Spring Framework: SPR-13629

Content-Disposition added for @ResponseBody methods explicitly mapped to ".html" or other extensions

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.2.15, 4.1.8, 4.2.2
    • Fix Version/s: 3.2.16, 4.1.9, 4.2.3
    • Component/s: Web

      Description

      The fix to protect against RFD exploits (SPR-13548) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.

      By default ".html" is not whitelisted, since a controller method returning String can be rendered as any requested content type (StringHttpMessageConverter accepts "*/*"), and in the case of HTML that can lead to XSS and RFD attacks.

      However, as commented under Spring Boot #4220, we should consider ways to make it straightforward to render HTML via @ResponseBody when that is the actual intent.

      https://github.com/spring-projects/spring-boot/issues/4220#issuecomment-152812708
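The decision rule the description refers to, as an added Python model that is not Spring's own code: it applies the extension whitelist and application-registered extensions from SPR-13548, plus the exemption this ticket asks for, where an extension written literally into the handler's mapping pattern (for example a method mapped to "/report.html") counts as intended and gets no attachment header. The whitelist contents and the `mapped_pattern`/`registered` parameters are assumptions made for this illustration.

```python
"""Model of the RFD protection decision described in this ticket.

Added illustration, not Spring's implementation: it reproduces the rule
the description states (add "Content-Disposition: attachment" when a
@ResponseBody URL ends in an extension that is neither whitelisted nor
registered by the application) and the exemption this ticket asks for
(an extension the handler mapping names explicitly, e.g. a method mapped
to "/report.html", is the developer's intent and is left alone).
"""
import posixpath
from urllib.parse import urlsplit

# Illustrative whitelist of extensions a browser will not execute;
# constructed for this model, not Spring's actual list.
SAFE_EXTENSIONS = frozenset({"txt", "text", "csv", "json", "xml",
                             "png", "jpg", "jpeg", "gif"})

# The header value the description quotes.
RFD_HEADER = "attachment;filename=f.txt"


def request_extension(url):
    """Lowercase extension of the last path segment, or None if absent."""
    segment = posixpath.basename(urlsplit(url).path)
    if "." not in segment:
        return None
    return segment.rsplit(".", 1)[1].lower() or None


def rfd_content_disposition(url, mapped_pattern=None, registered=()):
    """Return the Content-Disposition value to add for a @ResponseBody
    response to `url`, or None when no header is needed.

    mapped_pattern: the @RequestMapping pattern the handler was chosen by
                    (assumed input for this model).
    registered:     extensions the application registered for content
                    negotiation (treated as intended, like the whitelist).
    """
    ext = request_extension(url)
    if ext is None or ext in SAFE_EXTENSIONS:
        return None
    if ext in {e.lower().lstrip(".") for e in registered}:
        return None
    # SPR-13629: an extension written into the mapping itself was chosen by
    # the developer, not supplied by the client, so it is not an RFD vector.
    if mapped_pattern and mapped_pattern.lower().endswith("." + ext):
        return None
    # Anything else (".bat", ".cmd", or ".html" reached through a mapping
    # without an extension) is forced to download as f.txt.
    return RFD_HEADER
```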

              People

              Assignee:
              rstoya05-aop Rossen Stoyanchev
              Reporter:
              rstoya05-aop Rossen Stoyanchev
              Last updater:
              Spring Issues Spring Issues
              Votes:
              0
              Watchers:
              3
