Whitelist extension if present in the request mapping

rstoyanchev · rstoyanchev · commit d500d523e7b3 · 2015-11-06T12:45:40.000-05:00
We know skip the Content-Disposition header for any extension if the
chosen request mapping explicitly contains the URl extension.

Issue: SPR-13629
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractMessageConverterMethodProcessor.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractMessageConverterMethodProcessor.java
@@ -311,13 +311,12 @@ private boolean safeExtension(HttpServletRequest request, String extension) {
 		if (this.safeExtensions.contains(extension)) {
 			return true;
 		}
+		String pattern = (String) request.getAttribute(HandlerMapping.BEST_MATCHING_PATTERN_ATTRIBUTE);
+		if (pattern != null && pattern.endsWith("." + extension)) {
+			return true;
+		}
 		if (extension.equals("html")) {
-			String name = HandlerMapping.BEST_MATCHING_PATTERN_ATTRIBUTE;
-			String pattern = (String) request.getAttribute(name);
-			if (pattern != null && pattern.endsWith(".html")) {
-				return true;
-			}
-			name = HandlerMapping.PRODUCIBLE_MEDIA_TYPES_ATTRIBUTE;
+			String name = HandlerMapping.PRODUCIBLE_MEDIA_TYPES_ATTRIBUTE;
 			Set<MediaType> mediaTypes = (Set<MediaType>) request.getAttribute(name);
 			if (!CollectionUtils.isEmpty(mediaTypes) && mediaTypes.contains(MediaType.TEXT_HTML)) {
 				return true;
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/ServletAnnotationControllerHandlerMethodTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/ServletAnnotationControllerHandlerMethodTests.java
@@ -1687,6 +1687,32 @@ public void initialize(GenericWebApplicationContext wac) {
 		assertArrayEquals(content, response.getContentAsByteArray());
 	}
 
+	@Test
+	public void responseBodyAsTextWithCssExtension() throws Exception {
+		initServlet(new ApplicationContextInitializer<GenericWebApplicationContext>() {
+			@Override
+			public void initialize(GenericWebApplicationContext wac) {
+				ContentNegotiationManagerFactoryBean factoryBean = new ContentNegotiationManagerFactoryBean();
+				factoryBean.afterPropertiesSet();
+				RootBeanDefinition adapterDef = new RootBeanDefinition(RequestMappingHandlerAdapter.class);
+				adapterDef.getPropertyValues().add("contentNegotiationManager", factoryBean.getObject());
+				wac.registerBeanDefinition("handlerAdapter", adapterDef);
+			}
+		}, TextRestController.class);
+
+		byte[] content = "body".getBytes(Charset.forName("ISO-8859-1"));
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/a4.css");
+		request.setContent(content);
+		MockHttpServletResponse response = new MockHttpServletResponse();
+
+		getServlet().service(request, response);
+
+		assertEquals(200, response.getStatus());
+		assertEquals("text/css", response.getContentType());
+		assertNull(response.getHeader("Content-Disposition"));
+		assertArrayEquals(content, response.getContentAsByteArray());
+	}
+
 	/*
 	 * Controllers
 	 */
@@ -3142,6 +3168,11 @@ public String a2(@RequestBody String body) {
 		public String a3(@RequestBody String body) throws IOException {
 			return body;
 		}
+
+		@RequestMapping(value = "/a4.css", method = RequestMethod.GET)
+		public String a4(@RequestBody String body) {
+			return body;
+		}
 	}
 
 
