Encode the Content-Disposition header following RFC 8187

Closes gh-9281
2021-02-20 16:53:16 +08:00 · 2021-02-20 16:53:16 +08:00 · c0fa3f906d
parent fb391c5dcd
commit c0fa3f906d
1 changed files with 5 additions and 2 deletions
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java
@ -17,6 +17,8 @@
 package org.springframework.security.saml2.provider.service.web;

 import java.io.IOException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;

 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@ -83,8 +85,9 @@ public final class Saml2MetadataFilter extends OncePerRequestFilter {
 			throws IOException {
 		response.setContentType(MediaType.APPLICATION_XML_VALUE);
 		String fileName = this.metadataFilename.replace("{registrationId}", registrationId);
-		String format = "attachment; filename=\"%s\"";
-		response.setHeader(HttpHeaders.CONTENT_DISPOSITION, String.format(format, fileName));
+		String encodedFileName = URLEncoder.encode(fileName, StandardCharsets.UTF_8.name());
+		String format = "attachment; filename=\"%s\"; filename*=UTF-8''%s";
+		response.setHeader(HttpHeaders.CONTENT_DISPOSITION, String.format(format, fileName, encodedFileName));
 		response.setContentLength(metadata.length());
 		response.getWriter().write(metadata);
 	}