Ignore empty parts when parsing Content-Disposition header (#11243)

PLPeeters · web-flow · commit f01cb5e16147 · 2025-06-29T00:00:42.000+01:00
diff --git a/CHANGES/11243.bugfix b/CHANGES/11243.bugfix
@@ -0,0 +1,2 @@
+Updated `Content-Disposition` header parsing to handle trailing semicolons and empty parts
+-- by :user:`PLPeeters`.
diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
@@ -114,6 +114,10 @@ def unescape(text: str, *, chars: str = "".join(map(re.escape, CHAR))) -> str:
     while parts:
         item = parts.pop(0)
 
+        if not item:  # To handle trailing semicolons
+            warnings.warn(BadContentDispositionHeader(header))
+            continue
+
         if "=" not in item:
             warnings.warn(BadContentDispositionHeader(header))
             return None, {}
diff --git a/tests/test_client_response.py b/tests/test_client_response.py
@@ -17,6 +17,7 @@
 from aiohttp.client_reqrep import ClientResponse, RequestInfo
 from aiohttp.connector import Connection
 from aiohttp.helpers import TimerNoop
+from aiohttp.multipart import BadContentDispositionHeader
 
 
 class WriterMock(mock.AsyncMock):
@@ -996,6 +997,34 @@ def test_content_disposition_no_parameters() -> None:
     assert {} == response.content_disposition.parameters
 
 
+@pytest.mark.parametrize(
+    "content_disposition",
+    (
+        'attachment; filename="archive.tar.gz";',
+        'attachment;; filename="archive.tar.gz"',
+    ),
+)
+def test_content_disposition_empty_parts(content_disposition: str) -> None:
+    response = ClientResponse(
+        "get",
+        URL("http://def-cl-resp.org"),
+        request_info=mock.Mock(),
+        writer=WriterMock(),
+        continue100=None,
+        timer=TimerNoop(),
+        traces=[],
+        loop=mock.Mock(),
+        session=mock.Mock(),
+    )
+    h = {"Content-Disposition": content_disposition}
+    response._headers = CIMultiDictProxy(CIMultiDict(h))
+
+    with pytest.warns(BadContentDispositionHeader):
+        assert response.content_disposition is not None
+        assert "attachment" == response.content_disposition.type
+        assert "archive.tar.gz" == response.content_disposition.filename
+
+
 def test_content_disposition_no_header() -> None:
     response = ClientResponse(
         "get",

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Updated `Content-Disposition` header parsing to handle trailing semicolons and empty parts
	`2`	+-- by :user:`PLPeeters`.