Skip Content-Disposition header if status != 2xx

Issue: SPR-13588

Author: rstoyanchev

spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractMessageConverterMethodProcessor.java

@@ -315,11 +315,12 @@ private MediaType getMostSpecificMediaType(MediaType acceptType, MediaType produ
 	}
 
 	/**
-	 * Check if the path has a file extension and whether the extension is either
-	 * {@link #WHITELISTED_EXTENSIONS whitelisted} or
-	 * {@link ContentNegotiationManager#getAllFileExtensions() explicitly
-	 * registered}. If not add a 'Content-Disposition' header with a safe
-	 * attachment file name ("f.txt") to prevent RFD exploits.
+	 * Check if the path has a file extension and whether the extension is
+	 * either {@link #WHITELISTED_EXTENSIONS whitelisted} or explicitly
+	 * {@link ContentNegotiationManager#getAllFileExtensions() registered}.
+	 * If not, and the status is in the 2xx range, a 'Content-Disposition'
+	 * header with a safe attachment file name ("f.txt") is added to prevent
+	 * RFD exploits.
 	 */
 	private void addContentDispositionHeader(ServletServerHttpRequest request,
 			ServletServerHttpResponse response) {
@@ -329,6 +330,16 @@ private void addContentDispositionHeader(ServletServerHttpRequest request,
 			return;
 		}
 
+		try {
+			int status = response.getServletResponse().getStatus();
+			if (status < 200 || status > 299) {
+				return;
+			}
+		}
+		catch (Throwable ex) {
+			// Ignore
+		}
+
 		HttpServletRequest servletRequest = request.getServletRequest();
 		String requestUri = RAW_URL_PATH_HELPER.getOriginatingRequestUri(servletRequest);