[PATCH]: Attachment download missing 'filename=' in header

[osimons <simon-code@…>]

Following [4946] an important piece of information for downloading attachments disappeared, and at least on IE7 the download/save dialogue is:

• only providing save option, and not the usual 'Open/Run' or 'Save'.
• missing file ending, so if you try to download 'mytool.exe' it will try to save only 'mytool' - having to add the ending manually, and regardless of file type.
• and, it will not recognize the file type, always listing it as 'Unknown File Type'.

Here is tested patch for 0.10-stable:

trac-0.10-stable/trac/attachment.py

@@ -561 +561 @@
                     # Force browser to download files instead of rendering
                     # them, since they might contain malicious code enabling 
                     # XSS attacks
-                    req.send_header('Content-Disposition', 'attachment')
+                    req.send_header('Content-Disposition', 'attachment; ' +
+                                    'filename=' + attachment.filename)
                 if format == 'txt':
                       mime_type = 'text/plain'
                 elif not mime_type:

In all other modules where there is download, this seems to be correct - if the file is placed in htdocs and served through Chrome, it provides correct information. Also trying to download files in original format from wiki, browser and so on.

Patch tested on IE, Firefox, Camino and Safari.

[cboos]

(digging in my mailbox)

(jonas)

(cmlenz)

(jonas' patch)
+ # XSS attacks
+ req.send_header('Content-Disposition', 'attachment')

Why's there no filename parameter for this one?

Since it's not really needed. Browsers fallback on the last segment of the url. And as far as I know all three major browsers expect non-ascii filenames to be escaped in different ways. So there is no good way to generate a valid filename parameter without looking at the user agent string.

So can you test your patch with a filename containing unicode characters, to check whether your patch still works or fails as jonas predicted?

Besides attachments, a similar change occurred in the browser module.

[osimons <simon-code@…>]

Have tested it - uploading a unicode filname from osx, and downloading on pc. The patch works in that it provides the open/run and save buttons, correct filetype and ending and so on.

However, the filename does get a bit garbled - some tiny changes moving between platforms, and more through the open/save dialogue. Without the patch the trac display and windows save filename are the same (only platform-garbling :-).

The same behavior is used at:

• /branches/0.10-stable/trac/mimeview/api.py@4946#L608
• /branches/0.10-stable/trac/ticket/report.py@4869#L510
• /branches/0.10-stable/trac/versioncontrol/web_ui/changeset.py@4207#L527
• /branches/0.10-stable/trac/versioncontrol/web_ui/changeset.py@4207#L589

All of these can have a unicode string as the filename, I suppose.

[osimons]

Wonder what happened to here. Using current current trunk and current IE7 this does not seem to be a problem any more. The Open/Run + Save dialogue looks just fine.

I don't actually know why, but anyway I'm happy to close this as 'worksforme' using latest versions.