[Dspace-devel] [DuraSpace JIRA] (DS-1422) Duplicate Headers when bitstream has a comma in the title (Chrome)


Jonathan Blood (DuraSpace JIRA)

Aug 20, 2015, 12:46:39 PM
to dspace...@lists.sourceforge.net

[ https://jira.duraspace.org/browse/DS-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=27749#comment-27749 ]

Jonathan Blood commented on DS-1422:
------------------------------------

Hi Margaret,

The solution I mentioned in the comment above (surrounding the name of the file in quotes) solved the issue.
So for example:
response.setHeader("Content-Disposition", "attachment;filename=" + name);
to
response.setHeader("Content-Disposition", "attachment;filename=\"" + name + "\"");

This should be changed throughout the DSpace application. However, to resolve it quickly for file downloads, I just made the change in dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/cocoon/BitstreamReader.java

Hope this helps,
Jonathan

> Duplicate Headers when bitstream has a comma in the title (Chrome)
> -------------------------------------------------------------------
>
> Key: DS-1422
> URL: https://jira.duraspace.org/browse/DS-1422
> Project: DSpace
> Issue Type: Bug
> Components: JSPUI, XMLUI
> Affects Versions: 1.6.0, 1.8.0, 3.0
> Reporter: Jonathan Blood
> Priority: Major
> Labels: has-patch
>
> So the error:
> Duplicate headers received from server
> The response from the server contained duplicate headers. This problem is generally the result of a misconfigured website or proxy. Only the website or proxy administrator can fix this issue.
> Error 349 (net::ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION): Multiple distinct Content-Disposition headers received. This is disallowed to protect against HTTP response splitting attacks.
> How to reproduce this error:
> The error only happens on Chrome.
> On XMLUI or JSPUI.
> - Upload a file that contains a comma in the title.
> - Go to the item view page for the item.
> - On this page it should list the bitstreams. Download the bitstream with the comma in the title.
> - This should produce the above error.
> I think you need to ensure that the file is one that will be downloaded and not one viewed in the browser for the error to occur.
> The affected versions I listed are the versions I've tested. But I'd assume this is an issue with all of them.
> Does anyone have a fix for this issue?
> I've noticed this problem on other software such as http://tracker.moodle.org/browse/MDL-32889
> I've attempted the fix that was applied to Moodle on DSpace, i.e. enclosing the filename in quotes
> such as:
> response.setHeader("Content-Disposition", "attachment;filename=" +'"' + name + '"');

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Margaret Vail (DuraSpace JIRA)

Aug 20, 2015, 12:46:40 PM
to dspace...@lists.sourceforge.net

Jonathan Blood (DuraSpace JIRA)

Aug 20, 2015, 1:16:23 PM
to dspace...@lists.sourceforge.net

[ https://jira.duraspace.org/browse/DS-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=27250#comment-27250 ]

Jonathan Blood commented on DS-1422:
------------------------------------

I seem to have resolved the issue for JSPUI; I'm still working on XMLUI and I'll upload a patch with the changes I've made.
Enclosing quotes around the filename was the solution for resolving the issue with JSPUI.
So changes looked like:
response.setHeader("Content-Disposition", "attachment;filename=" + name);
to
response.setHeader("Content-Disposition", "attachment;filename=\"" + name + "\"");

> Duplicate Headers when bitstream has a comma in the title. (Chrome)
> --------------------------------------------------------------------
>
> Key: DS-1422
> URL: https://jira.duraspace.org/browse/DS-1422
> Project: DSpace
> Issue Type: Bug
> Components: JSPUI, XMLUI
> Affects Versions: 1.6.0, 1.8.0, 3.0
> Reporter: Jonathan Blood
> Priority: Major
>

Ivan Masár (DuraSpace JIRA)

Aug 20, 2015, 1:18:15 PM
to dspace...@lists.sourceforge.net

[ https://jira.duraspace.org/browse/DS-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ivan Masár updated DS-1422:
---------------------------

Summary: Duplicate Headers when bitstream has a comma in the title (Chrome) (was: Duplicate Headers when bitstream has a comma in the title. (Chrome) )

> Duplicate Headers when bitstream has a comma in the title (Chrome)
> -------------------------------------------------------------------
>
> Key: DS-1422
> URL: https://jira.duraspace.org/browse/DS-1422
> Project: DSpace
> Issue Type: Bug
> Components: JSPUI, XMLUI
> Affects Versions: 1.6.0, 1.8.0, 3.0
> Reporter: Jonathan Blood
> Priority: Major
> Labels: has-patch

Ivan Masár (DuraSpace JIRA)

Aug 20, 2015, 1:24:53 PM
to dspace...@lists.sourceforge.net
Labels: has-patch (was: )

Margaret Vail (DuraSpace JIRA)

Aug 20, 2015, 1:27:34 PM
to dspace...@lists.sourceforge.net

[ https://jira.duraspace.org/browse/DS-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=27747#comment-27747 ]

Margaret Vail commented on DS-1422:
-----------------------------------

Hi Jonathan,

I'm having the same problem and we are using the XMLUI interface. I was wondering if you had any luck finding a solution.

Thanks,

Margaret

Samuel Ottenhoff (DuraSpace JIRA)

Aug 20, 2015, 2:09:30 PM
to dspace...@lists.sourceforge.net

Ivan Masár (DuraSpace JIRA)

Aug 20, 2015, 2:11:03 PM
to dspace...@lists.sourceforge.net
Ivan Masár closed Bug DS-1422 as Fixed
Today's DevMtg discussion:

[20:55] <mhwood> DS-1422: looks right.
[20:55] <PeterDietz> I'm wondering if we want to surround filename with quotes, or use some type of StringUtils.escapeSomething(...)
[20:55] <helix84> DS-1422 seems to have 2 non-committer confirmations. Do we still want to confirm it ourselves?
[20:56] <mhwood> Looks like the MIME spec should tell us what to do here?
[20:56] <PeterDietz> It looks like a pretty standard fix though
[20:58] <helix84> Seems like we'll be better off than we were if we accept it (it's mentioned that Moodle solves it this way). If there are more concerns about a generic solution, we could then revisit it.
[20:58] <PeterDietz> I'm fine with this as-is
[20:58] <bollini> +1 too
[20:59] <helix84> ok, I'll go ahead and push the button
Change By: Ivan Masár (25/Sep/13 9:03 PM)
Resolution: Fixed
Fix Version/s: 4.0
Assignee: Ivan Masár
Status: Closed (was: Code Review Needed)
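
The thread settles on wrapping the filename in quotes and leaves open whether the name should also be escaped. The Java sketch below is an added example, not code from the DSpace patch or from any poster: the `attachment` helper and the sample names are hypothetical and constructed for illustration. It builds the header value as an RFC 6266 quoted-string, backslash-escapes `"` and `\`, drops CR/LF and other control characters so a stored name cannot terminate the header line, and adds an RFC 5987 `filename*` parameter for non-ASCII names.

```java
import java.nio.charset.StandardCharsets;

public class ContentDispositionExample {
    // RFC 5987 attr-char: bytes that may appear unencoded in filename*
    private static final String ATTR_CHARS =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$&+-.^_`|~";

    /** Hypothetical helper (not a DSpace API): returns a Content-Disposition value. */
    static String attachment(String name) {
        // Drop CR, LF and other control characters so the name cannot end the header line.
        String clean = name.replaceAll("[\\x00-\\x1f\\x7f]", "");

        // filename="...": ASCII quoted-string; '"' and '\' become quoted-pairs,
        // non-ASCII characters are replaced by '_' in this fallback parameter.
        StringBuilder quoted = new StringBuilder();
        for (char c : clean.toCharArray()) {
            if (c == '"' || c == '\\') quoted.append('\\').append(c);
            else quoted.append(c < 0x7f ? c : '_');
        }

        // filename*=UTF-8''...: percent-encode every byte outside attr-char.
        StringBuilder ext = new StringBuilder();
        for (byte b : clean.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xff;
            if (ATTR_CHARS.indexOf(v) >= 0) ext.append((char) v);
            else ext.append(String.format("%%%02X", v));
        }
        return "attachment; filename=\"" + quoted + "\"; filename*=UTF-8''" + ext;
    }

    public static void main(String[] args) {
        // Constructed sample names: comma, quote and backslash, CR/LF, non-ASCII.
        String[] samples = {
            "report, final.pdf",
            "a\"b\\c.txt",
            "x.pdf\r\nX-Injected: 1",
            "r\u00e9sum\u00e9.pdf"
        };
        for (String s : samples) {
            System.out.println(attachment(s));
        }
    }
}
```

With quoting alone, a name containing `"` would close the quoted-string early; the escaping step covers that case, and the comma case from the bug report stays inside the quotes.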