Bug 131317

Version:            (using KDE KDE 3.5.2)
Installed from:    Gentoo Packages
Compiler:          gcc version 3.4.6 (Gentoo 3.4.6-r1, ssp-3.4.5-1.0, pie-8.7.9) 
OS:                Linux

I was working on some file upload code, and discovered that file names are not represented correctly in the Content-Disposition headers that Konqueror submits.

For example, when I try uploading a file called:

  foo;fred"

using the following HTML:

<form action="/upload" method="POST" enctype="multipart/form-data">
  <input type="file" name="file">
  <input type="submit">
</form>

I get the following multipart data:

------------oGmndDjo85k5RWhIOAH1UWeI5DuFLhS7vEuYPeMYj5b8ZJRxRgzvAbC
Content-Disposition: form-data; name="file"; filename="foo;fred""
Content-Type: application/x-zerosize


------------oGmndDjo85k5RWhIOAH1UWeI5DuFLhS7vEuYPeMYj5b8ZJRxRgzvAbC--

Notice that the filename field (and probably any subsequent field) is now difficult or impossible to parse reliably, and is not compliant with RFC-2183 (see page 2, 'NOTE ON PARAMETER VALUE LENGHTS').

(RFC-2183 references RFC-2045 and RFC-2184. See section 5.1 of RFC-2043 for the definitions of token and tspecials.)

Incidentally, Firefox 1.5.0.4 has the same problem. In Opera 9.00, you can select the file, but when the form is submitted it says it can't find the file, which suggests some ugly path handling issues in Opera. If you play around with quotes and semi-colons in Opera you'll find lots more bugs.