Skip to content

RequestDelegateFactory should return "415 Unsupported Media Type" response when parameter binding and the request isn't JSON #35856

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
DamianEdwards opened this issue Aug 27, 2021 · 0 comments · Fixed by #35976
Closed

RequestDelegateFactory should return "415 Unsupported Media Type" response when parameter binding and the request isn't JSON #35856

DamianEdwards opened this issue Aug 27, 2021 · 0 comments · Fixed by #35976
Assignees
@BrennanConroy
Labels
area-minimal Includes minimal APIs, endpoint filters, parameter binding, request delegate generator etc bug This issue describes a behavior which is not expected - a bug. feature-minimal-actions Controller-like actions for endpoint routing old-area-web-frameworks-do-not-use *DEPRECATED* This label is deprecated in favor of the area-mvc and area-minimal labels Priority:1 Work that is critical for the release, but we could probably ship without
Milestone
6.0-rc2

Comments

@DamianEdwards
Copy link
Member

The implicit request body reading done by RequestDelegateFactory to populate FromBody parameters of the route handler blindly assumes the request body format is JSON, even when the request is sent with at Content-Type header that indicates the format is something other than JSON. This leads to a JSON deserialization exception being thrown if a request is sent with, e.g., XML, but the route handler relies on the default parameter binding logic.

Rather than always trying to deserialize the request body as JSON, the Content-Type header should first be checked and if it's not JSON, a "415 Unsupported Media Type" response should be returned. Note this only applies to the implicit/default request body deserialization logic, not in cases where the parameter is populated by a BindAsync method on the target type.
@DamianEdwards DamianEdwards added feature-minimal-actions Controller-like actions for endpoint routing old-area-web-frameworks-do-not-use *DEPRECATED* This label is deprecated in favor of the area-mvc and area-minimal labels labels Aug 27, 2021
@DamianEdwards DamianEdwards added this to the 6.0-rc2 milestone Aug 27, 2021
@DamianEdwards DamianEdwards mentioned this issue Aug 27, 2021
Closed
@rafikiassumani-msft rafikiassumani-msft added bug This issue describes a behavior which is not expected - a bug. Priority:1 Work that is critical for the release, but we could probably ship without labels Aug 30, 2021
@BrennanConroy BrennanConroy mentioned this issue Aug 31, 2021
Merged
@ghost ghost locked as resolved and limited conversation to collaborators Oct 2, 2021
@amcasey amcasey added the area-minimal Includes minimal APIs, endpoint filters, parameter binding, request delegate generator etc label Jun 2, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@BrennanConroy BrennanConroy

Labels
area-minimal Includes minimal APIs, endpoint filters, parameter binding, request delegate generator etc bug This issue describes a behavior which is not expected - a bug. feature-minimal-actions Controller-like actions for endpoint routing old-area-web-frameworks-do-not-use *DEPRECATED* This label is deprecated in favor of the area-mvc and area-minimal labels Priority:1 Work that is critical for the release, but we could probably ship without
Projects
None yet
Milestone
6.0-rc2
Development

Successfully merging a pull request may close this issue.

Properly reject non-json FromBody parameter binding dotnet/aspnetcore
4 participants
@DamianEdwards @BrennanConroy @amcasey @rafikiassumani-msft