
Skip Content-Disposition header when status != 2xx [SPR-13588] #18165

Closed

Description


Rossen Stoyanchev opened SPR-13588 and commented

The fix to protect against RFD exploits (#18124) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.

The URL checked for extensions is always the original URL even in the case of a forwarded request. In the case of an ERROR dispatch, Servlet containers are expected to set up the same request attributes as for forwarded requests.

Since Spring Boot relies on ERROR dispatches, a request with an unknown extension that results in an error can be rendered with a Content-Disposition header. This doesn't appear to cause issues in the browser but we should explore whether we can drop the header in such cases.

Note this issue was originally reported under Spring Boot ticket #4220.


Affects: 3.2.15, 4.1.8, 4.2.2

Issue Links:

Referenced from: commits a879897, 050e79e

Backported to: 4.1.9, 3.2.16
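As an added illustration of the decision described in the issue (example code written here, not Spring's own implementation): the RFD guard adds the attachment header only for a non-whitelisted, non-registered extension of the original URL, and the enhancement requested here additionally skips it when the status is outside the 2xx range. The default safe-extension set, the registered set and the sample URIs are constructed assumptions; the caller is assumed to pass the original request URI (for an ERROR or FORWARD dispatch, the one the container exposes through the dispatch request attributes).

```java
import java.util.Locale;
import java.util.Set;

/** Added example of the RFD header decision, extended with the SPR-13588 status rule. */
public final class RfdHeaderPolicy {

    /** Extensions treated as safe by default (constructed set for this example). */
    private static final Set<String> SAFE_EXTENSIONS =
            Set.of("txt", "text", "json", "xml", "html", "htm");

    /** Returns the lower-cased extension of the last path segment, or null if there is none. */
    static String extractExtension(String requestUri) {
        String path = requestUri;
        int q = path.indexOf('?');
        if (q >= 0) {
            path = path.substring(0, q);           // ignore the query string
        }
        int slash = path.lastIndexOf('/');
        String last = slash >= 0 ? path.substring(slash + 1) : path;
        int dot = last.lastIndexOf('.');
        if (dot < 0 || dot == last.length() - 1) {
            return null;                           // no extension in the last segment
        }
        return last.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /**
     * True when "Content-Disposition: attachment; filename=f.txt" should be added.
     * The status check is the enhancement requested in SPR-13588: error and
     * redirect responses (for example an ERROR dispatch) never get the header.
     */
    static boolean shouldAddHeader(String originalUri, int status, Set<String> registeredExtensions) {
        if (status < 200 || status >= 300) {
            return false;
        }
        String ext = extractExtension(originalUri);
        if (ext == null) {
            return false;
        }
        return !SAFE_EXTENSIONS.contains(ext) && !registeredExtensions.contains(ext);
    }

    public static void main(String[] args) {
        Set<String> registered = Set.of("csv");    // extension registered by the application (constructed)
        System.out.println("200 + unknown ext:    " + shouldAddHeader("/api/report.bat", 200, registered));
        System.out.println("404 ERROR dispatch:   " + shouldAddHeader("/api/report.bat", 404, registered));
        System.out.println("200 + registered ext: " + shouldAddHeader("/api/report.csv?x=1", 200, registered));
        System.out.println("200 + no ext:         " + shouldAddHeader("/api/v1.0/report", 200, registered));
    }
}
```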

Metadata

Labels

in: web - Issues in web modules (web, webmvc, webflux, websocket)
status: backported - An issue that has been backported to maintenance branches
type: enhancement - A general enhancement
