From c0fa3f906db6be9da707563677bf504b3dd86fae Mon Sep 17 00:00:00 2001
From: Han YanJing
Date: Sat, 20 Feb 2021 16:53:16 +0800
Subject: [PATCH] Encode the Content-Disposition header following RFC 8187

Closes gh-9281
---
 .../saml2/provider/service/web/Saml2MetadataFilter.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java
index 23714af1e7..25f4fe5f73 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java
@@ -17,6 +17,8 @@ package org.springframework.security.saml2.provider.service.web;
 import java.io.IOException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@@ -83,8 +85,9 @@ public final class Saml2MetadataFilter extends OncePerRequestFilter {
 throws IOException {
 response.setContentType(MediaType.APPLICATION_XML_VALUE);
 String fileName = this.metadataFilename.replace("{registrationId}", registrationId);
- String format = "attachment; filename=\"%s\"";
- response.setHeader(HttpHeaders.CONTENT_DISPOSITION, String.format(format, fileName));
+ String encodedFileName = URLEncoder.encode(fileName, StandardCharsets.UTF_8.name());
+ String format = "attachment; filename=\"%s\"; filename*=UTF-8''%s";
+ response.setHeader(HttpHeaders.CONTENT_DISPOSITION, String.format(format, fileName, encodedFileName));
 response.setContentLength(metadata.length());
 response.getWriter().write(metadata);
 }
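Review bot: `URLEncoder.encode` on the new `encodedFileName` line produces form encoding rather than the percent-encoding RFC 8187 defines for `filename*`: a space is emitted as `+`, which is a literal character in an ext-value, so a client would save the metadata file with `+` in its name. I would change the line to `String encodedFileName = URLEncoder.encode(fileName, StandardCharsets.UTF_8.name()).replace("+", "%20");`. The quoted fallback `filename=\"%s\"` in the second hunk still receives the raw `fileName`, so a `"`, `\` or non-ASCII character coming from `metadataFilename` or `registrationId` would yield a malformed quoted-string. How those two values are constrained is not visible here, because the method signature and the rest of the class lie outside the hunk, but escaping or ASCII-sanitising the fallback value would keep the header well-formed regardless.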