fix(security): sanitize filename in Content-Disposition response header #85

New Issue

Open

opened 2026-03-27 09:24:19 +01:00 by marcel · 0 comments

marcel commented 2026-03-27 09:24:19 +01:00

Owner

Copy Link

Security Issue — MEDIUM

Found in: backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java (line ~73)

The vulnerable pattern

.header(HttpHeaders.CONTENT_DISPOSITION,
    "inline; filename=\"" + doc.getOriginalFilename() + "\"")

The original filename comes from the client at upload time and is stored in the database verbatim. When it is later embedded into the Content-Disposition header without sanitization, a filename containing a double-quote character (") breaks the header syntax. A filename with a newline (\n) can inject an entirely new HTTP response header.

Example:

• Filename stored: photo".jpg → header becomes inline; filename="photo".jpg" — malformed
• Filename stored: photo\r\nX-Injected: evil → splits the HTTP header → header injection

The fix

Strip or encode characters that are unsafe in HTTP header values before embedding them. The simplest safe approach: remove everything except word characters, spaces, dots, and hyphens, then trim to a reasonable length.

// DocumentController.java
private static String safeFilename(String raw) {
    if (raw == null || raw.isBlank()) return "document";
    return raw.replaceAll("[\"\\\\\\r\\n]", "_")  // strip quotes, backslashes, newlines
              .strip()
              .substring(0, Math.min(raw.length(), 200));
}

// In the download endpoint:
.header(HttpHeaders.CONTENT_DISPOSITION,
    "inline; filename=\"" + safeFilename(doc.getOriginalFilename()) + "\"")

For full RFC 5987 compliance with non-ASCII filenames (German umlauts are common in this archive):

String encoded = URLEncoder.encode(doc.getOriginalFilename(), StandardCharsets.UTF_8)
        .replace("+", "%20");
.header(HttpHeaders.CONTENT_DISPOSITION,
    "inline; filename*=UTF-8''" + encoded)

Why

HTTP headers are line-based text. Injecting a newline into a header value lets an attacker append arbitrary headers to the response — including Set-Cookie, Content-Type, or cache-poisoning headers. This is called HTTP header injection (a subset of CRLF injection).

Priority

MEDIUM — requires a malicious filename to be stored first (needs WRITE_ALL permission), but the impact is header injection on any user who downloads the file.

## Security Issue — MEDIUM **Found in:** `backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java` (line ~73) ### The vulnerable pattern ```java .header(HttpHeaders.CONTENT_DISPOSITION, "inline; filename=\"" + doc.getOriginalFilename() + "\"") ``` The original filename comes from the client at upload time and is stored in the database verbatim. When it is later embedded into the `Content-Disposition` header without sanitization, a filename containing a double-quote character (`"`) breaks the header syntax. A filename with a newline (`\n`) can inject an entirely new HTTP response header. **Example:** - Filename stored: `photo".jpg` → header becomes `inline; filename="photo".jpg"` — malformed - Filename stored: `photo\r\nX-Injected: evil` → splits the HTTP header → header injection ### The fix Strip or encode characters that are unsafe in HTTP header values before embedding them. The simplest safe approach: remove everything except word characters, spaces, dots, and hyphens, then trim to a reasonable length. ```java // DocumentController.java private static String safeFilename(String raw) { if (raw == null || raw.isBlank()) return "document"; return raw.replaceAll("[\"\\\\\\r\\n]", "_") // strip quotes, backslashes, newlines .strip() .substring(0, Math.min(raw.length(), 200)); } // In the download endpoint: .header(HttpHeaders.CONTENT_DISPOSITION, "inline; filename=\"" + safeFilename(doc.getOriginalFilename()) + "\"") ``` For full RFC 5987 compliance with non-ASCII filenames (German umlauts are common in this archive): ```java String encoded = URLEncoder.encode(doc.getOriginalFilename(), StandardCharsets.UTF_8) .replace("+", "%20"); .header(HttpHeaders.CONTENT_DISPOSITION, "inline; filename*=UTF-8''" + encoded) ``` ### Why HTTP headers are line-based text. Injecting a newline into a header value lets an attacker append arbitrary headers to the response — including `Set-Cookie`, `Content-Type`, or cache-poisoning headers. This is called HTTP header injection (a subset of CRLF injection). ### Priority **MEDIUM — requires a malicious filename to be stored first (needs WRITE_ALL permission), but the impact is header injection on any user who downloads the file.**

marcel added the security label 2026-03-27 12:29:50 +01:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/issue-533-mass-import-ux

worktree-feat+issue-557-upload-artifact-v3-pin

worktree-chore+issue-556-drop-client-branches-coverage-gate

fix/issue-514-prerender-crawl-bakes-redirects

fix/issue-472-prerender-entries

feat/issue-395-readme

feat/issue-345-bulk-mark-reviewed

feat/issue-344-bell-tooltip

feat/issue-341-annotieren-contrast

feat/issue-225-bulk-metadata-edit

feat/issue-317-bulk-upload

feat/issue-271-dashboard-redesign

docs/issue-240-mission-control-spec

refactor/issues-193-200

feat/issue-162-korrespondenz-redesign

feature/68-new-document-file-first

feat/81-discussion-discoverability

feat/62-document-bottom-panel

feature/56-backfill-file-hashes

feat/38-document-edit-history

fix/svelte5-test-delegation-and-login-auth

No results found.

Labels

Clear labels

P0-critical

Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.

P1-high

Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.

P2-medium

Noticeable improvement; doesn't block anything; schedule opportunistically.

P3-later

Cosmetic or parking-lot work; fine to stay open indefinitely.

audit

Read-only audit / assessment work; produces a report rather than changing code

bug

Something isn't working

cleanup

Removal of dead code, vague comments, naming violations, and scratch artifacts

collaboration

We want to extend the family archive to have more collaboration tools

conversation

descoped

We will do that later

devops

documentation

README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs

epic

Marker for epic-level issues that group multiple child issues

feature

file-upload

legibility

Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction

notification

person

phase-1: security

Security hygiene — must be done first

phase-2: container-images

Production-ready multi-stage Docker images

phase-3: prod-compose

Production compose overlay + Caddy reverse proxy

phase-4: spring-prod-profile

Spring Boot production configuration profile

phase-5: backups

Database and object storage backup strategy

phase-6: deployment-docs

.env.example, DEPLOYMENT.md, runbook

phase-7: monitoring

Prometheus, Loki, Grafana, Alertmanager

refactor

Code restructuring without behaviour change

security

test

ui

UI/UX and accessibility issues

user

No Label security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Jens marcel

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#85