Issue

An HTML file stored directly in the Oak repository does not open in the browser. In 6.1 SP2 and later versions, it is downloaded instead.

Environment

AEM 6.x

Cause

This is an intended change in AEM 6.2. For 6.1, the same change applies to Service Pack 2 and later patches.

It was introduced as part of a Sling security fix:

https://issues.apache.org/jira/browse/SLING-4883 - Extend content disposition filter protection to jcr:data

https://issues.apache.org/jira/browse/SLING-4973 - Add Content Disposition Excluded Paths

 

Other customers reported it as a security issue:

  1. They identified that malicious files can potentially be uploaded by using the functionality.
  2. They accessed the uploaded file through the URL mentioned above and verified that the file gets executed.

Resolution

The engineering team fixed the issue by implementing this change: by default, the file is downloaded instead of opening in the browser.

The behavior is controlled by the following OSGi configuration:

http://host:port/system/console/configMgr/org.apache.sling.security.impl.ContentDispositionFilter

The selected check box, Enable Content Disposition for all paths, causes this change in behavior, which is intended.
 

To revert to the old behavior:

If you are willing to accept this security issue, you can clear the check box. The file then opens directly in the browser instead of being downloaded, which meets the requirement.
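A narrower alternative to clearing the check box globally, shown as an added example (not Adobe's or Apache Sling's own file): keep the protection enabled and exempt only the specific trusted file through the excluded-paths property added in SLING-4973. The node location, project folder and excluded path are hypothetical placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example. Assumed location of this sling:OsgiConfig node (placeholder project name):
    /apps/example-project/config/org.apache.sling.security.impl.ContentDispositionFilter.xml

  sling.content.disposition.all.paths
      Backs the "Enable Content Disposition for all paths" check box.
      Left at true so repository files are still served as downloads by default.
      Setting it to false is the global revert described above.

  sling.content.disposition.excluded.paths
      Resource paths the filter skips. List only files whose content is
      controlled by trusted authors. The path below is a constructed placeholder.
      How an entry is matched against the resource path can differ between
      filter versions, so confirm the result with a test request.
-->
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
          xmlns:jcr="http://www.jcp.org/jcr/1.0"
          jcr:primaryType="sling:OsgiConfig"
          sling.content.disposition.all.paths="{Boolean}true"
          sling.content.disposition.excluded.paths="[/content/example-site/docs/report.html]"/>
```

After deploying, request the excluded file and one other HTML file stored in the repository: only the second response should still carry a `Content-Disposition: attachment` header.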

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
