Multipart-Form-Data in akka-http, missing quotes in Content-Disposition field

[ktoso]

Issue by KrzyMucha
Wednesday Oct 12, 2016 at 08:05 GMT
Originally opened as akka/akka#21656

---

When we use akka-http for http request with following code:

Multipart
            .FormData(Multipart.FormData.BodyPart("file",
                HttpEntity.Strict(MediaTypes.`image/jpeg`, ByteString("test")), Map("filename" -> "somefile.jpeg"))).toEntity()

Then Http request is as follows

User-Agent: [akka-http/2.4.8]
Transfer-Encoding: [chunked]
Host: [localhost:8089]
Content-Type: [multipart/form-data; boundary=xWtacaNwjOWLKFExaR8fOv6Q; charset=UTF-8]

--xWtacaNwjOWLKFExaR8fOv6Q
Content-Type: image/jpeg
Content-Disposition: form-data; filename=somefile.jpeg; name=file

test
--xWtacaNwjOWLKFExaR8fOv6Q--

Parameters filename and file are without quotation marks. However following HTTP specification this params should be quoted. As result some servers (ex. "django" app) are not able to see attached files.

[ktoso]

Comment by ktoso
Wednesday Oct 12, 2016 at 08:10 GMT

---

Please open the issue on github.com/akka/akka-http instead, sinve the project has moved.

AFAIR there is no need to quote these according to the https://tools.ietf.org/html/rfc6266 spec

     filename-parm       = "filename" "=" value
                         | "filename*" "=" ext-value

       value                   = token | quoted-string

notice the | there.

Let's please continue in the right repo.

[ktoso]

Issue by KrzyMucha
Wednesday Oct 12, 2016 at 08:05 GMT
Originally opened as #387

---

Information about requirement I found here: https://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html, paragraph 19.5.1 Content-Disposition

filename-parm = "filename" "=" quoted-string
disp-extension-parm = token "=" ( token | quoted-string )

[ktoso]

Seems you're right, according to https://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html#sec19.5.1 @KrzyMucha.
Would you be able to contribute a fix for this? It's relatively simple, I'm happy to help if you need pointers to get started.

[KrzyMucha]

I can do fix

[jrudolph]

I'm pretty sure there should be a related ticket lurking somewhere.

[jrudolph]

This seems to be a duplicate of akka/akka#18788. There we concluded that RFC 2616 is not the most recent one and RFC 6266 also allows filename parameter values without quotes. Still, if this was only recently changed (2011) it might make sense to add extra quotes even if they are not strictly required by the latest spec.

[jrudolph]

Appendix A of RFC 6266 says:

   o  RFC 2616 only allows "quoted-string" for the filename parameter.
      This would be an exceptional parameter syntax, and also doesn't
      reflect actual use.

[jrudolph]

Also looking at this stackoverflow answer which seems to imply that browsers also seem to be very confused about what they generate. (Though I guess it would need to be re-checked with recent browsers.)

[KrzyMucha]

What I found is that other clients (I checked curl and dispatch.io) put values of parameters name and filename in quoted marks, like this:

Content-Disposition: form-data; name="file"; filename="6117776844.jpeg"

Should the fix enforce similar behaviour for akka-http?

[ktoso]

Seems that would be perhaps safer than now.
As the linked discussion said it "Browser compatibility is a mess." :-/

[KrzyMucha]

@ktoso I created pull request for this, however I made some mess before (first time on github doing this). Anyway doing my best :)

[ktoso]

Cool, thanks a lot Krzysztof :-)

[jrudolph]

Fixed by #471.