fix(fetch): prefer filename* over filename in multipart form-data (#5068)

maruthang · web-flow · commit f6c5ddab02e8 · 2026-04-19T22:38:53.000+02:00
diff --git a/lib/web/fetch/formdata-parser.js b/lib/web/fetch/formdata-parser.js
@@ -204,7 +204,7 @@ function multipartFormDataParser (input, mimeType) {
  * Parses content-disposition attributes (e.g., name="value" or filename*=utf-8''encoded)
  * @param {Buffer} input
  * @param {{ position: number }} position
- * @returns {{ name: string, value: string }}
+ * @returns {{ name: string, value: string, extended: boolean } | null}
  */
 function parseContentDispositionAttribute (input, position) {
   // Skip leading semicolon and whitespace
@@ -304,7 +304,7 @@ function parseContentDispositionAttribute (input, position) {
     value = decoder.decode(tokenValue)
   }
 
-  return { name: attrNameStr, value }
+  return { name: attrNameStr, value, extended: isExtended }
 }
 
 /**
@@ -368,6 +368,9 @@ function parseMultipartFormDataHeaders (input, position) {
     switch (bufferToLowerCasedHeaderName(headerName)) {
       case 'content-disposition': {
         name = filename = null
+        // Track whether filename was set from the extended (RFC 5987) form so
+        // a subsequent legacy `filename` attribute does not override it.
+        let filenameIsExtended = false
 
         // Collect the disposition type (should be "form-data")
         const dispositionType = collectASequenceOfBytes(
@@ -395,7 +398,15 @@ function parseMultipartFormDataHeaders (input, position) {
           if (attribute.name === 'name') {
             name = attribute.value
           } else if (attribute.name === 'filename') {
-            filename = attribute.value
+            // Per RFC 5987 §4.1, when both legacy and extended forms of the
+            // same parameter are present, the extended (filename*) form takes
+            // precedence regardless of the order they appear in.
+            if (attribute.extended) {
+              filename = attribute.value
+              filenameIsExtended = true
+            } else if (!filenameIsExtended) {
+              filename = attribute.value
+            }
           }
         }
 
diff --git a/test/busboy/issue-4661.js b/test/busboy/issue-4661.js
@@ -0,0 +1,102 @@
+'use strict'
+
+const { test } = require('node:test')
+const { Request } = require('../..')
+
+const boundary = '1df6c75e-c5a7-486c-af47-67b632b19522'
+const contentType = `multipart/form-data; boundary=${boundary}`
+
+// https://github.com/nodejs/undici/issues/4661
+test('content-disposition allows both filename and filename* parameters', async (t) => {
+  const request = new Request('http://localhost', {
+    method: 'POST',
+    headers: { 'Content-Type': contentType },
+    body:
+      `--${boundary}\r\n` +
+      'Content-Disposition: form-data; name="Abc"; filename="E 1962 029 1342-0003.JPG"; filename*=utf-8\'\'E%201962%20029%201342-0003.JPG\r\n' +
+      '\r\n' +
+      'Hello\r\n' +
+      `--${boundary}--`
+  })
+
+  const fd = await request.formData()
+  const file = fd.get('Abc')
+  t.assert.ok(file instanceof File)
+  t.assert.strictEqual(file.name, 'E 1962 029 1342-0003.JPG')
+  t.assert.strictEqual(await file.text(), 'Hello')
+})
+
+test('filename* (RFC 5987) without legacy filename is parsed correctly', async (t) => {
+  const request = new Request('http://localhost', {
+    method: 'POST',
+    headers: { 'Content-Type': contentType },
+    body:
+      `--${boundary}\r\n` +
+      'Content-Disposition: form-data; name="Abc"; filename*=utf-8\'\'only-extended.txt\r\n' +
+      '\r\n' +
+      'Hello\r\n' +
+      `--${boundary}--`
+  })
+
+  const fd = await request.formData()
+  const file = fd.get('Abc')
+  t.assert.ok(file instanceof File)
+  t.assert.strictEqual(file.name, 'only-extended.txt')
+})
+
+test('filename* takes precedence over filename when both are present', async (t) => {
+  // Per RFC 5987 §4.1, when both extended and non-extended forms of the
+  // same parameter appear, the extended form is preferred regardless of order.
+  const request = new Request('http://localhost', {
+    method: 'POST',
+    headers: { 'Content-Type': contentType },
+    body:
+      `--${boundary}\r\n` +
+      'Content-Disposition: form-data; name="Abc"; filename*=utf-8\'\'extended.txt; filename="legacy.txt"\r\n' +
+      '\r\n' +
+      'Hello\r\n' +
+      `--${boundary}--`
+  })
+
+  const fd = await request.formData()
+  const file = fd.get('Abc')
+  t.assert.ok(file instanceof File)
+  t.assert.strictEqual(file.name, 'extended.txt')
+})
+
+test('filename* takes precedence when filename appears first', async (t) => {
+  const request = new Request('http://localhost', {
+    method: 'POST',
+    headers: { 'Content-Type': contentType },
+    body:
+      `--${boundary}\r\n` +
+      'Content-Disposition: form-data; name="Abc"; filename="legacy.txt"; filename*=utf-8\'\'extended.txt\r\n' +
+      '\r\n' +
+      'Hello\r\n' +
+      `--${boundary}--`
+  })
+
+  const fd = await request.formData()
+  const file = fd.get('Abc')
+  t.assert.ok(file instanceof File)
+  t.assert.strictEqual(file.name, 'extended.txt')
+})
+
+test('filename* with percent-encoded UTF-8 bytes is decoded', async (t) => {
+  // %E2%82%AC = U+20AC (€), %20 = space
+  const request = new Request('http://localhost', {
+    method: 'POST',
+    headers: { 'Content-Type': contentType },
+    body:
+      `--${boundary}\r\n` +
+      'Content-Disposition: form-data; name="Abc"; filename*=UTF-8\'\'%E2%82%AC%20rates.txt\r\n' +
+      '\r\n' +
+      'Hello\r\n' +
+      `--${boundary}--`
+  })
+
+  const fd = await request.formData()
+  const file = fd.get('Abc')
+  t.assert.ok(file instanceof File)
+  t.assert.strictEqual(file.name, '\u20AC rates.txt')
+})
