Reject invalid percent-encoding in ISO-8859-1 ext-value#138
Open
spokodev wants to merge 2 commits into
Open
Conversation
decodeExtended() enforces strict percent-encoding for UTF-8 ext-values
(a "%" not followed by two hex digits makes decodeURIComponent throw, so
the value is rejected) but the ISO-8859-1 path kept the literal "%" and
returned a value. RFC 8187 3.2.1 defines pct-encoded = "%" HEXDIG HEXDIG
for both charsets, so a malformed "%" is non-conformant regardless of
charset.
Because a successfully decoded filename* overrides filename (RFC 6266
4.3), the lenient path let a malformed ISO-8859-1 filename* clobber a
valid filename fallback:
parse('attachment; filename="invoice.pdf"; '
+ "filename*=ISO-8859-1''report%2").parameters.filename
// before: 'report%2' after: 'invoice.pdf'
Make decodeHexEscapes return undefined on malformed percent-encoding,
matching the UTF-8 path, so an unprocessable ext-value is ignored.
blakeembrey
reviewed
Jun 23, 2026
blakeembrey
left a comment
Member
There was a problem hiding this comment.
LGTM, but can you correct the formatting so tests pass?
| // malformed percent-encoding: reject per RFC 8187 3.2.1, matching the | ||
| // UTF-8 path, so the unprocessable ext-value is ignored | ||
| return undefined; | ||
| } |
Member
There was a problem hiding this comment.
Prefer to return early, e.g. if (idx + 2 > str.length || !isHexDegit(...) || ...) return undefined first and avoid the need for an else.
Author
|
Done - the failing check was prettier on the new test line; reformatted it (single quote + wrapped to printWidth), no logic change. Tests pass now. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
decodeExtended()handles a malformed percent-encoding (a%not followed by two hex digits) inconsistently between the two RFC 8187 charsets:decodeURIComponentthrows → the value is rejected (undefined).decodeHexEscapes) → keeps the literal%and returns a string.RFC 8187 §3.2.1 defines
value-chars = *( pct-encoded / attr-char )withpct-encoded = "%" HEXDIG HEXDIG, andattr-chardoes not include%, so a bare or short%is non-conformant for both charsets; the two paths should behave the same.Because a successfully decoded
filename*overridesfilename(RFC 6266 §4.3), the lenient ISO-8859-1 path lets a malformedfilename*clobber a validfilenamefallback:This asymmetry was introduced in #127, which tightened only the UTF-8 branch.
Fix
Make
decodeHexEscapesreturnundefinedon a malformed percent-encoding, mirroring the UTF-8 path.decodeExtendedalready propagatesundefined, so the unprocessable ext-value is ignored and thefilenamefallback is preserved. Valid percent-encoding and bare-ASCII ext-values are unaffected.Verification
filename*is ignored, and a validfilenamefallback is preserved. Both fail on the base branch and pass with the fix.