From 124574e345d1a9601de968d97fe6631c78af88bc Mon Sep 17 00:00:00 2001 From: Dave Syer Date: Thu, 5 Nov 2015 07:56:33 +0100 Subject: [PATCH] Add mediaTypes (extension to media type mapping) in MVC resources Allows users to configure "allowed" file extensions for controller mappings, so that browsers will not switch to downloading "f.txt" (part of the recent RFD attack fixes in Spring MVC). See gh-4220 --- .../autoconfigure/web/ResourceProperties.java | 5 +---- .../web/WebMvcAutoConfiguration.java | 11 +++++++++++ .../autoconfigure/web/WebMvcProperties.java | 17 +++++++++++++++++ 3 files changed, 29 insertions(+), 4 deletions(-) diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ResourceProperties.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ResourceProperties.java index d7182b6a7b2..e5c580203ee 100644 --- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ResourceProperties.java +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ResourceProperties.java @@ -19,10 +19,7 @@ package org.springframework.boot.autoconfigure.web; import org.springframework.boot.context.properties.ConfigurationProperties; /** - * Properties used to configure resource handling. - * - * @author Phillip Webb - * @since 1.1.0 + * Properties used to configure resource handling0 */ @ConfigurationProperties(prefix = "spring.resources", ignoreUnknownFields = false) public class ResourceProperties { diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/WebMvcAutoConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/WebMvcAutoConfiguration.java index b14e9faa02d..8c041a5e30b 100644 --- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/WebMvcAutoConfiguration.java 
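Review bot: The Javadoc edit in ResourceProperties looks unintended. It removes the `@author Phillip Webb` and `@since 1.1.0` tags and changes the summary to `Properties used to configure resource handling0`, none of which relates to the mediaTypes change in the commit message. I would drop this hunk so the comment again reads `* Properties used to configure resource handling.` followed by the two original tags. The class body lies outside the hunk.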
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/WebMvcAutoConfiguration.java @@ -22,6 +22,7 @@ import java.util.Collection; import java.util.Collections; import java.util.Date; import java.util.List; +import java.util.Map; import javax.servlet.Servlet; @@ -56,6 +57,7 @@ import org.springframework.core.io.ResourceLoader; import org.springframework.format.Formatter; import org.springframework.format.FormatterRegistry; import org.springframework.format.datetime.DateFormatter; +import org.springframework.http.MediaType; import org.springframework.http.converter.HttpMessageConverter; import org.springframework.util.StringUtils; import org.springframework.validation.DefaultMessageCodesResolver; @@ -67,6 +69,7 @@ import org.springframework.web.servlet.DispatcherServlet; import org.springframework.web.servlet.LocaleResolver; import org.springframework.web.servlet.View; import org.springframework.web.servlet.ViewResolver; +import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer; import org.springframework.web.servlet.config.annotation.DelegatingWebMvcConfiguration; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; @@ -169,6 +172,14 @@ public class WebMvcAutoConfiguration { converters.addAll(this.messageConverters.getConverters()); } + @Override + public void configureContentNegotiation(ContentNegotiationConfigurer configurer) { + Map mediaTypes = this.mvcProperties.getMediaTypes(); + for (String extension : mediaTypes.keySet()) { + configurer.mediaType(extension, mediaTypes.get(extension)); + } + } + @Bean @ConditionalOnMissingBean(InternalResourceViewResolver.class) public InternalResourceViewResolver defaultViewResolver() { 
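Review bot: `configureContentNegotiation` has no comment explaining that each extension passed to `configurer.mediaType(...)` is also exempted from Spring MVC's RFD download handling, which is the "f.txt" behaviour the commit message refers to. A short Javadoc on the method, and the same caveat on the `mediaTypes` field Javadoc in WebMvcProperties, should say that only extensions whose responses never echo request-controlled content belong in this map. Separately, the loop can iterate `mediaTypes.entrySet()` and pass `entry.getKey()` and `entry.getValue()` instead of looking each key up again. The enclosing class starts and ends outside the hunk, and the type parameters on `Map` appear to have been lost in this rendering.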
diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/WebMvcProperties.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/WebMvcProperties.java index ecd61867424..519a4a2c2be 100644 --- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/WebMvcProperties.java +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/WebMvcProperties.java @@ -16,7 +16,11 @@ package org.springframework.boot.autoconfigure.web; +import java.util.LinkedHashMap; +import java.util.Map; + import org.springframework.boot.context.properties.ConfigurationProperties; +import org.springframework.http.MediaType; import org.springframework.validation.DefaultMessageCodesResolver; /** @@ -49,6 +53,11 @@ public class WebMvcProperties { */ private boolean ignoreDefaultModelOnRedirect = true; + /** + * Maps file extensions to media types for content negotiation, e.g. yml->text/yaml. + */ + private Map mediaTypes = new LinkedHashMap(); + public DefaultMessageCodesResolver.Format getMessageCodesResolverFormat() { return this.messageCodesResolverFormat; } @@ -82,4 +91,12 @@ public class WebMvcProperties { this.ignoreDefaultModelOnRedirect = ignoreDefaultModelOnRedirect; } + public Map getMediaTypes() { + return this.mediaTypes; + } + + public void setMediaTypes(Map mediaTypes) { + this.mediaTypes = mediaTypes; + } + }
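Review bot: `setMediaTypes` stores its argument unchecked, so a caller passing null replaces the `LinkedHashMap` default. The new `configureContentNegotiation` in WebMvcAutoConfiguration would then fail on `mediaTypes.keySet()` while the MVC configuration is being built. I would reject null in the setter, for example `if (mediaTypes == null) { throw new IllegalArgumentException("mediaTypes must not be null"); }`, and give both accessors a one-line Javadoc. The property binder normally supplies a non-null map, so this mainly protects programmatic callers.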