Spring Framework - SPR-13588

Skip Content-Disposition header when status != 2xx

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.2.15, 4.1.8, 4.2.2
    • Fix Version/s: 3.2.16, 4.1.9, 4.2.3
    • Component/s: Web
    • Labels: (none)
    • Last commented by a User: false

      Description

      The fix to protect against RFD exploits (SPR-13548) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.

      The URL checked for extensions is always the original URL, even in the case of a forwarded request. In the case of an ERROR dispatch, Servlet containers are expected to set up the same request attributes as for forwarded requests.

      Since Spring Boot relies on ERROR dispatches, a request with an unknown extension that results in an error can be rendered with a Content-Disposition header. This doesn't appear to cause issues in the browser, but we should explore whether we can drop the header in such cases.

      Note this issue was originally reported under Spring Boot ticket #4220.
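      The decision described above, written out as a small added example (this is constructed illustration code, not the Spring Framework's own implementation). It assumes a constructed whitelist of safe extensions, an application-registered extension set, and that the original URL of a FORWARD or ERROR dispatch is read from the standard Servlet request attributes javax.servlet.forward.request_uri and javax.servlet.error.request_uri; the header is only added for 2xx responses whose original URL ends in an unknown extension.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Decides whether a response should carry the RFD-protection header
 * "Content-Disposition: attachment;filename=f.txt".
 * Constructed example, not Spring's implementation.
 */
public class RfdHeaderPolicy {

    // Constructed sample of extensions considered safe to render inline (assumption).
    private static final Set<String> SAFE_EXTENSIONS =
            Set.of("txt", "text", "json", "xml", "csv", "png", "jpg", "jpeg", "gif");

    // Extensions the application has explicitly registered (assumption).
    private final Set<String> registeredExtensions;

    public RfdHeaderPolicy(Set<String> registeredExtensions) {
        this.registeredExtensions = registeredExtensions;
    }

    /**
     * The header is only useful when the browser could actually be tricked into a
     * download, i.e. for a 2xx response whose original URL ends in an unknown extension.
     */
    public boolean shouldAddContentDisposition(String originalUri, int status) {
        if (status < 200 || status >= 300) {
            return false; // 3xx redirects and 4xx/5xx error pages never get the header
        }
        String ext = extractExtension(originalUri);
        if (ext == null) {
            return false; // no extension in the path, nothing for the browser to guess from
        }
        return !SAFE_EXTENSIONS.contains(ext) && !registeredExtensions.contains(ext);
    }

    /**
     * Returns the URL the client actually requested. On a FORWARD or ERROR dispatch the
     * container stores it in request attributes; otherwise the current URI is the original.
     */
    public static String originalRequestUri(Map<String, Object> attributes, String currentUri) {
        Object forwarded = attributes.get("javax.servlet.forward.request_uri");
        if (forwarded != null) {
            return forwarded.toString();
        }
        Object error = attributes.get("javax.servlet.error.request_uri");
        if (error != null) {
            return error.toString();
        }
        return currentUri;
    }

    /** Extension of the last path segment, lower-cased, or null if there is none. */
    static String extractExtension(String uri) {
        int cut = uri.indexOf('?');
        String path = cut >= 0 ? uri.substring(0, cut) : uri;
        String last = path.substring(path.lastIndexOf('/') + 1);
        int dot = last.lastIndexOf('.');
        if (dot < 0 || dot == last.length() - 1) {
            return null;
        }
        return last.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        RfdHeaderPolicy policy = new RfdHeaderPolicy(Set.of("pdf"));

        // A normal 200 response for a path with an extension nobody registered.
        System.out.println(policy.shouldAddContentDisposition("/api/items.bat", 200));

        // Extensions the application registered or that are on the safe list.
        System.out.println(policy.shouldAddContentDisposition("/api/items.pdf", 200));
        System.out.println(policy.shouldAddContentDisposition("/api/items.json", 200));

        // ERROR dispatch: the error handler runs at /error, but the check uses the
        // original URL taken from the dispatch attributes, and the 404 status is
        // outside the 2xx range, so no header is added. (Constructed attributes.)
        Map<String, Object> attrs = Map.of("javax.servlet.error.request_uri", "/missing.bat");
        String original = originalRequestUri(attrs, "/error");
        System.out.println(original + " -> " + policy.shouldAddContentDisposition(original, 404));
    }
}
```

      The status check is deliberately the first test, so an error or redirect response short-circuits before any URL inspection, which is the behaviour the final fix adopted.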

        Issue Links

          Activity

          rwinch Rob Winch added a comment -

          I'm not sure this is the best idea since the error page might contain reflected input.

          rstoya05-aop Rossen Stoyanchev added a comment -

          I guess the question is whether the download behavior is different for status 4xx and 5xx. That includes the content types for which specific browsers may force a download (section 2.3.1 in the RFD paper) and/or the hyperlink "download" attribute. If an error status precludes a download, then presumably there is no need for a content-disposition header.

          rstoya05-aop Rossen Stoyanchev added a comment - edited

          Browsers I tested with (Firefox, Chrome, IE 7/8/9) don't seem to switch to download when the status is 4xx or 5xx. In Firefox/Chrome the presence of a Content-Disposition header actually seems to be treated as an error. In Firefox it shows as 404 (this ticket looks relevant). Furthermore, it doesn't make sense to have Content-Disposition with 3xx either, so the final fix checks if the response is in the 2xx range.

            People

            • Assignee:
              rstoya05-aop Rossen Stoyanchev
              Reporter:
              rstoya05-aop Rossen Stoyanchev
              Last updater:
              Stéphane Nicoll
            • Votes:
              0
              Watchers:
              4

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                2 years, 17 weeks, 5 days ago