Description
Rossen Stoyanchev opened SPR-13588 and commented
The fix to protect against RFD exploits (#18124) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.
The URL checked for extensions is always the original URL even in the case of a forwarded request. In the case of an ERROR dispatch, Servlet containers are expected to set up the same request attributes as for forwarded requests.
Since Spring Boot relies on ERROR dispatches, a request with an unknown extension that results in an error can be rendered with a Content-Disposition header. This doesn't appear to cause issues in the browser but we should explore whether we can drop the header in such cases.
Note this issue was originally reported under Spring Boot ticket #4220.
Affects: 3.2.15, 4.1.8, 4.2.2
Issue Links:
- Skip Content-Disposition header when requestUri is the context and/or the servlet path [SPR-13612] #18190 Skip Content-Disposition header when requestUri is the context and/or the servlet path ("is duplicated by")
- Content-Disposition header causes download in browser for Spring Boot Actuator endpoints [SPR-13587] #18164 Content-Disposition header causes download in browser for Spring Boot Actuator endpoints
- Protect against RFD exploits [SPR-13548] #18124 Protect against RFD exploits