Fix corrupted saml2 metadata when special characters are present

Jannick Weisshaupt · Jannick Weisshaupt · commit 778e1879069a · 2023-09-20T12:24:34.000+02:00
Closes gh-13776
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java
@@ -104,7 +104,7 @@ private void writeMetadataToResponse(HttpServletResponse response, String regist
 		String encodedFileName = URLEncoder.encode(fileName, StandardCharsets.UTF_8.name());
 		String format = "attachment; filename=\"%s\"; filename*=UTF-8''%s";
 		response.setHeader(HttpHeaders.CONTENT_DISPOSITION, String.format(format, fileName, encodedFileName));
-		response.setContentLength(metadata.length());
+		response.setContentLength(metadata.getBytes(StandardCharsets.UTF_8).length);
 		response.setCharacterEncoding(StandardCharsets.UTF_8.name());
 		response.getWriter().write(metadata);
 	}
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilterTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilterTests.java
@@ -166,6 +166,8 @@ public void doFilterWhenCharacterEncodingThenEncodeSpecialCharactersCorrectly()
 		this.filter.doFilter(this.request, this.response, this.chain);
 		assertThat(this.response.getCharacterEncoding()).isEqualTo(StandardCharsets.UTF_8.name());
 		assertThat(this.response.getContentAsString(StandardCharsets.UTF_8)).isEqualTo(generatedMetadata);
+		assertThat(this.response.getContentLength()).isEqualTo(
+				generatedMetadata.getBytes(StandardCharsets.UTF_8).length);
 	}
 
 	@Test

Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,7 @@ private void writeMetadataToResponse(HttpServletResponse response, String regist`
`104`	`104`	`String encodedFileName = URLEncoder.encode(fileName, StandardCharsets.UTF_8.name());`
`105`	`105`	`String format = "attachment; filename=\"%s\"; filename*=UTF-8''%s";`
`106`	`106`	`response.setHeader(HttpHeaders.CONTENT_DISPOSITION, String.format(format, fileName, encodedFileName));`
`107`		`- response.setContentLength(metadata.length());`
	`107`	`+ response.setContentLength(metadata.getBytes(StandardCharsets.UTF_8).length);`
`108`	`108`	`response.setCharacterEncoding(StandardCharsets.UTF_8.name());`
`109`	`109`	`response.getWriter().write(metadata);`
`110`	`110`	`}`
Original file line number	Diff line number	Diff line change
`@@ -166,6 +166,8 @@ public void doFilterWhenCharacterEncodingThenEncodeSpecialCharactersCorrectly()`
`166`	`166`	`this.filter.doFilter(this.request, this.response, this.chain);`
`167`	`167`	`assertThat(this.response.getCharacterEncoding()).isEqualTo(StandardCharsets.UTF_8.name());`
`168`	`168`	`assertThat(this.response.getContentAsString(StandardCharsets.UTF_8)).isEqualTo(generatedMetadata);`
	`169`	`+ assertThat(this.response.getContentLength()).isEqualTo(`
	`170`	`+ generatedMetadata.getBytes(StandardCharsets.UTF_8).length);`
`169`	`171`	`}`
`170`	`172`
`171`	`173`	`@Test`