
Content-Disposition added for @ResponseBody methods explicitly mapped to ".html" or other extensions [SPR-13629] #18207

Closed

Description


Rossen Stoyanchev opened SPR-13629 and commented

The fix to protect against RFD exploits (#18124) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.

By default ".html" is not whitelisted since a controller method returning String can be rendered as any requested content type (since StringHttpMessageConverter accepts "*/*") and in the case of HTML that can lead to XSS and RFD attacks.

However, as commented under Spring Boot #4220, we should consider ways to make it straightforward to render HTML via @ResponseBody when that is the actual intent.

spring-projects/spring-boot#4220 (comment)
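An added example, not taken from the issue or from Spring's own code: an application that declares HTML as its intended @ResponseBody output by registering the ".html" extension explicitly, which according to the description above is what exempts a URL extension from the added Content-Disposition header. The class names, the request path and the escaping of the path variable are assumptions made for this example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.util.HtmlUtils;

// Hypothetical application config (Spring 4.x API). Registering ".html"
// explicitly makes HTML from @ResponseBody a declared intent rather than an
// accidental match of StringHttpMessageConverter's "*/*".
@Configuration
@EnableWebMvc
public class HtmlIntentConfig extends WebMvcConfigurerAdapter {

    @Override
    public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
        configurer
            .favorPathExtension(true)
            // Only this extension is registered; an unregistered, non-whitelisted
            // extension in a URL still gets the RFD-protecting header.
            .mediaType("html", MediaType.TEXT_HTML);
    }
}

@Controller
class GreetingController {

    // Hypothetical endpoint. text/html is the only produced type, so a request
    // for /greet/Ann.html is rendered as HTML under the registration above.
    @RequestMapping(value = "/greet/{name}", produces = MediaType.TEXT_HTML_VALUE)
    @ResponseBody
    public String greet(@PathVariable String name) {
        // Escaping the user-supplied value is what keeps an intentional HTML
        // response from becoming the reflected XSS the issue warns about.
        return "<html><body><h1>Hello, " + HtmlUtils.htmlEscape(name) + "</h1></body></html>";
    }
}
```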


Affects: 3.2.15, 4.1.8, 4.2.2

Issue Links:

Referenced from: commits f2e4da3, 237439e, d500d52, e190f26, 6a9329c, bdb71e9

Backported to: 4.1.9, 3.2.16

Metadata

Labels

in: web (Issues in web modules (web, webmvc, webflux, websocket))
status: backported (An issue that has been backported to maintenance branches)
type: bug (A general bug)
