Add mediaTypes (extension to media type mapping) in MVC resources

Allows users to configure "allowed" file extensions for controller
mappings, so that browsers will not switch to downloading "f.txt"
(part of the recent RFD attack fixes in Spring MVC).

See gh-4220

Author: Dave Syer

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ResourceProperties.java

@@ -19,10 +19,7 @@
 import org.springframework.boot.context.properties.ConfigurationProperties;
 
 /**
- * Properties used to configure resource handling.
- *
- * @author Phillip Webb
- * @since 1.1.0
+ * Properties used to configure resource handling0
  */
 @ConfigurationProperties(prefix = "spring.resources", ignoreUnknownFields = false)
 public class ResourceProperties {

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/WebMvcAutoConfiguration.java

@@ -22,6 +22,7 @@
 import java.util.Collections;
 import java.util.Date;
 import java.util.List;
+import java.util.Map;
 
 import javax.servlet.Servlet;
 
@@ -56,6 +57,7 @@
 import org.springframework.format.Formatter;
 import org.springframework.format.FormatterRegistry;
 import org.springframework.format.datetime.DateFormatter;
+import org.springframework.http.MediaType;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.util.StringUtils;
 import org.springframework.validation.DefaultMessageCodesResolver;
@@ -67,6 +69,7 @@
 import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.View;
 import org.springframework.web.servlet.ViewResolver;
+import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
 import org.springframework.web.servlet.config.annotation.DelegatingWebMvcConfiguration;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
@@ -169,6 +172,14 @@ public void configureMessageConverters(List<HttpMessageConverter<?>> converters)
 			converters.addAll(this.messageConverters.getConverters());
 		}
 
+		@Override
+		public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
+			Map<String, MediaType> mediaTypes = this.mvcProperties.getMediaTypes();
+			for (String extension : mediaTypes.keySet()) {
+				configurer.mediaType(extension, mediaTypes.get(extension));
+			}
+		}
+
 		@Bean
 		@ConditionalOnMissingBean(InternalResourceViewResolver.class)
 		public InternalResourceViewResolver defaultViewResolver() {

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/WebMvcProperties.java

@@ -16,7 +16,11 @@
 
 package org.springframework.boot.autoconfigure.web;
 
+import java.util.LinkedHashMap;
+import java.util.Map;
+
 import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.http.MediaType;
 import org.springframework.validation.DefaultMessageCodesResolver;
 
 /**
@@ -49,6 +53,11 @@ public class WebMvcProperties {
 	 */
 	private boolean ignoreDefaultModelOnRedirect = true;
 
+	/**
+	 * Maps file extensions to media types for content negotiation, e.g. yml->text/yaml.
+	 */
+	private Map<String, MediaType> mediaTypes = new LinkedHashMap<String, MediaType>();
+
 	public DefaultMessageCodesResolver.Format getMessageCodesResolverFormat() {
 		return this.messageCodesResolverFormat;
 	}
@@ -82,4 +91,12 @@ public void setIgnoreDefaultModelOnRedirect(boolean ignoreDefaultModelOnRedirect
 		this.ignoreDefaultModelOnRedirect = ignoreDefaultModelOnRedirect;
 	}
 
+	public Map<String, MediaType> getMediaTypes() {
+		return this.mediaTypes;
+	}
+
+	public void setMediaTypes(Map<String, MediaType> mediaTypes) {
+		this.mediaTypes = mediaTypes;
+	}
+
 }