
Content-Disposition header causes download in browser for Spring Boot Actuator endpoints [SPR-13587] #18164

Closed

Description


Rossen Stoyanchev opened SPR-13587 and commented

The fix to protect against RFD exploits (#18124) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.

Spring Boot Actuator exposes many endpoints that naturally contain dots and do not represent an extension. When such a URL is typed in a browser it causes content to be downloaded as "f.txt" rather than rendered.

Several example mappings in Boot:

/metrics/{name:.*}
/env/{name:.*}
/diff/{fromVersion}/{toVersion}

We need to consider ways to make the fix for RFD more flexible with this case in mind (and possibly others that might yet be reported), without compromising the security of the application. For one, it looks like Spring Boot metrics aren't exposed to RFD since the metric name in the URL has to match a known metric, so, for example, appending a random extension should result in a 404.

Note this issue was originally reported under Spring Boot ticket #4220.
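To make the heuristic described above concrete, the following is an added example (Python, not Spring's own code) that models it: the apparent extension is taken from the last path segment, and an attachment header is added only when that extension is neither whitelisted nor registered by the application. A tiny handler mapped like `/metrics/{name:.*}` then shows both sides of the issue: a legitimate dotted metric name such as `mem.free` gets the unwanted `Content-Disposition: attachment;filename=f.txt`, while a name with an attacker-appended extension is not a known metric and yields a 404. The whitelist contents, the metric names, and the `registered_extensions` parameter are constructed for this example and stand in for the framework's real configuration.

```python
from urllib.parse import urlsplit

# Constructed for this example: extensions treated as safe to render inline.
# It stands in for the framework's default whitelist and is not the real list.
WHITELISTED_EXTENSIONS = frozenset({
    "txt", "text", "yml", "properties", "csv", "json", "xml", "atom", "rss",
    "png", "jpe", "jpeg", "jpg", "gif", "wbmp", "bmp",
})

# Constructed sample of metric names an actuator-style /metrics endpoint knows.
KNOWN_METRICS = frozenset({"mem", "mem.free", "heap.used", "gauge.response.root"})

ATTACHMENT_HEADER = "attachment;filename=f.txt"


def extract_extension(request_uri):
    """Return the apparent file extension of the last path segment, or None.

    Query string and fragment are ignored; a trailing dot ("name.") counts as
    no extension. "/metrics/mem.free?x=1" -> "free", "/metrics/mem" -> None.
    """
    last_segment = urlsplit(request_uri).path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return None
    ext = last_segment.rsplit(".", 1)[1].lower()
    return ext or None


def needs_attachment_header(request_uri, registered_extensions=frozenset()):
    """Model of the RFD check: header needed when the URL looks like it has an
    extension that is neither whitelisted nor registered by the application."""
    ext = extract_extension(request_uri)
    if ext is None:
        return False
    return ext not in WHITELISTED_EXTENSIONS and ext not in registered_extensions


def handle_metrics(request_uri, registered_extensions=frozenset()):
    """Model of a @ResponseBody handler mapped at /metrics/{name:.*}.

    Returns (status, headers, body). Unknown metric names are rejected with a
    404 before any body is produced, which is why appending a random extension
    to a metric URL does not yield a downloadable response.
    """
    path = urlsplit(request_uri).path
    prefix = "/metrics/"
    if not path.startswith(prefix):
        return 404, {}, None
    name = path[len(prefix):]
    if name not in KNOWN_METRICS:
        return 404, {}, None

    headers = {"Content-Type": "application/json"}
    # The dot in a legitimate metric name ("mem.free") is misread as an
    # extension, so the header is added and a browser downloads "f.txt".
    if needs_attachment_header(request_uri, registered_extensions):
        headers["Content-Disposition"] = ATTACHMENT_HEADER
    return 200, headers, {"name": name, "value": 42}


if __name__ == "__main__":
    for uri in ("/metrics/mem", "/metrics/mem.free", "/metrics/mem.free.bat",
                "/metrics/mem.json"):
        status, headers, _ = handle_metrics(uri)
        print(uri, status, headers.get("Content-Disposition"))
```

Running the block prints which of the sample URLs trigger the download: `/metrics/mem.free` does (the regression this issue reports), `/metrics/mem.free.bat` is a 404, and `/metrics/mem` and `/metrics/mem.json` render inline.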


Affects: 4.1.8, 4.2.2

Issue Links:

Referenced from: commits 1489e29, 3a919a4, 92ca537

Backported to: 4.1.9, 3.2.16

1 vote, 7 watchers

Labels:

- in: web (Issues in web modules (web, webmvc, webflux, websocket))
- status: backported (An issue that has been backported to maintenance branches)
- type: bug (A general bug)
