[Blazor] Avoid validating antiforgery for non form data content types #55604
Conversation
| if (!context.Request.HasFormContentType) | ||
| { | ||
| context.Response.StatusCode = StatusCodes.Status400BadRequest; | ||
| if (context.RequestServices.GetService<IHostEnvironment>()?.IsDevelopment() == true) |
There was a problem hiding this comment.
There's some logic in EndpointHtmlRenderer.Streaming.cs like this:
var env = httpContext.RequestServices.GetRequiredService<IWebHostEnvironment>();
var options = httpContext.RequestServices.GetRequiredService<IOptions<RazorComponentsServiceOptions>>();
var showDetailedErrors = env.IsDevelopment() || options.Value.DetailedErrors;I guess we should use a similar condition here, and maybe it could be factored out into a common place.
There was a problem hiding this comment.
This is why I hate partial classes, but good call
There was a problem hiding this comment.
I've factored out the code, and put it in a static method, I can't think of a good place to put that logic, so I'm going to just randomly leave it inside EndpointHtmlRenderer and use it in the invoker, if we go through this code again, we can do a clean-up pass.
There was a problem hiding this comment.
Wouldn't we also use ShouldShowDetailedErrors as the condition for whether to emit The request has an incorrect Content-type. to the response here, instead of IsDevelopment on line 171?
There was a problem hiding this comment.
Yes, I updated it in the wrong place
| @@ -205,7 +215,7 @@ private async Task<RequestValidationState> ValidateRequestAsync(HttpContext cont | |||
| { | |||
| context.Response.StatusCode = StatusCodes.Status400BadRequest; | |||
|
|
|||
| if (context.RequestServices.GetService<IHostEnvironment>()?.IsDevelopment() == true) | |||
| if (EndpointHtmlRenderer.ShouldShowDetailedErrors(context)) | |||
There was a problem hiding this comment.
I didn't spot this before but it's good you've updated it
javiercn
force-pushed
the
javiercn/fix-form-content-type
branch
from
d84f88f
to
1c90e08
Compare
| @@ -165,7 +164,9 @@ private async Task<RequestValidationState> ValidateRequestAsync(HttpContext cont | |||
|
|
|||
| if (processPost) | |||
| { | |||
| if (!context.Request.HasFormContentType) | |||
There was a problem hiding this comment.
@captainsafia I think this was triggered by the antiforgery middleware, I believe we should revisit this to avoid throwing and instead return false. It's surprising otherwise and might break existing code, do you have thoughts?
There was a problem hiding this comment.
I think you might be talking about the exception that gets thrown here). If so, I'm a little cautious about changing this behavior given its in the FormFeature shared across the stack as opposed to just being in anti-forgery middleware.
We don't eagerly validate the content type in the anti-forgery middleware (although we could) then we wouldn't fall through to the exception in the FormFeature.
There was a problem hiding this comment.
I might have been confused and thought the issue might have been related to antiforgery, since I saw an exception pop right before.
I'll take another quick look at it and see if I repro it in a simpler way. I throught it was the thing where we poisoned the IFormFeature that was throwing, but I can't find it right now.
Sends bad request if content-type is not valid (like application/json)
Fixes #55582