I ran into an issue where using CFContent to serve a file with spaces in its name was truncating the file name. For example the file “Foo Bar.xls” was saving as “Foo”, lacking ” Bar.xls”.

<cfheader name="Content-Disposition" value="attachment; filename=#getFileFromPath(filePath)#">
<cfcontent file="#filePath#" type="application/octet-stream">

You can find many examples of this type of code out there for securing files using ColdFusion and its cfcontent, so apparently it’s a common oversight.

The fix to truncated file names is very simple but no so obvious.

What doesn’t work:

1. Don’t wrap the file name value in anything
2. Wrapping the file name value in single quotes
3. Wrapping the file name value in double quotes

What does work:

1. Wrap the file name value in escaped quotes (doubled up such as “”#filename#””)
2. Wrap the file name value in character valued double quotes (chr(34))

The new example would look something like this:

<cfheader name="Content-Disposition" value="attachment; filename=""#getFileFromPath(filePath)#""">
<cfcontent file="#filePath#" type="application/octet-stream">

Thanks to Ben Nadel for providing this solution.

See my previous blog on serving files with CFContent at https://christierney.com/2009/08/12/securely-serving-files-via-cfcontent/ .