Skip Content-Disposition header if status != 2xx

Issue: SPR-13588
9 years ago · 050e79e45e
parent 994a11da3e
commit 050e79e45e
1 changed files with 16 additions and 5 deletions
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractMessageConverterMethodProcessor.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractMessageConverterMethodProcessor.java
@ -315,11 +315,12 @@ public abstract class AbstractMessageConverterMethodProcessor extends AbstractMe
 	}

 	/**
-	 * Check if the path has a file extension and whether the extension is either
-	 * {@link #WHITELISTED_EXTENSIONS whitelisted} or
-	 * {@link ContentNegotiationManager#getAllFileExtensions() explicitly
-	 * registered}. If not add a 'Content-Disposition' header with a safe
-	 * attachment file name ("f.txt") to prevent RFD exploits.
+	 * Check if the path has a file extension and whether the extension is
+	 * either {@link #WHITELISTED_EXTENSIONS whitelisted} or explicitly
+	 * {@link ContentNegotiationManager#getAllFileExtensions() registered}.
+	 * If not, and the status is in the 2xx range, a 'Content-Disposition'
+	 * header with a safe attachment file name ("f.txt") is added to prevent
+	 * RFD exploits.
 	 */
 	private void addContentDispositionHeader(ServletServerHttpRequest request,
 			ServletServerHttpResponse response) {
@ -329,6 +330,16 @@ public abstract class AbstractMessageConverterMethodProcessor extends AbstractMe
 			return;
 		}

+		try {
+			int status = response.getServletResponse().getStatus();
+			if (status < 200 || status > 299) {
+				return;
+			}
+		}
+		catch (Throwable ex) {
+			// Ignore
+		}
+
 		HttpServletRequest servletRequest = request.getServletRequest();
 		String requestUri = RAW_URL_PATH_HELPER.getOriginatingRequestUri(servletRequest);