Description
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
Having an endpoint with Minimal API and IFormFile:
app.MapPost("/upload", (IFormFile file) => "ok");
Sending a request with incorrect Content-Type, ie:
curl --request POST 'http://localhost:5000/upload' --header 'Content-Type: foo'
will return 415 status, as expected. However, missing or empty (spaces) Content-Type, ie:
curl --request POST 'http://localhost:5000/upload'
curl --request POST 'http://localhost:5000/upload' --header 'Content-Type:'
curl --request POST 'http://localhost:5000/upload' --header 'Content-Type: '
will throw InvalidOperationException and return 500. I am not 100% familiar with the code in this area (yet), but my understanding is that routing constraint won't exclude the endpoint for missing/empty Content-type, and then parameter binding will throw, while attempting to read HttpRequest.Form. The exception thrown is related to this issue: #49096
Tried changing the signature, with attribute and optional, same behaviour:
app.MapPost("/upload", ([FromForm] IFormFile file) => "ok");
app.MapPost("/upload", ([FromForm] IFormFile? file) => "ok");
app.MapPost("/upload", (IFormFile? file) => "ok");
Expected Behavior
I expect that for endpoints with IFormFile (or its variations like IFormFileCollection) parameters, only valid Content-Type, ie. Content-Type: multipart/form-data; ... will be allowed, excluding missing or empty Content-Type headers. Only valid Content-Type would result in binding parameters from form
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
8.0.101
Anything else?
Checked this issue: #39430 but didn't find this explicitly.
I am happy to contribute, but first would need confirmation that this is indeed a bug and not a design decision I am unaware of 😃