Skip to content

util

Functions:

extract_filename_from_content_disposition 

extract_filename_from_content_disposition(header: str) -> str | None

Extract filename from Content-Disposition header.

Supports both filename= and RFC 5987 filename*=; prefers filename*= when present. Returned filenames are sanitized to prevent path traversal.

Source code in rdflib/contrib/graphdb/util.py 
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
def extract_filename_from_content_disposition(header: str) -> str | None:
    """Extract filename from Content-Disposition header.

    Supports both ``filename=`` and RFC 5987 ``filename*=``; prefers ``filename*=``
    when present. Returned filenames are sanitized to prevent path traversal.
    """
    if not header:
        return None

    filename_star: str | None = None
    filename_plain: str | None = None

    for part in header.split(";"):
        part = part.strip()
        lower = part.lower()
        if lower.startswith("filename*="):
            value = part[len("filename*=") :].strip()
            value = value.strip().strip("\"'")
            try:
                charset, rest = value.split("'", 1)
                _language, encoded = rest.split("'", 1)
            except ValueError:
                charset = "utf-8"
                encoded = value
            try:
                raw = urllib.parse.unquote_to_bytes(encoded)
                decoded = raw.decode(charset, errors="replace")
            except LookupError:
                raw = urllib.parse.unquote_to_bytes(encoded)
                decoded = raw.decode("utf-8", errors="replace")
            filename_star = sanitize_filename(decoded)
        elif lower.startswith("filename="):
            value = part[len("filename=") :].strip()
            filename_plain = sanitize_filename(value)

    return filename_star or filename_plain

infer_filename_from_fileobj 

infer_filename_from_fileobj(file_obj: Any, fallback: str) -> str

Infer a safe filename from a file-like object’s .name attribute.

Source code in rdflib/contrib/graphdb/util.py 
55
56
57
58
59
60
61
62
def infer_filename_from_fileobj(file_obj: t.Any, fallback: str) -> str:
    """Infer a safe filename from a file-like object's ``.name`` attribute."""
    name = getattr(file_obj, "name", None)
    if isinstance(name, str) and name:
        inferred = sanitize_filename(name)
        if inferred:
            return inferred
    return fallback

sanitize_filename 

sanitize_filename(filename: str) -> str | None
Source code in rdflib/contrib/graphdb/util.py 
 7
 8
 9
10
11
12
13
14
def sanitize_filename(filename: str) -> str | None:
    filename = filename.strip().strip("\"'")
    if not filename:
        return None
    filename = filename.replace("\\", "/").split("/")[-1]
    if not filename or filename in {".", ".."}:
        return None
    return filename