Do RFC standards require the filename value for MIME attachment to be encapsulated in quotes?

会有一股神秘感。 提交于 2021-02-08 03:00:49

问题


I have two conflicting sections of code. One produces:

Content-Type: text/html; name=foo_foo2.blah
Content-Disposition: attachment; filename=foo_foo2.blah

Another produces:

Content-Type: text/html; name="foo_foo2.blah"
Content-Disposition: attachment; filename="foo_foo2.blah"

The one without quotes is resulting in unexpected behavior by a receiving application. Are quotes required?

In RFC 2183 I don't see an explicit requirement:

In the extended BNF notation of [RFC 822], the Content-Disposition
header field is defined as follows:

 disposition := "Content-Disposition" ":"
                disposition-type
                *(";" disposition-parm)

 disposition-type := "inline"
                   / "attachment"
                   / extension-token
                   ; values are not case-sensitive

 disposition-parm := filename-parm
                   / creation-date-parm
                   / modification-date-parm
                   / read-date-parm
                   / size-parm
                   / parameter

 filename-parm := "filename" "=" value

 creation-date-parm := "creation-date" "=" quoted-date-time

 modification-date-parm := "modification-date" "=" quoted-date-time

 read-date-parm := "read-date" "=" quoted-date-time

 size-parm := "size" "=" 1*DIGIT

 quoted-date-time := quoted-string
                  ; contents MUST be an RFC 822 `date-time'
                  ; numeric timezones (+HHMM or -HHMM) MUST be used

Perhaps I'm blind though. Can someone please confirm?


回答1:


Just below the BNF is this passage:

`Extension-token', `parameter', `tspecials' and `value' are defined according to [RFC 2045] (which references [RFC 822] in the definition of some of these tokens). `quoted-string' and `DIGIT' are defined in [RFC 822].

2045 has this definition in section 5.1 (which however describes Content-type:):

  value := token / quoted-string

 token := 1*<any (US-ASCII) CHAR except SPACE, CTLs,
             or tspecials>

 tspecials :=  "(" / ")" / "<" / ">" / "@" /
               "," / ";" / ":" / "\" / <">
               "/" / "[" / "]" / "?" / "="
               ; Must be in quoted-string,
               ; to use within parameter values

So a filename which is a token does not need to be quoted; but if it contains any of the tspecials (or control characters or whitespace), you need to quote it after all.

Just to specifically address the case of underscore, it is not a character which requires quoting according to the RFC (it's not control, whitespace, or enumerated as one of the tspecials), but the way things are in the wild, you are probably better off quoting everything just in case. (Shall we call this anti-Postel? Be unduly conervative about what you transmit, and don't be too liberal in what you think you can infer about obviously invalid input.)

As a bit of an aside, MIME filenames in email are in practice completely the Wild West; a lot of popular applications simply ignore RFC2231 and use RFC2047 encoding here instead, or no encoding, or completely their own ad hoc "I thought this might work and nobody has complained" concoctions.




回答2:


No, it is not required.

rfc2183 states:

`Extension-token', `parameter', `tspecials' and `value' are defined
according to [RFC 2045] (which references [RFC 822] in the definition
of some of these tokens).  `quoted-string' and `DIGIT' are defined in
[RFC 822].

and rfc2045 defines value as the following:

value := token / quoted-string

token := 1*<any (US-ASCII) CHAR except SPACE, CTLs,
            or tspecials>

tspecials :=  "(" / ")" / "<" / ">" / "@" /
              "," / ";" / ":" / "\" / <">
              "/" / "[" / "]" / "?" / "="
              ; Must be in quoted-string,
              ; to use within parameter values

This means that the filename parameter does not need to be quoted as long as it fits within the definition of a token.

That said, adding quotes around the filename parameter is probably a good way of increasing compatibility with existing software. As you've discovered, not all software implements these specifications properly, often making (incorrect) assumptions about what the format is.




回答3:


As an aside

From RFC2183

filename-parm := "filename" "=" value


token := 1*<any (US-ASCII) CHAR except SPACE, CTLs,
             or tspecials>

From RFC2045

value := token / quoted-string

tspecials :=  "(" / ")" / "<" / ">" / "@" /
                "," / ";" / ":" / "\" / <">
                "/" / "[" / "]" / "?" / "="
                ; Must be in quoted-string,
                ; to use within parameter values

From RFC822

SPACE       =  <ASCII SP, space>            ; (     40,      32.)
CTL         =  <any ASCII control           ; (  0- 37,  0.- 31.)
                character and DEL>          ; (    177,     127.)

Doesn't that mean that a header such as

Content-Disposition: attachment; filename=ja    r.jar

with a HTAB (horizontal tab) character smack in the middle of jar.jar is a valid header which doesn't require me to quote ja r.jar with double quotes?



来源:https://stackoverflow.com/questions/48347574/do-rfc-standards-require-the-filename-value-for-mime-attachment-to-be-encapsulat

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!