Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

send_file not inserting quote around filename #2827

Closed
Timmy93 opened this issue Jan 3, 2024 · 4 comments
Closed

send_file not inserting quote around filename #2827

Timmy93 opened this issue Jan 3, 2024 · 4 comments

Comments

@Timmy93
Copy link

Timmy93 commented Jan 3, 2024

Overview

The function send_file does not insert quotes around the filename in the Content-Disposition header when the sent file does not have spaces. (See here for MDN docs)
This causes browser (tested on Windows 11 - last version to date of Firefox and Chrome) to download the file with a blank name (respectively as undefined and undefined.txt)

To recap:

  • when test.pdf is sent with send_file the following Content-Disposition header is set to: attachment; filename=test.pdf -> Correct file is sent but with wrong filename
  • when test 1.pdf is sent with send_file the following Content-Disposition header is set to: attachment; filename="test 1.pdf" -> Works perfectly

Bug replication

Send a file without spaces in name:

from flask import Flask, send_file
app = Flask(__name__)

filepath = "test.pdf"
  if filepath:
    response = send_file(filepath, as_attachment=True)

Expected behavior:

  • when test.pdf is sent with send_file the following Content-Disposition header is set to: attachment; filename="test.pdf"
  • when test 1.pdf is sent with send_file the following Content-Disposition header is set to: attachment; filename="test 1.pdf"

Environment:

  • Python version: 3.11
  • Flask version: 3.0.0
  • Waitress: 2.1.2
@davidism davidism transferred this issue from pallets/flask Jan 4, 2024
@Sympatron
Copy link
Contributor

The problem comes from these lines in quote_header_value:

werkzeug/src/werkzeug/http.py

Lines 165 to 169 in d3dd65a

if allow_token:
token_chars = _token_chars
if token_chars.issuperset(value):
return value

This is used called from dump_options_header.

Do you know if this is true for all headers? If yes, it may be safer to default to allow_token = False.
If not dump_options_header, _options_header_vkw and Headers.set should accept allow_token and pass it on.

@Timmy93
Copy link
Author

Timmy93 commented Jan 25, 2024

Honestly I don't know, manually adding the quotes using a regex fixed the problem, but I imagine it is not the correct solution, it's just a workaround.

@davidism
Copy link
Member

davidism commented May 5, 2024
edited

I can't reproduce this issue. Sending a filename without spaces is downloaded with the correct filename by Firefox, Vivaldi (Chrome), and Safari. The Content-Disposition filename parameter can be either unquoted token chars, or a quoted string if needed, https://httpwg.org/specs/rfc6266.html#header.field.definition, both are valid.

@davidism davidism closed this as completed May 5, 2024
@Timmy93
Copy link
Author

Timmy93 commented May 8, 2024

The problem can be reproduced if you set your language to italian and you try firefox to download any file like "test.pdf"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@davidism @Timmy93 @Sympatron