The previous state was that rack used a simplistic regular expression that didn’t match either the RFC or what browsers actually sent. What the new code does is first try to strictly follow RFC 2183. When that fails, it tries to follow what browsers actually do. And in this case, what browsers actually do is slap quotes around the file name, independent of whether the file name contains backslashes or quotes. A notable exception to this is recent versions of Chrome.
Revising the specification of how Content-Disposition works in HTTP is on my TODO list. Feedback would be appreciated. See
1) [link] (publication requested as Standards Track RFC)
Speaking of slapping quotes around things regardless of whether they have quotes or backslashes... I did that in the first version of some scala code I wrote a couple weeks ago, and then I actually tackled the problem properly. I’m pretty happy with the results. check out the grind() function in [link] . I guess I should beef up the doc comment...
In Ruby, I simply call inspect on the string to get the double quoted string.
Unfortunately in Python, repr prefers single quotes, but will switch to double quotes if the string in question has single quotes but no double quotes. Still, that’s generally fine for system calls and the like...
Safari and Firefox also gleefully upload files which contain an embedded newline, with newline in the content-disposition filename. I wrote up something about this ([link]). In the comments are some of the relevant issue numbers in Firefox, which were added to the tracker many years ago.
Opera, btw, refused to allow me to use evil filenames, but it wasn’t very clear about what the problem was.