
Behavior change to Content-Disposition on @RequestMapping endpoint [SPR-13645] #18222

Closed
spring-projects-issues opened this issue Nov 5, 2015 · 3 comments
Labels: in: web, status: duplicate

Comments


@spring-projects-issues spring-projects-issues commented Nov 5, 2015

David Cole opened SPR-13645 and commented

Prior to 4.2.2, the following code snippet (Groovy) would derive the file name (I believe from the @RequestMapping value) and set the Content-Disposition response header automatically:

    @RequestMapping(value = "{path}/{fileName}.jnlp", method = RequestMethod.GET, produces = "application/x-java-jnlp-file")
    String getJnlpFile(@PathVariable String path, @PathVariable String fileName) {
        //Get the resource content as text
        fileName += ".jnlp"
        def filePath = path + "/" + fileName
        Resource jnlp = getResourceContent(filePath)
        InputStream is = jnlp.inputStream
        String text = is.text
        is.close()

        //Return results after variable replacement
        jnlpSubstitution(path, fileName, text)
    }

Header set in response:
Content-Disposition: attachment;filename=Application.jnlp

After upgrading to 4.2.2 the value of the Content-Disposition header changed to:
Content-Disposition: attachment;filename=f.txt

I was able to make a code change to achieve the same result, but the behavior change has forced me to add additional code to set the HttpHeaders and return a ResponseEntity instead of simple text:

    @RequestMapping(value = "{path}/{fileName}.jnlp", method = RequestMethod.GET, produces = "application/x-java-jnlp-file")
    def getJnlpFile(@PathVariable String path, @PathVariable String fileName) {
        //Get the resource content as text
        fileName += ".jnlp"
        HttpHeaders headers = new HttpHeaders()
        headers.set("Content-Disposition", "attachment;filename=$fileName")

        def filePath = path + "/" + fileName
        Resource jnlp = getResourceContent(filePath)
        InputStream is = jnlp.inputStream
        String text = is.text
        is.close()

        //Return results after variable replacement
        text = jnlpSubstitution(path, fileName, text)
        new ResponseEntity<String>(text, headers, HttpStatus.OK)
    }

This seems like a degradation of the behavior to me. Can anyone identify this as a defect, or give instruction on an alternate, cleaner way to achieve the same result?


Affects: 4.2.2

Issue Links:

  • #18207 Content-Disposition added for @ResponseBody methods explicitly mapped to ".html" or other extensions ("duplicates")

@spring-projects-issues spring-projects-issues commented Nov 6, 2015

Rossen Stoyanchev commented

This is related to the fix for #18124 to protect against RFD attacks that rely on a file extension. We've already applied a fix as part of #18207 where ".html" is explicitly in the mapping. We will generalize that fix so it works the same for any extension that appears in the mapping. That should address your case.
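To make the behavior change in the issue body and the generalized fix Rossen describes concrete, here is an added Python model of the decision (example code written for this page, not Spring Framework's own implementation): the extension of the request path is compared against a whitelist of extensions considered safe to render, and, with the generalized fix, against any extension written literally into the matched `@RequestMapping` pattern; only when neither check passes is the fallback `Content-Disposition` header forced. The whitelist, the `generalized_fix` switch and the `attachment_header` helper are assumptions for illustration; the fallback header value is the one reported in the issue. The helper also shows a hardening point for the workaround in the issue body, where the filename comes straight from a path variable: quote it and drop characters that would break the header.

```python
import re
from urllib.parse import urlsplit

# Constructed whitelist of extensions treated as safe to render inline.
# Illustrative only (assumption); not Spring's exact list.
SAFE_EXTENSIONS = {"txt", "text", "csv", "json", "xml", "png", "jpg", "jpeg", "gif"}

# Fallback header as reported in the issue for Spring 4.2.2.
FALLBACK_DISPOSITION = "attachment;filename=f.txt"


def path_extension(request_path):
    """Extension of the last path segment, lower-cased, or None if it has none."""
    last = urlsplit(request_path).path.rsplit("/", 1)[-1]
    if "." not in last:
        return None
    return last.rsplit(".", 1)[-1].lower() or None


def pattern_extensions(mapping_pattern):
    """Extensions written literally into a mapping pattern, e.g. 'jnlp' in
    '{path}/{fileName}.jnlp'. A bare path variable such as '{fileName}' has none."""
    last = mapping_pattern.rsplit("/", 1)[-1]
    match = re.search(r"\.([A-Za-z0-9]+)$", last)
    return {match.group(1).lower()} if match else set()


def is_safe_extension(ext, mapping_pattern, generalized_fix=True):
    """True if the extension is whitelisted or (with the generalized fix from
    #18207) explicitly part of the mapping the request matched."""
    if ext is None or ext in SAFE_EXTENSIONS:
        return True
    return generalized_fix and ext in pattern_extensions(mapping_pattern)


def content_disposition(request_path, mapping_pattern, generalized_fix=True):
    """Header value the RFD protection would force for a @ResponseBody method,
    or None when the extension is considered safe and no header is forced."""
    ext = path_extension(request_path)
    if is_safe_extension(ext, mapping_pattern, generalized_fix):
        return None
    return FALLBACK_DISPOSITION


def attachment_header(file_name):
    """Explicit header as in the workaround, with the filename quoted and
    non-printable or quote/backslash characters removed (added hardening)."""
    cleaned = "".join(ch for ch in file_name if ch.isprintable() and ch not in '"\\')
    return 'attachment; filename="%s"' % cleaned


if __name__ == "__main__":
    pattern = "{path}/{fileName}.jnlp"
    # 4.2.2 behavior: ".jnlp" is not whitelisted, so the fallback header is forced.
    print(content_disposition("/apps/Application.jnlp", pattern, generalized_fix=False))
    # Generalized fix: ".jnlp" appears in the mapping, so nothing is forced.
    print(content_disposition("/apps/Application.jnlp", pattern))
    print(attachment_header("Application.jnlp"))
```

Running the block with the issue's own mapping shows the two outcomes side by side: with `generalized_fix=False` the `.jnlp` request gets the `f.txt` fallback, as David observed on 4.2.2, and with the generalized check the extension in the mapping is accepted and the method can set its own header.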


@spring-projects-issues spring-projects-issues commented Nov 6, 2015

Rossen Stoyanchev commented

I've re-opened #18207 with the intent to provide a more general fix for any extension, not just ".html". Hence I'm marking this as a duplicate of that. Please watch #18207 instead. There should be an additional fix for it shortly.


@spring-projects-issues spring-projects-issues commented Nov 6, 2015

David Cole commented

Outstanding! Thanks for the information and follow-up, Rossen.
