Description
Rossen Stoyanchev opened SPR-13587 and commented
The fix to protect against RFD exploits (#18124) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.
Spring Boot Actuator exposes many endpoints that naturally contain dots and do not represent an extension. When such a URL is typed in a browser it causes content to be downloaded as "f.txt" rather than rendered.
Several example mappings in Boot:
/metrics/{name:.*}
/env/{name:.*}
/diff/{fromVersion}/{toVersion}
We need to consider ways to make the fix for RFD more flexible with this case in mind (and possibly others that might yet be reported), without compromising the security of the application. For one, it looks like Spring Boot metrics aren't exposed to RFD since the metric name in the URL has to match a known metric, so for example appending a random extension should result in a 404.
Note this issue was originally reported under Spring Boot ticket #4220.
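To make the reported behaviour concrete, here is a small Python model of the RFD-mitigation decision the issue describes: the extension of the last path segment is checked against a default whitelist and any application-registered extensions, and only an unknown extension triggers the "attachment;filename=f.txt" header. This is an added illustration, not Spring Framework's or Spring Boot's code; the default whitelist, the helper names, the KNOWN_METRICS set and the actuator URLs are assumptions constructed for the example, and the status check models the behaviour requested in the linked SPR-13588 (#18165).

```python
"""Toy model of the RFD mitigation decision discussed in SPR-13587.

Illustrative re-implementation only: Spring's real logic lives in
AbstractMessageConverterMethodProcessor and handles more cases than this.
"""
from typing import Dict, FrozenSet, Tuple

# Assumption: approximates Spring's default extension whitelist. The exact
# set is not stated in the issue and is reproduced here from memory.
DEFAULT_SAFE_EXTENSIONS = frozenset({
    "txt", "text", "yml", "properties", "csv",
    "json", "xml", "atom", "rss",
    "png", "jpe", "jpeg", "jpg", "gif", "wbmp", "bmp",
})

RFD_HEADER_NAME = "Content-Disposition"
RFD_HEADER_VALUE = "attachment;filename=f.txt"


def extract_extension(path: str) -> str:
    """Extension of the last path segment, '' when there is none.

    Query strings are ignored; a dotted path variable such as
    'gauge.response.root' yields 'root', which is the root of the problem
    reported for Boot's /metrics/{name:.*} mapping.
    """
    segment = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if "." not in segment:
        return ""
    return segment.rsplit(".", 1)[-1].lower()


def is_safe_extension(ext: str, registered: FrozenSet[str] = frozenset()) -> bool:
    """Safe = no extension, default-whitelisted, or explicitly registered
    by the application (the two escape hatches the issue mentions)."""
    return ext == "" or ext in DEFAULT_SAFE_EXTENSIONS or ext in registered


def response_headers(path: str, status: int = 200,
                     registered: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Headers the mitigation would add to an @ResponseBody response.

    Non-2xx responses get no header (models SPR-13588 / #18165): an error
    page is not a payload the browser should be told to download.
    """
    if not 200 <= status < 300:
        return {}
    if is_safe_extension(extract_extension(path), registered):
        return {}
    return {RFD_HEADER_NAME: RFD_HEADER_VALUE}


# Constructed metric names standing in for what an actuator would know.
KNOWN_METRICS = frozenset({"gauge.response.root", "counter.status.200.root", "mem.free"})


def actuator_metrics_response(name: str) -> Tuple[int, Dict[str, str]]:
    """Models /metrics/{name:.*}: an unknown name (including a known name
    with a random extension appended) is a 404, so no header is emitted;
    a known dotted name is a 200 and, under the current rule, is wrongly
    treated as a file with an unknown extension."""
    status = 200 if name in KNOWN_METRICS else 404
    return status, response_headers("/metrics/" + name, status)


if __name__ == "__main__":
    for url in ("/metrics/gauge.response.root", "/env/spring.profiles.active",
                "/diff/1.0.0/1.1.0", "/metrics.json"):
        print(url, "->", response_headers(url) or "no Content-Disposition")
    print(actuator_metrics_response("mem.free.exe"))
```

Running the block shows why the three Boot mappings in the issue trip the check: the trailing part of a dotted metric name, property name or version number looks like an extension that is on neither list, while a genuinely registered extension such as ".json" passes. Registering an extension (the `registered` argument) or returning a non-2xx status are the two ways the modelled rule stays quiet.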
Affects: 4.1.8, 4.2.2
Issue Links:
- Content Disposition header being added on some urls...did not behave this way in 4.2.1 [SPR-13647] #18224 ("is duplicated by")
- Content-Disposition added for @ResponseBody methods explicitly mapped to ".html" or other extensions [SPR-13629] #18207
- Protect against RFD exploits [SPR-13548] #18124
- Content-Disposition with fixed file name "f.txt" causes confusion [SPR-13643] #18220
- Skip Content-Disposition header when status != 2xx [SPR-13588] #18165
Referenced from: commits 1489e29, 3a919a4, 92ca537
1 vote, 7 watchers