Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Protect against RFD exploits [SPR-13548] #18124

Closed
spring-issuemaster opened this issue Oct 7, 2015 · 0 comments

Comments

@spring-issuemaster
Copy link
Collaborator

commented Oct 7, 2015

Rossen Stoyanchev opened SPR-13548 and commented

For details and concrete examples of RFD attacks see the RFD paper from Trustwave.

For information specific to Spring MVC see the CVE-2015-5211 security report.


Affects: 3.2.14, 4.1.7, 4.2.1

Issue Links:

  • #18224 Content Disposition header being added on some urls...did not behave this way in 4.2.1
  • #18207 Content-Disposition added for @ResponseBody methods explicitly mapped to ".html" or other extensions
  • #18164 Content-Disposition header causes download in browser for Spring Boot Actuator endpoints
  • #18165 Skip Content-Disposition header when status != 2xx
  • #18220 Content-Disposition with fixed file name "f.txt" causes confusion

Backported to: 4.1.8, 3.2.15

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.