#36023: Update content_disposition_header to handle control chars.
-------------------------------+-----------------------------------------
Reporter: Alex Vandiver | Owner: Alex Vandiver
Type: Bug | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------
Comment (by Alex Vandiver):
We ran into this in the context of [https://zulip.com/ Zulip]; it stores
files uploaded by arbitrary web browsers, and attempts to serve the files
back to them with the same filenames they were uploaded as. In our
production deploy, we observe filenames with newlines on an infrequent but
non-zero frequency.
I agree that non-newline control characters are a bit more of a "did you
really mean that," but filtering them should be the job of the application
calling the function. The function should either produce the requested
output correctly, or throw an exception -- not corrupt the HTTP response.
Given that it's a SHOULD, not a MUST, I feel it's reasonable to produce
the requested output.
--
Ticket URL: <https://code.djangoproject.com/ticket/36023#comment:5>
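
The two outcomes the comment above calls acceptable (emit the filename correctly, or raise), next to the failure mode it objects to, as an added example that is not part of the ticket and is not Django's code. The helper names and the sample filename are constructed for illustration; the encoded form is the RFC 5987 `filename*` ext-value.

```python
from urllib.parse import quote

# Constructed sample: an uploaded filename that contains a newline.
SAMPLE = "report\n2024.txt"


def has_control_chars(value: str) -> bool:
    """True if value contains a C0 control character or DEL (CR and LF included)."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def _quoted(filename: str) -> str:
    # quoted-string form: only backslash and double quote are escaped
    escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
    return f'attachment; filename="{escaped}"'


def naive_content_disposition(filename: str) -> str:
    """Failure mode: control characters pass straight into the header value."""
    return _quoted(filename)


def encoded_content_disposition(filename: str) -> str:
    """Option 1: always produce a well-formed header for the requested name.

    Plain printable ASCII uses the quoted-string form. Anything else falls
    back to filename*, where quote(..., safe="") percent-encodes every byte
    except letters, digits and "_.-~", so no raw control character is emitted.
    """
    if filename.isascii() and not has_control_chars(filename):
        return _quoted(filename)
    return "attachment; filename*=utf-8''" + quote(filename, safe="")


def strict_content_disposition(filename: str) -> str:
    """Option 2: refuse the input instead of emitting a corrupt header."""
    if has_control_chars(filename):
        raise ValueError("control character in filename")
    return encoded_content_disposition(filename)


if __name__ == "__main__":
    print(repr(naive_content_disposition(SAMPLE)))
    print(repr(encoded_content_disposition(SAMPLE)))
```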