[SPR-13548] Protect against RFD exploits - Spring JIRA

This issue belongs to an archived project. You can view it, but you can't modify it. Learn more

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Critical
Resolution: Complete
Affects Version/s: 3.2.14, 4.1.7, 4.2.1
Fix Version/s: 3.2.15, 4.1.8, 4.2.2
Component/s: Web
Security Level: Public
Labels:
- RFD

Last commented by a User:
true

Description

For details and concrete examples of RFD attacks see the RFD paper from Trustwave.

For information specific to Spring MVC see the CVE-2015-5211 security report.

Attachments

Issue Links

is related to

SPR-13647 Content Disposition header being added on some urls...did not behave this way in 4.2.1

Resolved

SPR-13629 Content-Disposition added for @ResponseBody methods explicitly mapped to ".html" or other extensions

Closed

SPR-13587 Content-Disposition header causes download in browser for Spring Boot Actuator endpoints

Closed

SPR-13588 Skip Content-Disposition header when status != 2xx

Closed

SPR-13643 Content-Disposition with fixed file name "f.txt" causes confusion

Closed

Activity

People

Assignee:: Rossen Stoyanchev

Reporter:: Rossen Stoyanchev

Archiver:: Trevor Marshall

Last updater:: Spring Issues

Dates

Created:: 07/Oct/15 9:42 PM

Updated:: 15/Jan/19 5:29 PM

Resolved:: 06/Nov/15 8:27 PM

Archived:: 09/Feb/23 11:19 PM

Days since last comment:: 4 years, 20 weeks, 3 days ago