HTTP 411 POST validation not triggering when request method is not identically capitalized #26803

@Cyberboss

Describe the bug

Using the method POST without Content-Length or Transfer-Encoding rejects with HTTP 411, whereas the method POSt does not.

See the validation originally introduced in this commit.

a1c5987

Examples:
Method: POST:

Cyberboss@CYBERSTATIONXVI MINGW64 ~
$ curl -H "Authorization:basic YWRtaW46SVNvbGVtbHlTd2VhclRvRGVsZXRlVGhlRGF0YURpcmVjdG9yeQ==" -H "Api: Tgstation.Server.Api/7.3.2" -v -X POST localhost:5000
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying ::1:5000...
* Connected to localhost (::1) port 5000 (#0)
> POST / HTTP/1.1
> Host: localhost:5000
> User-Agent: curl/7.70.0
> Accept: */*
> Authorization:basic YWRtaW46SVNvbGVtbHlTd2VhclRvRGVsZXRlVGhlRGF0YURpcmVjdG9yeQ==
> Api: Tgstation.Server.Api/7.3.2
>
  0     0    0     0    0     0      0      0 --:--:--  0:00:11 --:--:--     0* Mark bundle as not supporting multiuse
< HTTP/1.1 411 Length Required
< Connection: close
< Date: Mon, 12 Oct 2020 06:33:48 GMT
< Server: Kestrel
< Content-Length: 0
<
  0     0    0     0    0     0      0      0 --:--:--  0:00:11 --:--:--     0
* Closing connection 0

Method POSt:

Cyberboss@CYBERSTATIONXVI MINGW64 ~
$ curl -H "Authorization:basic YWRtaW46SVNvbGVtbHlTd2VhclRvRGVsZXRlVGhlRGF0YURpcmVjdG9yeQ==" -H "Api: Tgstation.Server.Api/7.3.2" -v -X POSt localhost:5000
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying ::1:5000...
* Connected to localhost (::1) port 5000 (#0)
> POSt / HTTP/1.1
> Host: localhost:5000
> User-Agent: curl/7.70.0
> Accept: */*
> Authorization:basic YWRtaW46SVNvbGVtbHlTd2VhclRvRGVsZXRlVGhlRGF0YURpcmVjdG9yeQ==
> Api: Tgstation.Server.Api/7.3.2
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 12 Oct 2020 06:34:02 GMT
< Content-Type: application/json; charset=utf-8
< Server: Kestrel
< Transfer-Encoding: chunked
<
{ [293 bytes data]
100   286    0   286    0     0   1100      0 --:--:-- --:--:-- --:--:--  1100{"bearer":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIiwiZXhwIjoiMTYwMjQ4NTM0MiIsIm5iZiI6IjE2MDI0ODQ0NDIiLCJpc3MiOiJUZ3N0YXRpb24uU2VydmVyLkhvc3QiLCJhdWQiOiJUZ3N0YXRpb24uU2VydmVyLkFwaSJ9.dfsYqxMedbVUeo7PN0ibH-xMLx17qXUmbsMUTNRANVs","expiresAt":"2020-10-12T02:49:02.5216723-04:00"}
* Connection #0 to host localhost left intact

Cyberboss@CYBERSTATIONXVI MINGW64 ~
$

The second response is what is expected when the method runs successfully. I would expect the validation performed here to be case-insensitive (i.e. both should reject with HTTP 411).

To Reproduce

No bandwidth to currently make a repro, please let me know if more info is required.

Project: https://github.com/tgstation/tgstation-server/tree/843c3f660e30fef8cc525c24bf2275ad668da3cf/src/Tgstation.Server.Host
Dotnet Host Configuration: https://github.com/tgstation/tgstation-server/blob/843c3f660e30fef8cc525c24bf2275ad668da3cf/src/Tgstation.Server.Host/ServerFactory.cs#L62
MVC Configuration: https://github.com/tgstation/tgstation-server/blob/843c3f660e30fef8cc525c24bf2275ad668da3cf/src/Tgstation.Server.Host/Core/Application.cs#L180

Further technical details

  • ASP.NET Core version: 3.1.401
  • dotnet info:
Cyberboss@CYBERSTATIONXVI MINGW64 ~
$ dotnet --info
.NET Core SDK (reflecting any global.json):
 Version:   3.1.401
 Commit:    5b6f5e5005

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\3.1.401\

Host (useful for support):
  Version: 3.1.7
  Commit:  fcfdef8d6b

.NET Core SDKs installed:
  2.1.201 [C:\Program Files\dotnet\sdk]
  2.1.202 [C:\Program Files\dotnet\sdk]
  2.1.402 [C:\Program Files\dotnet\sdk]
  2.1.502 [C:\Program Files\dotnet\sdk]
  2.1.504 [C:\Program Files\dotnet\sdk]
  2.1.607 [C:\Program Files\dotnet\sdk]
  2.2.101 [C:\Program Files\dotnet\sdk]
  3.1.100 [C:\Program Files\dotnet\sdk]
  3.1.401 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.0.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.7 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
  • The IDE (VS / VS Code / VS4Mac) you're running on, and its version: Visual Studio 16.7.1

Labels: affected-very-few (This issue impacts very few customers), area-networking (Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions), bug (This issue describes a behavior which is not expected - a bug.), feature-kestrel, severity-nice-to-have (This label is used by an internal tool)
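
A minimal model of the mismatch this report describes, as an added example that is not code from Kestrel, ASP.NET Core or the reporter: a length check that compares the method token exactly sits in front of routing that compares it case-insensitively. The function names, the POST-only route and the sample requests are constructed for illustration; `consistent` applies the behaviour the reporter expected by canonicalising the method once before both layers use it.

```python
# Added illustration: models the two layers; not Kestrel or ASP.NET Core code.
BODY_METHODS = {"POST", "PUT"}  # assumption: methods the length check covers

def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ")[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def length_check(method, headers):
    """Return 411 when a body-carrying method has no framing header."""
    framed = "content-length" in headers or "transfer-encoding" in headers
    return 411 if method in BODY_METHODS and not framed else None

def route(method):
    """Hypothetical POST-only endpoint whose router ignores method case."""
    return 200 if method.upper() == "POST" else 405

def observed(raw):
    """Layers disagree: exact match in the check, case-insensitive routing."""
    method, headers = parse_head(raw)
    return length_check(method, headers) or route(method)

def consistent(raw):
    """Canonicalise once, so both layers see the same method."""
    method, headers = parse_head(raw)
    method = method.upper()
    return length_check(method, headers) or route(method)

# Constructed sample requests mirroring the two curl calls in the report.
POST_EXACT = b"POST / HTTP/1.1\r\nHost: localhost:5000\r\n\r\n"
POST_MIXED = b"POSt / HTTP/1.1\r\nHost: localhost:5000\r\n\r\n"
POST_FRAMED = b"POSt / HTTP/1.1\r\nHost: localhost:5000\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("POST", POST_EXACT), ("POSt", POST_MIXED),
                      ("POSt + Content-Length", POST_FRAMED)]:
        print(f"{name:24} observed={observed(raw)} consistent={consistent(raw)}")
```

Because RFC 7230 defines the method token as case-sensitive, a stricter alternative is to reject `POSt` outright rather than fold it to `POST`; either way the check and the router must use the same comparison.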