Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-13587

Content-Disposition header causes download in browser for Spring Boot Actuator endpoints

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 4.1.8, 4.2.2
    • Fix Version/s: 3.2.16, 4.1.9, 4.2.3
    • Component/s: Web
    • Labels:
    • Last commented by a User:
      false

      Description

      The fix to protect against RFD exploits (SPR-13548) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.

      Spring Boot Actuator exposes many endpoints that naturally contain dots and do not represent an extension. When such a URL is typed in a browser it causes content to be downloaded as "f.txt" rather than rendered.

      Several example mappings in Boot:

      /metrics/{name:.*}
      /env/{name:.*}
      /diff/{fromVersion}/{toVersion}
      

      We need to consider ways to make the fix for RFD more flexible with this case in mind (and possible others that might yet be reported), without compromising the security of the application. For once it looks like Spring Boot metrics aren't exposed to RFD since the metric name in the URL has to match a known metric so for example appending a random extension should result in a 404.

      Note this issue was originally reported under Spring Boot ticket #4220.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                rstoya05-aop Rossen Stoyanchev
                Reporter:
                rstoya05-aop Rossen Stoyanchev
                Last updater:
                St├ęphane Nicoll
              • Votes:
                1 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  2 years, 27 weeks, 6 days ago