Download files of type Content-disposition: attachment; filename=






















The "Content-disposition" header for each multi-part object is set to "form-data", including the file part. I need the "Content-disposition" header for the form-data parts to still say "form-data", but the "Content-disposition" header for the file part must say "attachment" and not "form-data".

I can specify any other custom header and it will add it, but it does not change the "Content-Disposition" header if I use the approach.

The short answer: Using python-requests, it's not possible, the way it is implemented now. The rf. Calling rf. Add only the default Content-Disposition: form-data if not already in self.

Is followed by a string containing the name of the HTML field in the form that the content of this subpart refers to.

Is followed by a string containing the original name of the file transmitted. The filename is always optional and must not be used blindly by the application: path information should be stripped, and conversion to the server file system rules should be done. This parameter provides mostly indicative information.

However, that pesky content-disposition was preventing us from gaining XSS. However, it uploaded fine and upon requesting the download I got the injected header returned:

Interesting… My first go at bypassing content-disposition was to inject another content-disposition header, hoping the browser would act on the first one: This is due to the injected carriage-return and linefeed which causes the browser to interpret the second, original, content-disposition header as part of the HTTP body, and therefore ignored as a directive to tell the browser to download.

There is an npm package that does the job: content-disposition. If you are not working with multipart body then you can use this function.

How to get file name from content-disposition

Asked 5 years ago. Active 1 month ago. Paul P. Arun Sivan.

What does the console say? Why are you setting window. That will cause the browser to leave the page and just show that URL.

The content-type should be whatever it is known to be, if you know it. RFC also mentions the possibility of extension tokens, and these days most browsers recognise inline to mean you do want the entity displayed if possible (that is, if it's a type the browser knows how to display, otherwise it's got no choice in the matter).

This is of course the default behaviour anyway, but it means that you can include the filename part of the header, which browsers will use perhaps with some adjustment so file-extensions match local system norms for the content-type in question, perhaps not as the suggestion if the user tries to save.

Means "I don't know what the hell this is. Please save it as a file, preferably named picture."

Means "This is a PNG image. Please display it unless you don't know how to display PNG images. Otherwise, or if the user chooses to save it, we recommend the name picture."

Of those browsers that recognise inline some would always use it, while others would use it if the user had selected "save link as" but not if they'd selected "save" while viewing (or at least IE used to be like that, it may have changed some years ago).


