Uploaded image for project: 'Pentaho Reporting and Pentaho Report Designer'
  1. Pentaho Reporting and Pentaho Report Designer
  2. PRD-3824

Content-Disposition Header violates RFC spec



    • Type: Bug
    • Status: Closed
    • Severity: Medium
    • Resolution: Incomplete
    • Affects Version/s: 3.9.0 GA (4.5.0 GA Suite Release)
    • Fix Version/s: Backlog
    • Labels:
    • Environment:
      Chrome 16 - 18
    • Notice:
      When an issue is open, the "Fix Version/s" field conveys a target, not necessarily a commitment. When an issue is closed, the "Fix Version/s" field conveys the version that the issue was fixed in.
    • Browser:
      Google Chrome 10.x
    • Operating System/s:
      Mac OSX, Windows 7 (64-bit), Windows Server 2008 (32-bit), Windows Server 2008 R2 (64-bit)


      When viewing a report and attempting to output it as PDF whose name contains commas, the following error is thrown Chrome 16 - 18:

      "Error 349 (net::ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION): Multiple distinct Content-Disposition headers received. This is disallowed to protect against HTTP response splitting attacks."

      The relevant response headers received are:

      Content-Disposition: inline;filename=Location_Summary_-Applicant_City,_St,_Country.pdf
      Content-Type: application/pdf;charset=UTF-8
      Date Wed, 09 May 2012 16:55:32 GMT
      Server: Apache-Coyote/1.1
      Transfer-Encoding: chunked

      The spec specifically states:

      content-disposition = "Content-Disposition" ":"
      disposition-type *( ";" disposition-parm )
      disposition-type = "attachment" | disp-extension-token
      disposition-parm = filename-parm | disp-extension-parm
      filename-parm = "filename" "=" quoted-string
      disp-extension-token = token
      disp-extension-parm = token "=" ( token | quoted-string )

      Since the filename attribute of the Content-Disposition header is not a quoted string, Chrome parses it to be multiple dispositions and a violation of the spec. Chromium recently made a change attempting to enforce stricter adherence to the HTTP spec, but have since back-pedaled. This is an issue that may eventually be mitigated by that back-pedaling from Chromium developers, but Pentaho should still honor the nature of the spec in case the browser vendors come together and adhere to the spec in the future.

      The version I tested this issue on is Pentaho 4.5.0 Community Edition (4.5.0-stable) downloaded from SourceForge on May 7th, 2011. The engine version is: 3.9.0-GA.15546

      The Chromium bug can be found here: http://code.google.com/p/chromium/issues/detail?id=103618
      The relevant spec can be found here: http://www.ietf.org/rfc/rfc2616.txt




            jpearson Jesse Pearson
            jpearson Jesse Pearson
            0 Vote for this issue
            2 Start watching this issue