Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Protect against RFD exploits [SPR-13548] #18124

spring-projects-issues opened this issue Oct 7, 2015 · 0 comments

Protect against RFD exploits [SPR-13548] #18124

spring-projects-issues opened this issue Oct 7, 2015 · 0 comments


Copy link

@spring-projects-issues spring-projects-issues commented Oct 7, 2015

Rossen Stoyanchev opened SPR-13548 and commented

For details and concrete examples of RFD attacks see the RFD paper from Trustwave.

For information specific to Spring MVC see the CVE-2015-5211 security report.

Affects: 3.2.14, 4.1.7, 4.2.1

Issue Links:

  • #18224 Content Disposition header being added on some urls...did not behave this way in 4.2.1
  • #18207 Content-Disposition added for @ResponseBody methods explicitly mapped to ".html" or other extensions
  • #18164 Content-Disposition header causes download in browser for Spring Boot Actuator endpoints
  • #18165 Skip Content-Disposition header when status != 2xx
  • #18220 Content-Disposition with fixed file name "f.txt" causes confusion

Backported to: 4.1.8, 3.2.15

@spring-projects-issues spring-projects-issues added this to the 4.2.2 milestone Jan 11, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants