Skip to content

Skip Content-Disposition header when status != 2xx [SPR-13588] #18165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
spring-projects-issues opened this issue Oct 19, 2015 · 3 comments
Closed

Skip Content-Disposition header when status != 2xx [SPR-13588] #18165

spring-projects-issues opened this issue Oct 19, 2015 · 3 comments
Assignees
@rstoyanchev
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement
Milestone
4.2.3

Comments

@spring-projects-issues
Copy link
Collaborator

spring-projects-issues commented Oct 19, 2015
edited
Loading

Rossen Stoyanchev opened SPR-13588 and commented

The fix to protect against RFD exploits (#18124) introduced a "Content-Disposition:attachment;filename=f.txt" response header for @ResponseBody methods where the URL appears to have an extension that is neither whitelisted by default nor explicitly registered by the application.

The URL checked for extensions is always the original URL even in the case of a forwarded request. In the case of an ERROR dispatch, Servlet containers are expected to set up the same request attributes as for forwarded requests.

Since Spring Boot relies on ERROR dispatches, a request with an unknown extension that results in an error can be rendered with a Content-Disposition header. This doesn't appear to cause issues in the browser but we should explore whether we can drop the header in such cases.

Note this issue was originally reported under Spring Boot ticket #4220.

Affects: 3.2.15, 4.1.8, 4.2.2

Issue Links:

Referenced from: commits a879897, 050e79e

Backported to: 4.1.9, 3.2.16
@spring-projects-issues
Copy link
Collaborator Author

Rob Winch commented

I'm not sure this is the best idea since the error page might contain reflected input.

@spring-projects-issues
Copy link
Collaborator Author

Rossen Stoyanchev commented

I guess the question is whether the download behavior is different for status 4xx and 5xx. That includes the content types for which specific browsers may force a download (section 2.3.1 in the RFD paper) and/or the hyperlink "download" attribute. If an error status precludes a download, then presumably there is no need for a content-disposition header.

@spring-projects-issues
Copy link
Collaborator Author

Rossen Stoyanchev commented

Browsers I tested with (Firefox, Chrome, IE 7/8/9) don't seem to switch to download when status is 4xx or 5xx. In Firefox/Chrome the presence of a Content-Disposition header actually seems to be treated as an error. In Firefox it shows as 404 (this ticket looks relevant). Furthermore it doesn't make sense to have Content-Disposition with 3xx either so the final fix checks if response is in 2xx range.

@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement in: web Issues in web modules (web, webmvc, webflux, websocket) labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 4.2.3 milestone Jan 11, 2019
This was referenced Jan 11, 2019
Closed
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rstoyanchev rstoyanchev

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement
Projects
None yet
Milestone
4.2.3
Development

No branches or pull requests
2 participants
@rstoyanchev @spring-projects-issues