Content Disposition header being added on some urls...did not behave this way in 4.2.1 [SPR-13647]

[spring-projects-issues]

Ryan Kaltreider opened SPR-13647 and commented

given the following urls

/users/user_name@website.com - Adds Content-Disposition f.txt
/users/user_name@website.com/ - functions as expected.

Controller Request Mapping is ```
/users/{userId}

These urls both function as expected in 4.2.1

Please let me know if you need any other info.  In my mvc config i have suffix matching set to false.

---

Affects: 4.2.2

Issue Links:

• Content-Disposition header causes download in browser for Spring Boot Actuator endpoints [SPR-13587] #18164 Content-Disposition header causes download in browser for Spring Boot Actuator endpoints ("duplicates")
• Protect against RFD exploits [SPR-13548] #18124 Protect against RFD exploits

[spring-projects-issues]

Ryan Kaltreider commented

Sorry, i think this might be a duplicate of #18165...apologies if it is.

[spring-projects-issues]

Rossen Stoyanchev commented

This is a result of the fix for #18124. It's not an exact duplicate of #18165 probably which says that Content-Disposition should not be added for responses not in the 200-299 range. This is however a duplicate of #18164.

Alas, the Content-Disposition header is necessary for RFD protection. We've just updated the docs with information on that and there is also the CVE report.

A key assumption is that such Content-Disposition header doesn't affect REST API calls. However if typed into a browser there is the side effect. Could you confirm the impact of the Content-Disposition header in your case? Thanks.

[spring-projects-issues]

Rossen Stoyanchev commented

Resolving as duplicate of #18164. Feel free to comment however. We also have a fix in the works, follow #18164 for that.