Use ASCII chars in Content-Disposition filename parameter

Prior to this commit, gh-36328 avoided using RFC 2047 encoding for the
"filename" parameter and use ISO-8859-1 only. This change unfortunately
caused issues because some implementations might try and detect the
encoding automatically.

This commit restricts the filename parameter to ASCII encoding only by:
* transliterating characters to the closes ASCII character
("é"->"e", "ä"->"ae"...)
* falling back to "_" for other chacacters with non latin alphabet or
  emojis

Fixes gh-36805

Author: bclozel

spring-web/src/main/java/org/springframework/http/ContentDisposition.java

@@ -17,12 +17,9 @@
 package org.springframework.http;
 
 import java.io.ByteArrayOutputStream;
-import java.nio.CharBuffer;
-import java.nio.charset.CharacterCodingException;
 import java.nio.charset.Charset;
-import java.nio.charset.CharsetEncoder;
-import java.nio.charset.CodingErrorAction;
 import java.nio.charset.StandardCharsets;
+import java.text.Normalizer;
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.HexFormat;
@@ -47,6 +44,7 @@
  * @author Sebastien Deleuze
  * @author Juergen Hoeller
  * @author Rossen Stoyanchev
+ * @author Brian Clozel
  * @author Sergey Tsypanov
  * @since 5.0
  * @see <a href="https://tools.ietf.org/html/rfc6266">RFC 6266</a>
@@ -174,19 +172,19 @@ public String toString() {
 			sb.append(this.type);
 		}
 		if (this.name != null) {
-			sb.append("; name=\"");
-			sb.append(this.name).append('\"');
+			sb.append("; name=\"").append(this.name).append('\"');
 		}
 		if (this.filename != null) {
 			if (this.charset == null || StandardCharsets.US_ASCII.equals(this.charset)) {
-				sb.append("; filename=\"");
-				sb.append(encodeQuotedPairs(this.filename)).append('\"');
+				sb.append("; filename=\"")
+						.append(encodeQuotedPairs(this.filename))
+						.append('\"');
 			}
 			else {
-				sb.append("; filename=\"");
-				sb.append(toIso88591(encodeQuotedPairs(this.filename))).append('\"');
-				sb.append("; filename*=");
-				sb.append(encodeRfc5987Filename(this.filename, this.charset));
+				sb.append("; filename=\"")
+						.append(transliterateToAscii(encodeQuotedPairs(this.filename)))
+						.append("\"; filename*=")
+						.append(encodeRfc5987Filename(this.filename, this.charset));
 			}
 		}
 		return sb.toString();
@@ -435,16 +433,74 @@ else if (b == '=' && index < value.length - 2) {
 		return StreamUtils.copyToString(baos, charset);
 	}
 
-	private static String toIso88591(String input) {
-		CharsetEncoder encoder = ISO_8859_1.newEncoder()
-				.onUnmappableCharacter(CodingErrorAction.REPLACE)
-				.replaceWith(new byte[] { (byte) '_' });
-		try {
-			return ISO_8859_1.decode(encoder.encode(CharBuffer.wrap(input))).toString();
-		}
-		catch (CharacterCodingException exc) {
-			throw new IllegalArgumentException("Failed to convert to ISO 8859-1", exc);
+	private static String transliterateToAscii(String input) {
+		StringBuilder sb = new StringBuilder(input.length() + 16);
+		for (int i = 0; i < input.length();) {
+			int codePoint = input.codePointAt(i);
+			i += Character.charCount(codePoint);
+			if (codePoint <= 127) {
+				sb.append((char) codePoint);
+			}
+			else {
+				switch (codePoint) {
+					case 'ä':
+						sb.append("ae");
+						break;
+					case 'ö':
+						sb.append("oe");
+						break;
+					case 'ü':
+						sb.append("ue");
+						break;
+					case 'Ä':
+						sb.append("Ae");
+						break;
+					case 'Ö':
+						sb.append("Oe");
+						break;
+					case 'Ü':
+						sb.append("Ue");
+						break;
+					case 'ß':
+						sb.append("ss");
+						break;
+					case 'æ':
+						sb.append("ae");
+						break;
+					case 'Æ':
+						sb.append("AE");
+						break;
+					case 'œ':
+						sb.append("oe");
+						break;
+					case 'Œ':
+						sb.append("OE");
+						break;
+					default:
+						String cpStr = new String(Character.toChars(codePoint));
+						// decompose accented characters into two separate parts
+						String normalized = Normalizer.normalize(cpStr, Normalizer.Form.NFD);
+						for (int j = 0; j < normalized.length(); ) {
+							int ncp = normalized.codePointAt(j);
+							j += Character.charCount(ncp);
+							if (ncp <= 127) {
+								sb.append((char) ncp);
+							}
+							else {
+								int type = Character.getType(ncp);
+								// do not write fallback character for accents
+								if (type != Character.NON_SPACING_MARK &&
+										type != Character.COMBINING_SPACING_MARK &&
+										type != Character.ENCLOSING_MARK) {
+									sb.append('_');
+								}
+							}
+						}
+						break;
+				}
+			}
 		}
+		return sb.toString();
 	}
 
 	private static String encodeQuotedPairs(String filename) {