From 1ef66d79f3ad1dbbd052473d76c5e096f0ab73e6 Mon Sep 17 00:00:00 2001
From: "dobrosi.andras"
Date: Fri, 7 Feb 2025 10:07:36 +0100
Subject: [PATCH 1/2] File name is null bug. HTTP clients may send a file with a "FileName" attribute in the Content-Disposition header. RFC 6266: 'The parameters "filename" and "filename*", to be matched case-insensitively, provide information on how to construct a filename for storing the message payload.'
---
 .../java/org/springframework/http/ContentDisposition.java | 2 +-
 .../org/springframework/http/ContentDispositionTests.java | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/spring-web/src/main/java/org/springframework/http/ContentDisposition.java b/spring-web/src/main/java/org/springframework/http/ContentDisposition.java
index c70bd822b5d0..fab5682737d6 100644
--- a/spring-web/src/main/java/org/springframework/http/ContentDisposition.java
+++ b/spring-web/src/main/java/org/springframework/http/ContentDisposition.java
@@ -252,7 +252,7 @@ public static ContentDisposition parse(String contentDisposition) {
 String part = parts.get(i);
 int eqIndex = part.indexOf('=');
 if (eqIndex != -1) {
- String attribute = part.substring(0, eqIndex);
+ String attribute = part.substring(0, eqIndex).toLowerCase();
 String value = (part.startsWith("\"", eqIndex + 1) && part.endsWith("\"") ?
 part.substring(eqIndex + 2, part.length() - 1) :
 part.substring(eqIndex + 1));
diff --git a/spring-web/src/test/java/org/springframework/http/ContentDispositionTests.java b/spring-web/src/test/java/org/springframework/http/ContentDispositionTests.java
index 7a4c320288a2..5282575598da 100644
--- a/spring-web/src/test/java/org/springframework/http/ContentDispositionTests.java
+++ b/spring-web/src/test/java/org/springframework/http/ContentDispositionTests.java
@@ -302,4 +302,12 @@ void parseFormattedWithQuestionMark() {
 .isEqualTo(filename);
 }

+ @Test
+ void parseAttributesCaseInsensitive() {
+ ContentDisposition cd = ContentDisposition.parse("form-data; Name=\"foo\"; FileName=\"bar.txt\"");
+ assertThat(cd.getName()).isEqualTo("foo");
+ assertThat(cd.getFilename()).isEqualTo("bar.txt");
+ assertThat(cd.toString()).isEqualTo("form-data; name=\"foo\"; filename=\"bar.txt\"");
+ }
+
 }
From 660694064eeb2d4a18be880f5ce7407c1205cbea Mon Sep 17 00:00:00 2001
From: "dobrosi.andras"
Date: Fri, 7 Feb 2025 10:07:36 +0100
Subject: [PATCH 2/2] File name is null bug. HTTP clients may send a file with a "FileName" attribute in the Content-Disposition header. RFC 6266: 'The parameters "filename" and "filename*", to be matched case-insensitively, provide information on how to construct a filename for storing the message payload.'
Signed-off-by: Andras, Dobrosi
---
 .../java/org/springframework/http/ContentDisposition.java | 2 +-
 .../org/springframework/http/ContentDispositionTests.java | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/spring-web/src/main/java/org/springframework/http/ContentDisposition.java b/spring-web/src/main/java/org/springframework/http/ContentDisposition.java
index c70bd822b5d0..fab5682737d6 100644
--- a/spring-web/src/main/java/org/springframework/http/ContentDisposition.java
+++ b/spring-web/src/main/java/org/springframework/http/ContentDisposition.java
@@ -252,7 +252,7 @@ public static ContentDisposition parse(String contentDisposition) {
 String part = parts.get(i);
 int eqIndex = part.indexOf('=');
 if (eqIndex != -1) {
- String attribute = part.substring(0, eqIndex);
+ String attribute = part.substring(0, eqIndex).toLowerCase();
 String value = (part.startsWith("\"", eqIndex + 1) && part.endsWith("\"") ?
 part.substring(eqIndex + 2, part.length() - 1) :
 part.substring(eqIndex + 1));
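Review bot: `part.substring(0, eqIndex).toLowerCase()` in `ContentDisposition.parse` lower-cases with the JVM default locale, so under a Turkish or Azerbaijani default locale an upper-case `FILENAME` becomes `fılename` (dotless ı) and would presumably still miss the attribute comparisons further down, which lie outside this hunk. Because the value comes from a client-supplied header, pin the locale so parsing is the same on every deployment: `String attribute = part.substring(0, eqIndex).toLowerCase(Locale.ROOT);` (importing `java.util.Locale` if the file does not already). The same line appears in the PATCH 1/2 copy of this hunk. Callers that used to get a null filename for mixed-case parameters will now receive the client-chosen name, so it still has to be treated as untrusted before it is used to build a path.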
diff --git a/spring-web/src/test/java/org/springframework/http/ContentDispositionTests.java b/spring-web/src/test/java/org/springframework/http/ContentDispositionTests.java
index 7a4c320288a2..5282575598da 100644
--- a/spring-web/src/test/java/org/springframework/http/ContentDispositionTests.java
+++ b/spring-web/src/test/java/org/springframework/http/ContentDispositionTests.java
@@ -302,4 +302,12 @@ void parseFormattedWithQuestionMark() {
 .isEqualTo(filename);
 }

+ @Test
+ void parseAttributesCaseInsensitive() {
+ ContentDisposition cd = ContentDisposition.parse("form-data; Name=\"foo\"; FileName=\"bar.txt\"");
+ assertThat(cd.getName()).isEqualTo("foo");
+ assertThat(cd.getFilename()).isEqualTo("bar.txt");
+ assertThat(cd.toString()).isEqualTo("form-data; name=\"foo\"; filename=\"bar.txt\"");
+ }
+
 }
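Review bot: `parseAttributesCaseInsensitive` only exercises `Name` and `FileName`, neither of which contains an upper-case `I`, so it would keep passing even if the lower-casing in `parse` misbehaves under a non-English default locale. It also leaves `filename*` untested, although the RFC 6266 text quoted in the commit message names it too. Consider adding an all-caps case such as `assertThat(ContentDisposition.parse("attachment; FILENAME=\"bar.txt\"").getFilename()).isEqualTo("bar.txt");` and a mixed-case `FileName*=UTF-8''bar.txt` variant. The same applies to the identical test hunk in PATCH 1/2.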