Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Endpoints that accept empty bodies also accept the empty bodies with Content-Type: application/json, which seems suspect #16393

Open
matrixbot opened this issue Dec 21, 2023 · 0 comments
Labels

Comments

@matrixbot
Copy link
Collaborator

matrixbot commented Dec 21, 2023

This issue has been migrated from #16393.


e.g. Complement sends POST /forget without a JSON body, but it sets Content-Type: application/json anyway. Synapse is happy with that, but arguably shouldn't be.
(Ignore the fact that this request is meant to require a JSON body #16366 for now)

It seems like we should hold clients to a JSON-encoded body if they go so far as to set the content-type in the request.

As at Synapse v1.92.

As a soft proposal, we could add warnings when this is violated to start with so we can track down any clients that might be relying on this.

@matrixbot matrixbot changed the title Dummy issue Endpoints that accept empty bodies also accept the empty bodies with Content-Type: application/json, which seems suspect Dec 22, 2023
@matrixbot matrixbot reopened this Dec 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant