diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java index ccb2f74fdbb..63d9c49d1c7 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -105,6 +105,7 @@ private void writeMetadataToResponse(HttpServletResponse response, String regist String format = "attachment; filename=\"%s\"; filename*=UTF-8''%s"; response.setHeader(HttpHeaders.CONTENT_DISPOSITION, String.format(format, fileName, encodedFileName)); response.setContentLength(metadata.length()); + response.setCharacterEncoding(StandardCharsets.UTF_8.name()); response.getWriter().write(metadata); } diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilterTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilterTests.java index 0f40eebdf33..40ab5a83438 100644 --- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilterTests.java +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -153,6 +153,21 @@ public void doFilterWhenPathStartsWithRegistrationIdThenServesMetadata() throws verify(this.repository).findByRegistrationId("registration-id"); } + // gh-12026 + @Test + public void doFilterWhenCharacterEncodingThenEncodeSpecialCharactersCorrectly() throws Exception { + RelyingPartyRegistration validRegistration = TestRelyingPartyRegistrations.full().build(); + String testMetadataFilename = "test-{registrationId}-metadata.xml"; + String generatedMetadata = "testäöü"; + this.request.setPathInfo("/saml2/service-provider-metadata/registration-id"); + given(this.resolver.resolve(validRegistration)).willReturn(generatedMetadata); + this.filter = new Saml2MetadataFilter((req, id) -> validRegistration, this.resolver); + this.filter.setMetadataFilename(testMetadataFilename); + this.filter.doFilter(this.request, this.response, this.chain); + assertThat(this.response.getCharacterEncoding()).isEqualTo(StandardCharsets.UTF_8.name()); + assertThat(new String(this.response.getContentAsByteArray())).isEqualTo(generatedMetadata); + } + @Test public void setRequestMatcherWhenNullThenIllegalArgument() { assertThatIllegalArgumentException().isThrownBy(() -> this.filter.setRequestMatcher(null));