Closed
Description
Rossen Stoyanchev opened SPR-13548 and commented
For details and concrete examples of RFD attacks see the RFD paper from Trustwave.
For information specific to Spring MVC see the CVE-2015-5211 security report.
Affects: 3.2.14, 4.1.7, 4.2.1
Issue Links:
- Content Disposition header being added on some urls...did not behave this way in 4.2.1 [SPR-13647] #18224
- Content-Disposition added for @ResponseBody methods explicitly mapped to ".html" or other extensions [SPR-13629] #18207
- Content-Disposition header causes download in browser for Spring Boot Actuator endpoints [SPR-13587] #18164
- Skip Content-Disposition header when status != 2xx [SPR-13588] #18165
- Content-Disposition with fixed file name "f.txt" causes confusion [SPR-13643] #18220