Remove RFC 2047 encoding from Content-Disposition filename#36328
Open
tobifasc wants to merge 1 commit intospring-projects:mainfrom
Open
Remove RFC 2047 encoding from Content-Disposition filename#36328tobifasc wants to merge 1 commit intospring-projects:mainfrom
tobifasc wants to merge 1 commit intospring-projects:mainfrom
Conversation
Updates the Content-Disposition header creation logic to use only ISO-8859-1 characters for the fallback 'filename' parameter instead of RFC 2047 encoded strings. Non-compatible characters are replaced with '?'. This does not remove the ability to parse RFC 2047 encoded filenames. Signed-off-by: Tobias Fasching <tobias.fasching@outlook.com>
spring-projects-issues
added
the
status: waiting-for-triage
bclozel
added
the
in: web
bclozel
added
type: bug
shardt68
reviewed
Mar 11, 2026
| } | ||
| return PRINTABLE.get(b); | ||
| private static String toIso88591(String input) { | ||
| return new String(input.getBytes(StandardCharsets.ISO_8859_1)); |
There was a problem hiding this comment.
this would lead to Questionmarks "?" in the propose filename, which is not allowed in most filesystems,
I would rather propose an underline in place of non ascii characters
Suggetion:
// NFD decomposition splits characters like ä into base character 'a' + combining diacritic.
// Removing the combining diacritics (Unicode category Mn) gives a readable ASCII approximation
// (e.g. "Schöne Äpfel" → "Schone Apfel") without resorting to '?' which is a forbidden
// filename character on Windows.
String decomposed = java.text.Normalizer.normalize(input, java.text.Normalizer.Form.NFD);
return decomposed
.replaceAll("\p{InCombiningDiacriticalMarks}", "")
.replaceAll("[^\\x20-\\x7E]", "_");
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Appendix C.1 of RFC 2066 and Section 5 of RFC 2047 describe that an "encoded-word" (as described in RFC 2047) must not be used as parameter of a Content-Disposition header.
The current implementation in
ContentDispositiondoes however encode the fallbackfilenameparameter using the mechanism described in RFC 2047 (given that the charset is set to something other thanUS_ASCII).Related discussion: #29861
This PR updates the Content-Disposition header creation logic to use only ISO-8859-1 characters for the fallback
filenameparameter instead. Non-compatible characters are replaced with?. The "full" filename is still present in thefilename*parameter.This does not remove the ability to parse RFC 2047 encoded headers.