttpResponse(
         "Some PDF content",
         headers={"Content-Disposition": content_disposition_header(True, filename)},
     )
 }}}

 ...will produce:
 {{{
 Traceback (most recent call last):
   File "/srv/zulip-py3-venv/lib/python3.10/site-packages/django/core/handlers/exception.py", line 55, in inner
     response = get_response(request)
   File "/srv/zulip-py3-venv/lib/python3.10/site-packages/django/core/handlers/base.py", line 197, in _get_response
     response = wrapped_callback(request, *callback_args, **callback_kwargs)
   File "/home/zulipdev/newline-disposition/newlines/views.py", line 7, in index
     return HttpResponse(
   File "/srv/zulip-py3-venv/lib/python3.10/site-packages/django/http/response.py", line 374, in __init__
     super().__init__(*args, **kwargs)
   File "/srv/zulip-py3-venv/lib/python3.10/site-packages/django/http/response.py", line 115, in __init__
     self.headers = ResponseHeaders(headers)
   File "/srv/zulip-py3-venv/lib/python3.10/site-packages/django/http/response.py", line 41, in __init__
     self[header] = value
   File "/srv/zulip-py3-venv/lib/python3.10/site-packages/django/http/response.py", line 87, in __setitem__
     value = self._convert_to_charset(value, "latin-1", mime_encode=True)
   File "/srv/zulip-py3-venv/lib/python3.10/site-packages/django/http/response.py", line 61, in _convert_to_charset
     raise BadHeaderError(
 django.http.response.BadHeaderError: Header values can't contain newlines (got 'attachment; filename="foo\nbar.pdf"')
 }}}

 The PR switches that to correctly percent-encode them, so that they
 can be passed as an HTTP header.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36023#comment:2>
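
The percent-encoding approach the comment describes, as an added standalone sketch (not Django's code and not the patch attached to the ticket). The names safe_content_disposition and header_value_is_safe are hypothetical, and sending any filename that contains a control character through the RFC 5987 filename* form is an assumption of this example.

```python
import re
from urllib.parse import quote

# C0 control characters (CR, LF, TAB, NUL, ...) and DEL must never appear raw
# in a header value; CR/LF in particular would allow header injection.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def safe_content_disposition(as_attachment, filename):
    """Hypothetical helper: build a Content-Disposition value from an untrusted filename."""
    disposition = "attachment" if as_attachment else "inline"
    if not filename:
        return disposition if as_attachment else None

    # Use the extended form when the name has control characters or non-ASCII text.
    needs_ext = _CONTROL_CHARS.search(filename) is not None
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        needs_ext = True

    if needs_ext:
        # RFC 5987 ext-value: UTF-8 bytes, percent-encoded. With safe="" only
        # unreserved characters stay literal, so "\n" becomes %0A and "\r" %0D.
        return f"{disposition}; filename*=utf-8''{quote(filename, safe='')}"

    # Plain printable ASCII: quoted-string with backslash and quote escaped.
    escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
    return f'{disposition}; filename="{escaped}"'


def header_value_is_safe(value):
    """True when the value carries no raw control characters."""
    return _CONTROL_CHARS.search(value) is None


if __name__ == "__main__":
    # Constructed sample filenames, including the one from the ticket.
    for name in ["report.pdf", "foo\nbar.pdf", "x\r\nSet-Cookie: a=b", "r\u00e9sum\u00e9.pdf"]:
        value = safe_content_disposition(True, name)
        print(repr(name), "->", value, "| safe:", header_value_is_safe(value))
```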