This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Endpoints that accept empty bodies also accept the empty bodies with Content-Type: application/json, which seems suspect #16393

Open
reivilibre opened this issue Sep 27, 2023 · 0 comments
Labels
T-Task Refactoring, removal, replacement, enabling or disabling functionality, other engineering tasks.

Comments

Contributor

reivilibre commented Sep 27, 2023

e.g. Complement sends POST /forget without a JSON body, but it sets Content-Type: application/json anyway. Synapse is happy with that, but arguably shouldn't be.
(Ignore the fact that this request is meant to require a JSON body #16366 for now)

It seems like we should hold clients to a JSON-encoded body if they go so far as to set the content-type in the request.

As at Synapse v1.92.

As a soft proposal, we could add warnings when this is violated to start with so we can track down any clients that might be relying on this.
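
One way the soft proposal above could be implemented, as an added example that is not Synapse's code and not part of the original issue. The function names, the logger name, the header dict shape and the sample requests are all assumptions made for illustration; the check also covers non-empty bodies that fail to parse, which goes slightly beyond the empty-body case described.

```python
import json
import logging
from collections import Counter
from typing import Optional

logger = logging.getLogger("declared_json_check")  # hypothetical logger name

# Tally per (user agent, method, path), to find clients relying on the lax behaviour.
violations: Counter = Counter()


def declares_json(content_type: Optional[str]) -> bool:
    """True if the media type (parameters ignored) is application/json."""
    if not content_type:
        return False
    return content_type.split(";", 1)[0].strip().lower() == "application/json"


def check_declared_json(method: str, path: str, headers: dict, body: bytes,
                        strict: bool = False) -> str:
    """Return 'ok', 'warn' (soft mode) or 'reject' (strict mode) for one request.

    Assumes `headers` is keyed by canonical header names.
    """
    if not declares_json(headers.get("Content-Type")):
        return "ok"  # no JSON claim was made, so an empty body is unremarkable
    if not body.strip():
        problem = "the body is empty"
    else:
        try:
            json.loads(body)  # accepts UTF-8/16/32 encoded bytes
            return "ok"
        except ValueError:  # JSONDecodeError and UnicodeDecodeError derive from it
            problem = "the body is not valid JSON"
    agent = headers.get("User-Agent", "<unknown>")
    violations[(agent, method, path)] += 1
    logger.warning("%s %s from %r declares application/json but %s",
                   method, path, agent, problem)
    return "reject" if strict else "warn"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/forget", {"Content-Type": "application/json", "User-Agent": "test-client"}, b""),
    ("POST", "/forget", {"Content-Type": "application/json; charset=utf-8"}, b"{}"),
    ("POST", "/forget", {}, b""),
    ("POST", "/forget", {"Content-Type": "Application/JSON"}, b"  \n"),
]


def run_samples(strict: bool = False) -> list:
    return [check_declared_json(m, p, h, b, strict) for m, p, h, b in SAMPLES]
```

Running in soft mode first and reviewing the `violations` tally shows which clients would break before `strict=True` is switched on.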
