[jira] [Commented] (CXF-8962) HttpClientHTTPConduit sets Content-Type Header for DELETE requests with empty body
[ https://issues.apache.org/jira/browse/CXF-8962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17816362#comment-17816362 ]

Andriy Redko commented on CXF-8962:
-----------------------------------

[~amichai] Hm ... you could do it like that:
{noformat}
WebClient.getConfig(client).getRequestContext().put("set.content.type.for.empty.request", true);
{noformat}
which is actually equivalent to client.getConfiguration().getRequestContext().put(...)

> HttpClientHTTPConduit sets Content-Type Header for DELETE requests with empty body
> ----------------------------------------------------------------------------------
>
> Key: CXF-8962
> URL: https://issues.apache.org/jira/browse/CXF-8962
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 4.0.3
> Reporter: Alonso Gonzalez
> Priority: Major
>
> We call a DELETE endpoint of a REST API, but the server rejects the call with
> a client error, because CXF sends "Content-Type: text/xml" although the
> content is empty (as suggested by RFC 9110).
>
> The implementation of {{setProtocolHeaders()}} in {{HttpClientHTTPConduit}}
> calls {{setProtocolHeadersInBuilder()}} to set the HTTP headers. This method
> computes a "Content-Type" header if the verb is not in the list
> KNOWN_HTTP_VERBS_WITH_NO_CONTENT. DELETE is not part of this list although
> RFC 9110 states that DELETE requests should not have content [1]. Thus if a
> client follows the RFC and sends a DELETE request with no content, CXF will
> nonetheless set a Content-Type header. {{Headers#determineContentType}} uses
> "text/xml" as fallback if no content type can be computed.
> The old implementation {{URLConnectionHTTPConduit}} called
> {{Headers#setProtocolHeadersInConnection}} to set the headers. This method
> allowed to omit the "Content-Type" header via the property
> "set.content.type.for.empty.request".
>
> The new implementation should handle DELETE requests with empty body
> correctly or evaluate the existing property
> "set.content.type.for.empty.request".
>
> [1]
> {quote}Although request message framing is independent of the method used,
> content received in a DELETE request has no generally defined semantics,
> cannot alter the meaning or target of the request, and might lead some
> implementations to reject the request and close the connection because of its
> potential as a request smuggling attack (Section 11.2 of [HTTP/1.1]). A
> client SHOULD NOT generate content in a DELETE request unless it is made
> directly to an origin server that has previously indicated, in or out of
> band, that such a request has a purpose and will be adequately supported.
> {quote}
> [https://www.rfc-editor.org/rfc/rfc9110.html#name-delete]

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (CXF-8962) HttpClientHTTPConduit sets Content-Type Header for DELETE requests with empty body
[ https://issues.apache.org/jira/browse/CXF-8962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17816318#comment-17816318 ]

Amichai Rothman commented on CXF-8962:
--------------------------------------

This is embarrassing but I can't figure out where to set that property on the WebClient... client.getConfiguration().getBus().setProperty() didn't work, client.getConfiguration().getRequestContext().put() didn't work, where are these properties supposed to come from?
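A regression check for the behaviour reported in this issue, added here as an example (it is not CXF code and not code from the thread): a loopback server records the headers of one body-less DELETE so the presence of Content-Type can be checked. The class name, the `ClientCall` interface and the `/items/1` path are hypothetical, and the JDK `HttpClient` is only a stand-in for the CXF client call being verified.

```java
import com.sun.net.httpserver.Headers;
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.concurrent.atomic.AtomicReference;

public class EmptyDeleteHeaderCheck {

    /** The client call under test; hypothetical interface for this example. */
    interface ClientCall {
        void send(URI target) throws Exception;
    }

    /** Runs one client call against a loopback server and returns the request headers it received. */
    static Headers capture(ClientCall call) throws Exception {
        AtomicReference<Headers> seen = new AtomicReference<>();
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            seen.set(exchange.getRequestHeaders());
            exchange.sendResponseHeaders(204, -1); // 204 No Content, no response body
            exchange.close();
        });
        server.start();
        try {
            int port = server.getAddress().getPort();
            call.send(URI.create("http://127.0.0.1:" + port + "/items/1"));
        } finally {
            server.stop(0);
        }
        return seen.get();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in client (JDK HttpClient). Replace the lambda with the CXF call being verified.
        Headers headers = capture(target -> HttpClient.newBuilder()
                .version(HttpClient.Version.HTTP_1_1)
                .build()
                .send(HttpRequest.newBuilder(target).DELETE().build(),
                      HttpResponse.BodyHandlers.discarding()));

        String contentType = headers.getFirst("Content-Type");
        if (contentType != null) {
            throw new AssertionError("body-less DELETE carried Content-Type: " + contentType);
        }
        System.out.println("OK: body-less DELETE sent without a Content-Type header");
    }
}
```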