Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-13587

Content-Disposition header causes download in browser for Spring Boot Actuator endpoints


    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 4.1.8, 4.2.2
    • Fix Version/s: 3.2.16, 4.1.9, 4.2.3
    • Component/s: Web
    • Labels:
    • Last commented by a User:


      The fix to protect against RFD exploits (SPR-13548) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.

      Spring Boot Actuator exposes many endpoints that naturally contain dots and do not represent an extension. When such a URL is typed in a browser it causes content to be downloaded as "f.txt" rather than rendered.

      Several example mappings in Boot:


      We need to consider ways to make the fix for RFD more flexible with this case in mind (and possible others that might yet be reported), without compromising the security of the application. For once it looks like Spring Boot metrics aren't exposed to RFD since the metric name in the URL has to match a known metric so for example appending a random extension should result in a 404.

      Note this issue was originally reported under Spring Boot ticket #4220.


          Issue Links



              • Assignee:
                rstoya05-aop Rossen Stoyanchev
                rstoya05-aop Rossen Stoyanchev
                Last updater:
                St├ęphane Nicoll
              • Votes:
                1 Vote for this issue
                7 Start watching this issue


                • Created:
                  Days since last comment:
                  3 years, 1 week, 6 days ago