Missing handling of quoted characters in Content-Disposition filename #151

Open
JornWildt opened this issue Aug 23, 2018 · 2 comments

@JornWildt

I was trying to pass a filename containing quotes like this:

```http
POST .../test/multipartformdata-file HTTP/1.1
Accept: text/plain
Content-Type: multipart/form-data; boundary=79d4cda6-ba2a-42b1-9577-af404780482e


--79d4cda6-ba2a-42b1-9577-af404780482e
Content-Disposition: form-data; name="DataFile"; filename="B\"all\"e.txt"

blah ... blah ... blah
```

But ContentDispositionHeader.ParseParameter() does not handle escape characters, so it does not work:

```csharp
private KeyValuePair<string,string> ParseParameter(string fragment)
{
    var equalIndex = fragment.IndexOf('=');
    if (equalIndex == -1)
        throw new FormatException();
    var key = fragment.Substring(0, equalIndex).Trim();
    var beginningValue = fragment.IndexOf('"',equalIndex+1);
    if (beginningValue == -1)
        throw new FormatException();
    var endValue = fragment.IndexOf('"',beginningValue+1);
    if (endValue == -1)
        throw new FormatException();

    return new KeyValuePair<string, string>(key, fragment.Substring(beginningValue+1, endValue-beginningValue-1));
}
```

I am not absolutely sure about the validity, but as I read the RFCs, the Content-Disposition filename is a quoted-string as described in https://tools.ietf.org/html/rfc2616#section-2.2 (see also https://tools.ietf.org/html/rfc6266#section-4.3).
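
An added example, not part of the original issue or the project's code: a parameter parser that follows the quoted-string grammar from RFC 2616 section 2.2, so a backslash escapes the next character and only an unescaped quote ends the value. For the request above, the `IndexOf`-based code stops at the first escaped quote and yields `B\`. The class and method names are hypothetical, `fragment` is assumed to hold exactly one `name=value` parameter, and the unquoted token branch goes beyond the case in the issue.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

static class QuotedStringParameter // hypothetical name, not an OpenRasta type
{
    public static KeyValuePair<string, string> Parse(string fragment)
    {
        var equalIndex = fragment.IndexOf('=');
        if (equalIndex == -1)
            throw new FormatException("Missing '=' in parameter.");
        var key = fragment.Substring(0, equalIndex).Trim();
        var raw = fragment.Substring(equalIndex + 1).Trim();
        if (raw.Length == 0)
            throw new FormatException("Empty parameter value.");

        // Unquoted token value: RFC 6266 allows token as well as quoted-string.
        if (raw[0] != '"')
            return new KeyValuePair<string, string>(key, raw);

        var value = new StringBuilder();
        for (var i = 1; i < raw.Length; i++)
        {
            var c = raw[i];
            if (c == '\\')
            {
                // quoted-pair: the backslash escapes exactly one following character.
                if (++i >= raw.Length)
                    throw new FormatException("Dangling backslash in quoted-string.");
                value.Append(raw[i]);
            }
            else if (c == '"')
            {
                // An unescaped quote closes the string; reject trailing text.
                if (i != raw.Length - 1)
                    throw new FormatException("Unexpected text after closing quote.");
                return new KeyValuePair<string, string>(key, value.ToString());
            }
            else value.Append(c);
        }
        throw new FormatException("Unterminated quoted-string.");
    }

    static void Main()
    {
        // Constructed input: the filename parameter from the request in this issue.
        var p = Parse(" filename=\"B\\\"all\\\"e.txt\"");
        Console.WriteLine($"{p.Key} = {p.Value}");
    }
}
```

Whatever splits the header into parameters before this step has to respect quoting in the same way, otherwise a `;` or `"` inside the filename still produces a mis-parsed fragment.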

@serialseb
Member

Need to port over the tests from sina in the OR codebase, as sina itself never quite got implemented. For reference, test cases are here: http://test.greenbytes.de/tech/tc2231/

We'll try and get it fixed in preview 3

@holytshirt
Member

Had a quick look at this and it's the regex we use to parse the Content-Disposition header :/
