content types need to be ranged over in case of ones with a ';' in them #234
Conversation
Only issue I see is that this takes the complexity from constant time to quadratic. If this is being run on every request, that could start to be a problem (or an attack vector - e.g. sending Content-Type: ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; with a larger DDOS).
If you agree that it's a problem, I propose splitting on the semicolon and just using the first substring. That keeps things constant-time.
Ah, yes, good point. Didn't even cross my mind. Good catch.
default_context.go
Outdated
if b, ok := binders[strings.TrimSpace(c)]; ok { | ||
return b(d.Request(), value) | ||
} | ||
cts := strings.Split(ct, ";")[0] |
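Review bot: `cts` should get the same `strings.TrimSpace` that the existing lookup applies to `c`; without it a header such as `application/json ; charset=utf-8` (space before the `;`) produces a key with trailing whitespace and the `binders` lookup misses. The `strings.Split(ct, ";")[0]` line also deserves a comment saying that `Split` always returns at least one element, so indexing `[0]` is safe on an empty header value, and that everything after the first `;` (charset and any other parameters) is intentionally discarded.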
Did you test this for empty string "ct"? I'm afraid it will panic
Splitting on an empty string returns a slice that has 1 empty string element in it:
https://play.golang.org/p/_y55t5_kC9
Still, I'll wrap it anyway, just to prevent future peeps from questioning at it.
If the content type contains a charset, like "application/json; charset=utf-8", then the charset will not be considered.
@markbates I opened a PR into this branch to check the more specific scenario that I was thinking of. It looks like it did not error, so I learned something today :-)
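The three points raised in this thread (a single lookup instead of one per `;`-separated segment, `strings.Split` on an empty string being safe to index, and the charset being dropped) can be checked together in a small stand-alone program. This is an added example, not code from the project or from anyone in the thread; the `Binder` type and the `binders` map are assumed stand-ins for the project's own types, and the sample header values are constructed. The `mediaTypeWithParams` function goes beyond the patch by showing the standard library `mime.ParseMediaType`, which keeps the parameters available if a caller ever needs the charset.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// Binder is an assumed stand-in for the project's request binder type.
type Binder func(value string) string

// binders is constructed sample data keyed by the bare media type.
var binders = map[string]Binder{
	"application/json": func(v string) string { return "json:" + v },
	"application/xml":  func(v string) string { return "xml:" + v },
}

// mediaType returns the media type portion of a Content-Type header value:
// everything before the first ';', with surrounding whitespace trimmed.
// strings.Split never returns an empty slice, so index 0 is always safe,
// including for an empty header value.
func mediaType(ct string) string {
	return strings.TrimSpace(strings.Split(ct, ";")[0])
}

// lookupBinder performs exactly one map lookup keyed by the bare media type.
// Whatever follows the first ';' is ignored, so a header padded with many
// semicolons costs one Split and one lookup rather than one lookup per segment.
func lookupBinder(ct string) (Binder, bool) {
	b, ok := binders[mediaType(ct)]
	return b, ok
}

// segmentsScanned reports how many map lookups the earlier range-over-Split
// approach would have performed for the same header value.
func segmentsScanned(ct string) int {
	return len(strings.Split(ct, ";"))
}

// mediaTypeWithParams uses the standard library parser, which returns the
// media type and its parameters (for example charset) separately.
func mediaTypeWithParams(ct string) (string, map[string]string, error) {
	return mime.ParseMediaType(ct)
}

func main() {
	samples := []string{
		"application/json",
		"application/json; charset=utf-8",
		"",                       // empty header: Split still yields one element
		strings.Repeat(";", 64), // constructed padding mirroring the review concern
	}
	for _, ct := range samples {
		_, ok := lookupBinder(ct)
		fmt.Printf("%q -> media type %q, binder found=%v, old approach would scan %d segments\n",
			ct, mediaType(ct), ok, segmentsScanned(ct))
	}
	mt, params, err := mediaTypeWithParams("application/json; charset=utf-8")
	fmt.Println(mt, params, err)
}
```

Running it shows that the padded header resolves to an empty media type (no binder, no panic) with a single lookup, while the old approach would have scanned 65 segments for the same input.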