
This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 23823
Status: rejected
Priority: 9/
Queue: CGI

People
Owner: MARKSTOS [...] cpan.org
Requestors: wbardwel [...] curl.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: (no value)



Subject: CGI.pm requires quotes for name= and filename= which is wrong
Date: Wed, 06 Dec 2006 00:05:12 -0500
To: bug-CGI.pm [...] rt.cpan.org
From: William Bardwell <bardwell [...] curl.com>
I am seeing it running 3.05, but the source for 3.25 looks the same. Content-Disposition: header parsing is requiring quotes around the values of parameters like name= and filename= which is not what the RFC calls for. Those can be quoted strings or tokens (aka strings that do not require quoting.)

William Bardwell
wbardwel@curl.com
On Wed Dec 06 00:05:30 2006, wbardwel@curl.com wrote:
> I am seeing it running 3.05, but the source for 3.25 looks
> the same. Content-Disposition: header parsing is requiring
> quotes around the values of parameters like name= and filename=
> which is not what the RFC calls for. Those can be quoted
> strings or tokens (aka strings that do not require quoting.)
>
> William Bardwell
> wbardwel@curl.com
Thanks for the report, William. To move this forward, I'd like a link to the relevant RFC, as well as an automated test which triggers the bug.

Mark
Subject: Re: [rt.cpan.org #23823] CGI.pm requires quotes for name= and filename= which is wrong
Date: Wed, 22 Jul 2009 23:07:52 -0400
To: bug-CGI.pm [...] rt.cpan.org
From: William Bardwell <bardwell [...] curl.com>
A Content-Disposition RFC is:
http://www.ietf.org/rfc/rfc2183.txt
which has the production for filename as:

    filename-parm := "filename" "=" value

The production for value is in:
http://www.ietf.org/rfc/rfc2045.txt

    value := token / quoted-string
    token := 1*<any (US-ASCII) CHAR except SPACE, CTLs, or tspecials>

But all RFC 822 values in headers are defined that way. (Not sure where to find the production for the name parameter for Content-Disposition.)

For a test case, take any existing test case with a Content-Disposition and remove the quotes around the value for name and filename.
This issue has been copied to:

https://github.com/leejo/CGI.pm/issues/49

Please take all future correspondence there. This ticket will remain open but please do not reply here. This ticket will be closed when the github issue is dealt with.
I'm rejecting this on the grounds that:

1. It is an eight-year-old bug report with little useful information regarding the "correct" fix. Any fixes made to the parsing and/or generation of the Content-Disposition header will probably cause significant breaks to existing code using these routines.

2. I cannot find the definition for name param in the Content-Disposition Header RFC. In fact, I cannot find the definition for it in any of the below so there is no clear advice on whether or not this param can be a token or must be quoted:

   - http://www.ietf.org/rfc/rfc2183.txt
   - http://www.ietf.org/rfc/rfc2045.txt
   - http://www.ietf.org/rfc/rfc1867.txt (the examples in this one seem to imply it should be quoted)
   - http://www.ietf.org/rfc/rfc2388.txt

3. The parsing of the filename param in the code already allows unquoted filenames, I have updated the test case to cover this - be aware that if the value is not quoted then it cannot contain any of the tspecials, so there are cases where it must be quoted.

Thanks!

Lee.
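
Added illustration (not part of the ticket correspondence and not CGI.pm's code): a stand-alone Perl parser for the `value := token / quoted-string` production quoted in the thread, applied to every parameter and rejecting anything that fits neither form. The helper name `parse_content_disposition` is hypothetical and the sample header values are constructed.

```perl
use strict;
use warnings;

# RFC 2045 token: US-ASCII characters except SPACE, CTLs and the
# tspecials ( ) < > @ , ; : \ " / [ ] ? =
my $token  = qr{[^\P{ASCII}\x00-\x20\x7f()<>\@,;:\\"/\[\]?=]+};
# quoted-string: anything but " and \, or a backslash-escaped pair.
my $quoted = qr{"((?:[^"\\]|\\.)*)"}s;

# Hypothetical helper: returns (type, \%params), or an empty list when
# the value does not match the grammar (strict, no guessing).
sub parse_content_disposition {
    my ($value) = @_;
    $value =~ m{\G\s*($token)}gc or return;
    my ($type, %param) = (lc $1);
    while ($value =~ m{\G\s*;\s*}gc) {
        $value =~ m{\G($token)\s*=\s*}gc or return;
        my $name = lc $1;
        if ($value =~ m{\G$quoted}gc) {
            (my $v = $1) =~ s/\\(.)/$1/gs;    # undo quoted-pair escaping
            $param{$name} = $v;
        }
        elsif ($value =~ m{\G($token)}gc) {
            $param{$name} = $1;               # bare token, no quotes needed
        }
        else { return }
    }
    $value =~ m{\G\s*\z}gc or return;         # reject trailing garbage
    return ($type, \%param);
}

# Constructed sample header values (not taken from the ticket).
for my $h (
    'form-data; name="upload"; filename="report.txt"',    # quoted-string
    'form-data; name=upload; filename=report.txt',        # bare tokens
    'form-data; name=upload; filename=a b.txt',           # SPACE is not a token char
    'form-data; name=upload; filename="a;b \"c\".txt"',   # tspecials need quoting
) {
    my ($type, $p) = parse_content_disposition($h);
    print defined $type
        ? "ok       $type name=[$p->{name}] filename=[$p->{filename}]\n"
        : "rejected $h\n";
}
```

Rejecting values that match neither production, rather than guessing where an unquoted value ends, keeps an upload handler's view of `filename` consistent with that of any proxy or filter that parsed the same header.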