Java OutputStream produces wrong directory path and characters

i'm using OutputStream to create a pdf file for download as follow:

    byte[] infoFile = info.getBytes();
    String infoName = info.getFileName();
    String contentType = info.getContentType();
        
    response.setContentType(contentType);
    response.setHeader("Content-disposition", "attachment;filename=\"" + infoName + "\"");
    response.setContentLength(infoFile.length);
        
    // till now no problem, the file name is ok

    OutputStream out = response.getOutputStream();
    out.write(infoFile); 
    //here, as soon as the previous line is executed a file is generated with wrong characters
    // ex. D:__Profiles__User__Downloads__infoFile.pdf

Here the file produced is something like "D:__Profiles__User__Downloads__infoFile.pdf"
while i expect the file "D:\Profiles\User\Downloads\infoFile.pdf"

What's wrong?

> What's wrong?

Your expectation that the filename in a Content-disposition header should have path information.

From RFC 6266 section 4.3

> Recipients MUST NOT be able to write into any location other than
> one to which they are specifically entitled. To illustrate the
> problem, consider the consequences of being able to overwrite
> well-known system locations (such as "/etc/passwd"). One strategy
> to achieve this is to never trust folder name information in the
> filename parameter, for instance by stripping all but the last
> path segment and only considering the actual filename (where 'path
> segments' are the components of the field value delimited by the
> path separator characters "" and "/").

And similarly in the Mozilla docs

> The filename is always optional and must not be used blindly by the application: path information should be stripped, and conversion to the server file system rules should be done.

Basically you should only be specifying infoFile.pdf. It's up to the user which directory that file is saved in.