filenames in multipart/form-data are not percent decoded

[TimWolla]

Description

For the following form:

<pre>
<?php
var_dump(PHP_VERSION);
var_dump($_FILES);
?>
</pre>

<form method="post" action="test.php" enctype="multipart/form-data">
<input type="file" name="some_file">

<button type="submit">Submit</button>
</form>

Uploading a file called ".txt in Firefox and Chrome

Resulted in this output:

string(5) "8.1.3"
array(1) {
  ["some_file"]=>
  array(6) {
    ["name"]=>
    string(7) "%22.txt"
    ["full_path"]=>
    string(7) "%22.txt"
    ["type"]=>
    string(10) "text/plain"
    ["tmp_name"]=>
    string(14) "/tmp/phpWl5h5S"
    ["error"]=>
    int(0)
    ["size"]=>
    int(0)
  }
}

But I expected this output instead:

string(5) "8.1.3"
array(1) {
  ["some_file"]=>
  array(6) {
    ["name"]=>
    string(5) "".txt"
    ["full_path"]=>
    string(5) "".txt"
    ["type"]=>
    string(10) "text/plain"
    ["tmp_name"]=>
    string(14) "/tmp/phpWl5h5S"
    ["error"]=>
    int(0)
    ["size"]=>
    int(0)
  }
}

---

Because I wasn't sure about the correct behavior myself I've checked with #curl on irc.libera.chat. In the replies I got the following references:

• https://daniel.haxx.se/blog/2021/11/13/fun-multipart-form-data-inconsistencies/
• Inconsistent/Incompatible handling of filename escaping in multipart/form-data compared to RFC 7578 and browsers curl/curl#7789

RFC 7578#2 specifies percent-encoding for use in HTTP

So nowadays special characters, specifically the double quote (") are percent-encoded instead of backslash-encoded and PHP should properly decode those, like it already does for backslash encoding.

PHP Version

8.1.3

Operating System

Docker on Ubuntu 20.04

[cmb69]

Windows user here, so I can't send files with names containing double-quotes, so just to clarify: do UAs send "foo.txt as %22foo.txt? Apparently, %22foo.txt is sent as %22foo.txt, so these file names couldn't be distinguished.

Side note: we probably need to make CURLOPT_MIME_OPTIONS and CURLMIMEOPT_FORMESCAPE available as soon as possible (and possibly default to CURLMIMEOPT_FORMESCAPE for BC reasons).

[TimWolla]

Chrome:

".txt:

%22.txt:

---

For Firefox the behavior is identical.

---

curl 7.68.0:

$ curl -F some_file=@"""\"""".txt 'localhost/test.php'
<pre>
string(5) "8.1.3"
array(1) {
  ["some_file"]=>
  array(6) {
    ["name"]=>
    string(5) "".txt"
    ["full_path"]=>
    string(5) "".txt"
    ["type"]=>
    string(10) "text/plain"
    ["tmp_name"]=>
    string(14) "/tmp/phpTDrjGP"
    ["error"]=>
    int(0)
    ["size"]=>
    int(0)
  }
}
</pre>

<form method="post" action="test.php" enctype="multipart/form-data">
<input type="file" name="some_file">

<button type="submit">Submit</button>
</form>

$ curl -F some_file=@%22.txt 'localhost/test.php'
<pre>
string(5) "8.1.3"
array(1) {
  ["some_file"]=>
  array(6) {
    ["name"]=>
    string(7) "%22.txt"
    ["full_path"]=>
    string(7) "%22.txt"
    ["type"]=>
    string(10) "text/plain"
    ["tmp_name"]=>
    string(14) "/tmp/phpOnB8wQ"
    ["error"]=>
    int(0)
    ["size"]=>
    int(0)
  }
}
</pre>

<form method="post" action="test.php" enctype="multipart/form-data">
<input type="file" name="some_file">

<button type="submit">Submit</button>
</form>

---

curl 7.82.0:

$ curl -F some_file=@"""\"""".txt 'localhost/test.php'
<pre>
string(5) "8.1.3"
array(1) {
  ["some_file"]=>
  array(6) {
    ["name"]=>
    string(7) "%22.txt"
    ["full_path"]=>
    string(7) "%22.txt"
    ["type"]=>
    string(10) "text/plain"
    ["tmp_name"]=>
    string(14) "/tmp/phpCgZLmR"
    ["error"]=>
    int(0)
    ["size"]=>
    int(0)
  }
}
</pre>

<form method="post" action="test.php" enctype="multipart/form-data">
<input type="file" name="some_file">

<button type="submit">Submit</button>
</form>

curl -F some_file=@%22.txt 'localhost/test.php'
<pre>
string(5) "8.1.3"
array(1) {
  ["some_file"]=>
  array(6) {
    ["name"]=>
    string(7) "%22.txt"
    ["full_path"]=>
    string(7) "%22.txt"
    ["type"]=>
    string(10) "text/plain"
    ["tmp_name"]=>
    string(14) "/tmp/php7hBe1L"
    ["error"]=>
    int(0)
    ["size"]=>
    int(0)
  }
}
</pre>

<form method="post" action="test.php" enctype="multipart/form-data">
<input type="file" name="some_file">

<button type="submit">Submit</button>
</form>

[TimWolla]

Apparently, %22foo.txt is sent as %22foo.txt, so these file names couldn't be distinguished.

@cmb69 It appears you are correct here. I'll check with the #curl IRC once more.

[TimWolla]

Apparently, %22foo.txt is sent as %22foo.txt, so these file names couldn't be distinguished.

I've filed a Chrome bug for this: https://bugs.chromium.org/p/chromium/issues/detail?id=1307324

[cmb69]

Well, the WHATWG living "standard" currently claims:

For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence %0A, 0x0D (CR) with %0D and 0x22 (") with %22. The user agent must not perform any other escapes.

So these browsers appear to behave according to that standard (although that standardized behavior makes no sense).

[TimWolla]

although that standardized behavior makes no sense

Yeah, the browsers are probably in the best position to push for an updated standard, though.