Issue

An HTML file stored directly in the Oak repository does not open in the browser. Instead, it is downloaded in 6.1 SP2 and later versions.

Environment

AEM 6.x

Cause

This is an intended change in AEM 6.2. For 6.1, the same change applies to Service Pack 2 and later patches.

It was introduced as part of a Sling security fix:

https://issues.apache.org/jira/browse/SLING-4883 - Extend content disposition filter protection to jcr: data

https://issues.apache.org/jira/browse/SLING-4973 - Add Content Disposition Excluded Paths

Other customers reported the earlier behavior as a security issue.

  1. They identified that malicious files can potentially be uploaded by using the functionality.
  2. Access the uploaded file through the URL mentioned above and verify that the file gets executed.

Resolution

The engineering team fixed the issue by implementing this change; by default, the file is now downloaded instead of opening in the browser.

The behavior is controlled by the following OSGi configuration:

http://host:port/system/console/configMgr/org.apache.sling.security.impl.ContentDispositionFilter

The "Enable Content Disposition for all paths" check box, which is selected by default, causes this change in behavior, which is intended.

To revert to the old behavior:

If you are willing to accept this security issue, clear the check box. The file then opens directly in the browser instead of being downloaded, which meets the requirement.
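
To confirm whether the filter is still in effect after a configuration change, response headers can be checked for the attachment disposition. The following is an added example, not Adobe or Sling code; the paths and responses are constructed samples, and the set of content types covers more than the HTML case described above.

```python
from email import message_from_string

# Types a browser renders, and may run script from, when served inline.
# text/html is the case on this page; the other two are a generalization.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def parse_head(raw):
    """Split a raw HTTP response head into (status code, parsed headers)."""
    status_line, _, header_block = raw.strip().partition("\n")
    return int(status_line.split()[1]), message_from_string(header_block)

def served_inline(raw):
    """True when a 200 response has an active type and no 'attachment' disposition."""
    status, headers = parse_head(raw)
    if status != 200:
        return False
    return (headers.get_content_type() in ACTIVE_TYPES
            and headers.get_content_disposition() != "attachment")

def audit(samples):
    """Return the paths whose content would open in the browser."""
    return sorted(path for path, raw in samples.items() if served_inline(raw))

# Constructed sample responses (hypothetical paths), e.g. saved from `curl -sI`.
SAMPLES = {
    "/content/example/filtered.html": (
        "HTTP/1.1 200 OK\n"
        "Content-Type: text/html; charset=UTF-8\n"
        "Content-Disposition: attachment\n"
    ),
    "/content/example/unfiltered.html": (
        "HTTP/1.1 200 OK\n"
        "Content-Type: text/html\n"
    ),
    "/content/example/report.pdf": (
        "HTTP/1.1 200 OK\n"
        "Content-Type: application/pdf\n"
    ),
    "/content/example/missing.html": (
        "HTTP/1.1 404 Not Found\n"
        "Content-Type: text/html\n"
    ),
}

if __name__ == "__main__":
    for path in audit(SAMPLES):
        print("opens inline:", path)
```

Any path the audit reports is one where uploaded HTML would open in the browser rather than download.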

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
