Escape quotes in filename in ContentDisposition.Builder when charset not specified

[rstoyanchev]

The filename, when specified without a charset, is quoted but not checked for the presence of any unquoted " characters. We should check for those and turn into a quoted-pair.

[eranation]

Spring boot 2.0.x branch has no mitigation. (2.0.9.RELEASE is the latest and uses Spring 5.0.13, needs to be upgraded to 5.0.16, no?)

[snicoll]

@eranation Spring Boot 2.0.x is EOL. If you are still using it, please upgrade as soon as possible to a supported version. In the meantime, you can set spring.version to 5.0.16.RELEASE to use a more recent maintenance release of that line.

[rstoyanchev]

@rshanlever, please use the preferred channel for follow-up questions.

[RockyMM]

To all affected in 4.3.x, this was solved by #24580 in 4.3.27. Security researchers (not Pivotal), please update the CVE report. 🙏

[rstoyanchev]

@RockyMM it's worth pointing out that versions prior to 5.0 were never affected by CVE-2020-5398 and that is why they are not listed in the CVE report.

The affected ContentDisposition type which can be used for the "inline" and "attachment" types that a server can use to suggest a file name to a client did not exist prior to version 5.0. There were however methods for "Content-Disposition" in HttpHeaders but those are for "form-data" which is used to post data from a client to a server and hence a very different scenario. The change in #24580 was merely a minor improvement aimed at making the code consistent.