Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-13588

Skip Content-Disposition header when status != 2xx

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.2.15, 4.1.8, 4.2.2
    • Fix Version/s: 3.2.16, 4.1.9, 4.2.3
    • Component/s: Web
    • Labels:
    • Last commented by a User:
      false

      Description

      The fix to protect against RFD exploits (SPR-13548) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.

      The URL checked for extensions is always the original URL even in the case of a forwarded request. In the case of an ERROR dispatch, Servlet containers are expected to set up the same request attributes as for forwarded requests.

      Since Spring Boot relies on ERROR dispatches, a request with an unknown extension that results in an error can be rendered with a Content-Disposition header. This doesn't appear to cause issues in the browser but we should explore whether we can drop the header in such cases.

      Note this issue was originally reported under Spring Boot ticket #4220.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                rstoya05-aop Rossen Stoyanchev
                Reporter:
                rstoya05-aop Rossen Stoyanchev
                Last updater:
                St├ęphane Nicoll
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  2 years, 30 weeks, 1 day ago