[SPR-13629] Content-Disposition added for @ResponseBody methods explicitly mapped to ".html" or other extensions - Spring JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Complete
Affects Version/s: 3.2.15, 4.1.8, 4.2.2
Fix Version/s: 3.2.16, 4.1.9, 4.2.3
Component/s: Web
Labels:
- RFD

Last commented by a User:
true

Description

The fix to protect against RFD exploits (~~SPR-13548~~) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.

By default ".html" is not whitelisted since a controller method returning String can be rendered as any requested content type (since StringHttpMessageConverter accepts "/") and in the case of HTML that can lead to XSS and RFD attacks.

However as commented under Spring Boot #4220 we should consider ways to make it straight-forward to render HTML via @ResponseBody when that is the actual intent.

https://github.com/spring-projects/spring-boot/issues/4220#issuecomment-152812708

Attachments

Issue Links

is duplicated by

SPR-13645 Behavior change to Content-Disposition on @RequestMapping endpoint

Resolved

is related to

SPR-13587 Content-Disposition header causes download in browser for Spring Boot Actuator endpoints

Closed

relates to

SPR-13548 Protect against RFD exploits

Closed

Activity

People

Assignee:: Rossen Stoyanchev

Reporter:: Rossen Stoyanchev

Last updater:: Spring Issues

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 01/Nov/15 2:08 PM

Updated:: 15/Jan/19 5:29 PM

Resolved:: 06/Nov/15 6:06 PM

Days since last comment:: 3 years, 24 weeks, 4 days ago