Do not attempt to decode wildcard content-types as form-data
Prior to this commit, the `DefaultServerWebExchange` would attempt to decode request bodies as form-data or multipart if the request content-type was compatible with the expected media types. If requests are sent with an invalid wildcard content-type such as "*/*" or "multipart/*", we should not attempt to decode here. Fixes gh-34660
This commit is contained in:
parent
faada70d59
commit
696692f1ed
|
@ -149,11 +149,11 @@ public class DefaultServerWebExchange implements ServerWebExchange {
|
|||
ServerCodecConfigurer configurer, String logPrefix) {
|
||||
|
||||
MediaType contentType = getContentType(request);
|
||||
if (contentType == null || !contentType.isCompatibleWith(MediaType.APPLICATION_FORM_URLENCODED)) {
|
||||
if (contentType == null || !contentType.isConcrete() || !contentType.isCompatibleWith(MediaType.APPLICATION_FORM_URLENCODED)) {
|
||||
return EMPTY_FORM_DATA;
|
||||
}
|
||||
|
||||
HttpMessageReader<MultiValueMap<String, String>> reader = getReader(configurer, MediaType.APPLICATION_FORM_URLENCODED, FORM_DATA_TYPE);
|
||||
HttpMessageReader<MultiValueMap<String, String>> reader = getReader(configurer, contentType, FORM_DATA_TYPE);
|
||||
if (reader == null) {
|
||||
return Mono.error(new IllegalStateException("No HttpMessageReader for " + contentType));
|
||||
}
|
||||
|
@ -167,7 +167,7 @@ public class DefaultServerWebExchange implements ServerWebExchange {
|
|||
private Mono<MultiValueMap<String, Part>> initMultipartData(ServerCodecConfigurer configurer, String logPrefix) {
|
||||
|
||||
MediaType contentType = getContentType(this.request);
|
||||
if (contentType == null || !contentType.getType().equalsIgnoreCase("multipart")) {
|
||||
if (contentType == null || !contentType.isConcrete() || !contentType.getType().equalsIgnoreCase("multipart")) {
|
||||
return EMPTY_MULTIPART_DATA;
|
||||
}
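Review bot: The `!contentType.isConcrete()` guards added to initFormData and initMultipartData have no comment explaining why a wildcard type is rejected, and the condition alone does not say it. `isCompatibleWith` accepts `*/*` as compatible with `application/x-www-form-urlencoded`, so without the guard a request that names no real media type still gets its body handed to a form decoder. I would put `// A wildcard Content-Type ("*/*", "multipart/*") is not valid on a request; never let it select a body decoder` above each guard. Both methods continue past the visible lines, so whether the skipped decode is logged with `logPrefix` cannot be seen here; if it is not, a debug-level message would help when form parameters unexpectedly come back empty.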
|
||||
|
||||
|
|
|
@ -21,6 +21,7 @@ import org.junit.jupiter.api.Test;
|
|||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.codec.ServerCodecConfigurer;
|
||||
import org.springframework.http.codec.multipart.Part;
|
||||
import org.springframework.util.MultiValueMap;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
import org.springframework.web.server.i18n.AcceptHeaderLocaleContextResolver;
|
||||
|
@ -60,14 +61,25 @@ class DefaultServerWebExchangeTests {
|
|||
}
|
||||
|
||||
@Test // gh-34660
|
||||
void useFormDataMessageReaderWhenAllContentType() {
|
||||
void shouldNotDecodeFormDataWhenContentTypeNotConcrete() {
|
||||
MockServerHttpRequest request = MockServerHttpRequest
|
||||
.post("https://example.com")
|
||||
.header(HttpHeaders.CONTENT_TYPE, MediaType.ALL_VALUE)
|
||||
.body("project=spring");
|
||||
ServerWebExchange exchange = createExchange(request);
|
||||
MultiValueMap<String, String> body = exchange.getFormData().block();
|
||||
assertThat(body.get("project")).contains("spring");
|
||||
assertThat(body).isEmpty();
|
||||
}
|
||||
|
||||
@Test // gh-34660
|
||||
void shouldNotDecodeMultipartWhenContentTypeNotConcrete() {
|
||||
MockServerHttpRequest request = MockServerHttpRequest
|
||||
.post("https://example.com")
|
||||
.header(HttpHeaders.CONTENT_TYPE, "multipart/*")
|
||||
.body("project=spring");
|
||||
ServerWebExchange exchange = createExchange(request);
|
||||
MultiValueMap<String, Part> body = exchange.getMultipartData().block();
|
||||
assertThat(body).isEmpty();
|
||||
}
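Review bot: The two new tests cover `*/*` for getFormData() and `multipart/*` for getMultipartData(), but not a wildcard subtype on the form-data path, which the `isConcrete()` guard also rejects. A third case with `.header(HttpHeaders.CONTENT_TYPE, "application/*")` asserting `assertThat(body).isEmpty()` would pin that branch. The replaced assertion `contains("spring")` was the only positive decode check visible in this hunk; if the class has no other test that a concrete `application/x-www-form-urlencoded` body is still decoded, one should be added so the guard cannot silently widen. The test class extends beyond the hunk, so such a test may already exist.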
|
||||
|
||||
|
||||
|
|