In an HTTP response there is the following header with attacker-controlled content:
Content-Disposition:attachment; filename="attacker_controlled.html"
The only characters that can't appear in the attacker-controlled value are [CR] and [LF] (they can't appear in any combination). Everywhere I have read about HTTP header injection, the discussion was about injecting those characters.
Is it possible to do HTTP header injection or some other harmful attack without CRLF?