Re: Unable to get filename with quotes after upload?

There it is, the full filename in all its glory. But: Am I really supposed to parse the Content-Disposition header? I am not even sure if all browser/OS combinations reliably set this header...

Um, absolutely not :) param('upload_field') returns an object, use it as a filehandle its a filehandle, use it as a string is the filename from content-disposition header

You can also use ->asString or ''. param('upload_field')

Comment on Re: Unable to get filename with quotes after upload? Select or Download Code

Replies are listed 'Best First'.
Re^2: Unable to get filename with quotes after upload? by Anonymous Monk on Jan 16, 2012 at 14:39 UTC
I see the problem now It is a bug in CGI # See RFC 1867, 2183, 2045 # NB: File content will be loaded into memory should # content-disposition parsing fail. my ($filename) = $header{'Content-Disposition'} =~/ filename=(("[^"]")\|([a-z\d!\#'\\+,\.^_\`\{\}\ +\|\~]))/i; $filename \|\|= ''; # quench uninit variable warning $filename =~ s/^"([^"])"$/$1/; [download] It is a bug in CGI::Simple `my ( $param ) = $unfold =~ m/form-data;\s+name="?([^\";])"?/; my ( $filename ) = $unfold =~ m/name="?\Q$param\E"?;\s+filename="?([^\"])"?/;` [download] Example quoted string request `my $VAR1 = "POST http://localhost/cgi-bin/upload_quotes.pl\nContent-Le +ngth: 138\nContent-Type:". " multipart/form-data; boundary=xYzZY\n\n--xYzZY\r\nContent-Di +sposition: form". "-data; name=\"file\"; filename=\"stupid \\\"quoted\\\" filena +me.txt\"\r\n-Content:". " stupid content\r\n\r\n\r\n--xYzZY--\r\n";` [download] I'd have suggested a regex, I've seen one many times, but I'm not up on the rfcs http://tools.ietf.org/html/rfc1521 `value := token / quoted-string token := 1<any (ASCII) CHAR except SPACE, CTLs, or tspecials> tspecials := "(" / ")" / "<" / ">" / "@" / "," / ";" / ":" / "\" / <"> / "/" / "[" / "]" / "?" / "=" ; Must be in quoted-string, ; to use within parameter values` [download] http://tools.ietf.org/html/rfc2822#section-3.2.5 FWS = ([WSP CRLF] 1WSP) / ; Folding white space obs-FWS ctext = NO-WS-CTL / ; Non white space controls %d33-39 / ; The rest of the US-ASCII %d42-91 / ; characters not including "( +", %d93-126 ; ")", or "\" ccontent = ctext / quoted-pair / comment comment = "(" ([FWS] ccontent) [FWS] ")" CFWS = ([FWS] comment) (([FWS] comment) / FWS) qtext = NO-WS-CTL / ; Non white space controls %d33 / ; The rest of the US-ASCII %d35-91 / ; characters not including "\ +" %d93-126 ; or the quote character qcontent = qtext / quoted-pair quoted-string = [CFWS] DQUOTE ([FWS] qcontent) [FWS] DQUOTE [download]	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re^2: Unable to get filename with quotes after upload?
by Anonymous Monk on Jan 16, 2012 at 14:39 UTC

I see the problem now

It is a bug in CGI

        # See RFC 1867, 2183, 2045
        # NB: File content will be loaded into memory should
        # content-disposition parsing fail.
        my ($filename) = $header{'Content-Disposition'}
                   =~/ filename=(("[^"]*")|([a-z\d!\#'\*\+,\.^_\`\{\}\
+|\~]*))/i;

    $filename ||= ''; # quench uninit variable warning

        $filename =~ s/^"([^"]*)"$/$1/;
[download]

It is a bug in CGI::Simple

my ( $param ) = $unfold =~ m/form-data;\s+name="?([^\";]*)"?/;
      my ( $filename )
       = $unfold =~ m/name="?\Q$param\E"?;\s+filename="?([^\"]*)"?/;
[download]

Example quoted string request

my $VAR1 = "POST http://localhost/cgi-bin/upload_quotes.pl\nContent-Le
+ngth: 138\nContent-Type:".
        " multipart/form-data; boundary=xYzZY\n\n--xYzZY\r\nContent-Di
+sposition: form".
        "-data; name=\"file\"; filename=\"stupid \\\"quoted\\\" filena
+me.txt\"\r\n-Content:".
        " stupid content\r\n\r\n\r\n--xYzZY--\r\n";
[download]

I'd have suggested a regex, I've seen one many times, but I'm not up on the rfcs

http://tools.ietf.org/html/rfc1521

value := token / quoted-string
token  :=  1*<any (ASCII) CHAR except SPACE, CTLs,
                   or tspecials>

     tspecials :=  "(" / ")" / "<" / ">" / "@"
                /  "," / ";" / ":" / "\" / <">
                /  "/" / "[" / "]" / "?" / "="
               ; Must be in quoted-string,
               ; to use within parameter values
[download]

http://tools.ietf.org/html/rfc2822#section-3.2.5

FWS             =       ([*WSP CRLF] 1*WSP) /   ; Folding white space
                        obs-FWS

ctext           =       NO-WS-CTL /     ; Non white space controls

                        %d33-39 /       ; The rest of the US-ASCII
                        %d42-91 /       ;  characters not including "(
+",
                        %d93-126        ;  ")", or "\"

ccontent        =       ctext / quoted-pair / comment

comment         =       "(" *([FWS] ccontent) [FWS] ")"

CFWS            =       *([FWS] comment) (([FWS] comment) / FWS)



qtext           =       NO-WS-CTL /     ; Non white space controls
 
                        %d33 /          ; The rest of the US-ASCII
                        %d35-91 /       ;  characters not including "\
+"
                        %d93-126        ;  or the quote character
 
qcontent        =       qtext / quoted-pair
 
quoted-string   =       [CFWS]
                        DQUOTE *([FWS] qcontent) [FWS] DQUOTE
[download]

[reply]
[d/l]
[select]