[jira] [Commented] (CXF-8962) HttpClientHTTPConduit sets Content-Type Header for DELETE requests with empty body

2024-02-10 Thread Andriy Redko (Jira) 


[ 
https://issues.apache.org/jira/browse/CXF-8962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17816362#comment-17816362
 ] 

Andriy Redko commented on CXF-8962:
---

[~amichai] Hm ... you could do it like that:
{noformat}
WebClient.getConfig(client).getRequestContext().put("set.content.type.for.empty.request",
 true); {noformat}
{color:#00}which is actually equivalent to 
client.getConfiguration().getRequestContext().put(...) {color}
 

> HttpClientHTTPConduit sets Content-Type Header for DELETE requests with empty 
> body
> --
>
> Key: CXF-8962
> URL: https://issues.apache.org/jira/browse/CXF-8962
> Project: CXF
>  Issue Type: Bug
>  Components: Transports
>Affects Versions: 4.0.3
>Reporter: Alonso Gonzalez
>Priority: Major
>
> We call a DELETE endoint of a REST API, but the server rejects the call with 
> a client error, because CXF sends "Content-Type: text/xml" although the 
> content is empty (as suggested by RFC 9110).
>  
> The implementation of {{setProtocolHeaders()}} in {{HttpClientHTTPConduit}} 
> calls {{setProtocolHeadersInBuilder()}} to set the HTTP headers. This methods 
> computes a "Content-Type" header if the verb is not in the list 
> KNOWN_HTTP_VERBS_WITH_NO_CONTENT. DELETE is not part of this list although 
> RFC 9110 states that DELETE requests should not have content [1]. Thus if a 
> client follows the RFC and sends a DELETE request with no content, CXF will 
> nonetheless set a Content-Type header. {{Headers#determineContentType}} uses 
> "text/xml" as fallback if no content type can be computed. 
> The old implementation {{URLConnectionHTTPConduit}} called a 
> {{Headers#setProtocolHeadersInConnection}} to set the headers. This method 
> allowed to omit the "Content-Type" header via the property 
> "set.content.type.for.empty.request".
>  
> The new implementation should handle DELETE requests with empty body 
> correctly or evaluate the existing property 
> "set.content.type.for.empty.request".
>  
> [1]
> {quote}Although request message framing is independent of the method used, 
> content received in a DELETE request has no generally defined semantics, 
> cannot alter the meaning or target of the request, and might lead some 
> implementations to reject the request and close the connection because of its 
> potential as a request smuggling attack (Section 11.2 of [HTTP/1.1]). A 
> client SHOULD NOT generate content in a DELETE request unless it is made 
> directly to an origin server that has previously indicated, in or out of 
> band, that such a request has a purpose and will be adequately supported.
> {quote}
> [https://www.rfc-editor.org/rfc/rfc9110.html#name-delete]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (CXF-8962) HttpClientHTTPConduit sets Content-Type Header for DELETE requests with empty body

2024-02-10 Thread Amichai Rothman (Jira) 


[ 
https://issues.apache.org/jira/browse/CXF-8962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17816318#comment-17816318
 ] 

Amichai Rothman commented on CXF-8962:
--

This is embarassing but I can't figure out where to set that property on the 
WebClient... client.getConfiguration().getBus().setProperty() didn't work, 
client.
getConfiguration().getRequestContext().put() didn't work, where are these 
properties supposed to come from?

> HttpClientHTTPConduit sets Content-Type Header for DELETE requests with empty 
> body
> --
>
> Key: CXF-8962
> URL: https://issues.apache.org/jira/browse/CXF-8962
> Project: CXF
>  Issue Type: Bug
>  Components: Transports
>Affects Versions: 4.0.3
>Reporter: Alonso Gonzalez
>Priority: Major
>
> We call a DELETE endoint of a REST API, but the server rejects the call with 
> a client error, because CXF sends "Content-Type: text/xml" although the 
> content is empty (as suggested by RFC 9110).
>  
> The implementation of {{setProtocolHeaders()}} in {{HttpClientHTTPConduit}} 
> calls {{setProtocolHeadersInBuilder()}} to set the HTTP headers. This methods 
> computes a "Content-Type" header if the verb is not in the list 
> KNOWN_HTTP_VERBS_WITH_NO_CONTENT. DELETE is not part of this list although 
> RFC 9110 states that DELETE requests should not have content [1]. Thus if a 
> client follows the RFC and sends a DELETE request with no content, CXF will 
> nonetheless set a Content-Type header. {{Headers#determineContentType}} uses 
> "text/xml" as fallback if no content type can be computed. 
> The old implementation {{URLConnectionHTTPConduit}} called a 
> {{Headers#setProtocolHeadersInConnection}} to set the headers. This method 
> allowed to omit the "Content-Type" header via the property 
> "set.content.type.for.empty.request".
>  
> The new implementation should handle DELETE requests with empty body 
> correctly or evaluate the existing property 
> "set.content.type.for.empty.request".
>  
> [1]
> {quote}Although request message framing is independent of the method used, 
> content received in a DELETE request has no generally defined semantics, 
> cannot alter the meaning or target of the request, and might lead some 
> implementations to reject the request and close the connection because of its 
> potential as a request smuggling attack (Section 11.2 of [HTTP/1.1]). A 
> client SHOULD NOT generate content in a DELETE request unless it is made 
> directly to an origin server that has previously indicated, in or out of 
> band, that such a request has a purpose and will be adequately supported.
> {quote}
> [https://www.rfc-editor.org/rfc/rfc9110.html#name-delete]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)