From 9aaa6f7854328e4bb009aedb4298fc7e1b98cd05 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Sun, 3 May 2026 22:44:31 +0200
Subject: [PATCH] http1: do not re-parse Content-Disposition header

Ticket: 8529

When Suricata handles a HTTP1 response body, it does so with a
file, and tries to get the filename from the Content-Disposition
header if any, then from the uri.

If it failed to find a file name, it tried again every time
there was new data from the response body, even if there was
no new data to find a file name in either the header nor the uri.

This causes a slowdown in the case the Content-Disposition header
is big.

Fix is to set the flag on the first call of the callback, to be
sure that we will parse the Content-Disposition header for a
filename header only once per http1 response.
---
 src/app-layer-htp.c | 6 +++++-
 src/app-layer-htp.h | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index 22d3023e58..0e2eff55d5 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -1270,7 +1270,11 @@ static int HtpResponseBodyHandle(HtpState *hstate, HtpTxUserData *htud, const ht
      * we check for htp_tx_response_line(tx) in case of junk
      * interpreted as body before response line
      */
-    if (!(htud->tcflags & HTP_FILENAME_SET)) {
+    if (!(htud->tcflags & HTP_RESP_BODY_SEEN)) {
+        // make sure we run this only once per tx
+        // so that we do not retry/refail to parse Content-Disposition header
+        // which may be expensive if we do it for every packet...
+        htud->tcflags |= HTP_RESP_BODY_SEEN;
         SCLogDebug("setting up file name");
 
         const uint8_t *filename = NULL;
diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h
index 9d3502d481..bad642d691 100644
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@@ -146,6 +146,7 @@ typedef struct HtpBody_ {
 #define HTP_FILENAME_SET        BIT_U8(3)    /**< filename is registered in the flow */
 #define HTP_DONTSTORE           BIT_U8(4)    /**< not storing this file */
 #define HTP_STREAM_DEPTH_SET    BIT_U8(5)    /**< stream-depth is set */
+#define HTP_RESP_BODY_SEEN      BIT_U8(6)    /**< response body was seen at least once */
 
 /** Now the Body Chunks will be stored per transaction, at
   * the tx user data */