SPR-13629 (Spring Framework): Content-Disposition added for @ResponseBody methods explicitly mapped to ".html" or other extensions

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.2.15, 4.1.8, 4.2.2
    • Fix Version/s: 3.2.16, 4.1.9, 4.2.3
    • Component/s: Web

      Description

      The fix to protect against RFD exploits (SPR-13548) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.

      By default ".html" is not whitelisted since a controller method returning String can be rendered as any requested content type (since StringHttpMessageConverter accepts "*/*") and in the case of HTML that can lead to XSS and RFD attacks.

      However, as commented under Spring Boot #4220, we should consider ways to make it straightforward to render HTML via @ResponseBody when that is the actual intent.

      https://github.com/spring-projects/spring-boot/issues/4220#issuecomment-152812708
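As an added illustration (not code from this issue or from the Spring project itself), the following shows the route the description already names for intentional HTML rendering: explicitly registering the "html" extension with the content negotiation configuration, next to a controller whose mapping names the ".html" extension. The class names and the "/greeting.html" path are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.util.HtmlUtils;

// Hypothetical configuration class. Registering "html" explicitly marks the
// extension as one the application intends to render, so it is no longer an
// unknown extension that the RFD protection answers with
// "Content-Disposition: attachment".
@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
    @Override
    public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
        configurer.mediaType("html", MediaType.TEXT_HTML);
    }
}

// Hypothetical controller. The mapping names the ".html" extension itself and
// limits the producible type to text/html, so a String body is not rendered as
// whatever content type the client asks for (the "*/*" case in the description).
@Controller
class GreetingController {
    @RequestMapping(value = "/greeting.html", method = RequestMethod.GET,
                    produces = MediaType.TEXT_HTML_VALUE)
    @ResponseBody
    public String greeting(@RequestParam(defaultValue = "world") String name) {
        // A String body served as text/html is interpreted by the browser, so
        // request-controlled input must be escaped or it becomes an XSS vector.
        return "<html><body><p>Hello, " + HtmlUtils.htmlEscape(name)
                + "</p></body></html>";
    }
}
```

On the affected versions the explicit mapping alone still receives the attachment header (the bug reported here); registering the media type is what keeps the response from being treated as an unknown extension.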

              People

              • Assignee: Rossen Stoyanchev (rstoya05-aop)
              • Reporter: Rossen Stoyanchev (rstoya05-aop)
              • Last updater: Stéphane Nicoll
