Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Breaking change]: Minimal APIs consuming IFormFile or IFormFileCollection parameters require anti-forgery checks #509

Open
1 of 3 tasks
captainsafia opened this issue Nov 27, 2023 · 0 comments
Labels
Breaking change Documented The breaking change has been published to the .NET Core docs

Comments

@captainsafia
Copy link

Description

Minimal API endpoints that consume an IFormFile or IFormFileCollection will now be opted-in to requiring anti-forgery token validation using the new anti-forgery middleware.

Version

.NET 8 RC 1

Previous behavior

Minimal API endpoints that bound a parameter from the form via IFormFile or IFormFileCollection did not require anti-forgery validation.

New behavior

Minimal API endpoints that bound a parameter from the form via IFormFile or IFormFileCollection did require anti-forgery validation. An exception will be thrown at startup if the anti-forgery middleware is not registered for an API that defines these input types.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code may require source changes to compile successfully.
  • Behavioral change: Existing binaries may behave differently at run time.

Reason for change

Anti-forgery token validation is a recommended security precaution for APIs that consume data from a form.

Recommended action

Users can opt out of anti-forgery validation for specific endpoints by using the DisableAntiforgery method like so:

var app = WebApplication.Create();

app.MapPost("/", (IFormFile formFile) => ...)
  .DisableAntiforgery();

app.Run();

Affected APIs

None.

@ghost ghost locked as resolved and limited conversation to collaborators Nov 27, 2023
@gewarren gewarren added the Documented The breaking change has been published to the .NET Core docs label Dec 5, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Breaking change Documented The breaking change has been published to the .NET Core docs
Projects
None yet
Development

No branches or pull requests

2 participants