The easiest way is to not generate the filename from user data. Always provide your own default filename. This opens the download box on the user's browser with that suggested filename. At which point the user can change it to anything they like locally and you don't have to worry about a CRLF attack.
In other cases, CRLF attacks are more complicated, but they are easy to avoid in your example.
Don't. Seriously, if there is any way to avoid putting user input in the header, I'd do that. Option 2 is to provide a whitelist of characters that the user can enter so CR/LF characters don't show up. Option 3 is to use encoding/remove special characters.
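As an added illustration of the whitelist/strip approach from the replies above (example code, not posted by anyone in this thread), here is a small Java helper that turns an untrusted filename into a Content-Disposition value that can never contain CR or LF. The default name and the character whitelist are assumptions chosen for the example.

```java
import java.util.regex.Pattern;

/** Builds a Content-Disposition value from an untrusted filename without
 *  letting CR/LF (header-splitting) characters through. It combines the
 *  advice in the thread: fall back to a fixed default name, otherwise keep
 *  only whitelisted characters and drop everything else. */
public final class SafeContentDisposition {

    // Assumed default used whenever the user-supplied name is unusable.
    private static final String DEFAULT_NAME = "download.bin";
    // Whitelist: letters, digits, dot, underscore, hyphen. Everything else is removed.
    private static final Pattern DISALLOWED = Pattern.compile("[^A-Za-z0-9._-]");

    /** Option 2/3 from the thread: keep only whitelisted characters. */
    static String sanitizeFilename(String untrusted) {
        if (untrusted == null) return DEFAULT_NAME;
        String cleaned = DISALLOWED.matcher(untrusted).replaceAll("");
        // Strip leading dots so names like ".." or hidden files cannot be produced.
        cleaned = cleaned.replaceAll("^\\.+", "");
        if (cleaned.isEmpty() || cleaned.length() > 200) return DEFAULT_NAME;
        return cleaned;
    }

    /** Produces the header value; the final check makes the CR/LF guarantee explicit. */
    static String contentDispositionHeader(String untrusted) {
        String name = sanitizeFilename(untrusted);
        if (name.indexOf('\r') >= 0 || name.indexOf('\n') >= 0) {
            throw new IllegalStateException("CR/LF survived sanitization");
        }
        return "attachment; filename=\"" + name + "\"";
    }

    public static void main(String[] args) {
        // Constructed test inputs, including one that carries an extra header line.
        String[] inputs = {
            "report.pdf",
            "evil.txt\r\nX-Injected: 1",
            "../../etc/passwd",
            ""
        };
        for (String in : inputs) {
            System.out.println(contentDispositionHeader(in));
        }
        // In a servlet (servlet API not included here) you would then call:
        // response.setHeader("Content-Disposition", contentDispositionHeader(userSupplied));
    }
}
```

The second input collapses to `evil.txtX-Injected1`, so the injected line never reaches the response, and the empty input falls back to the default name.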