The mechanism to detect an empty request body during the MVC Model Binding now uses the IHttpRequestBodyDetectionFeature.CanHaveBody, that is currently implemented by the following behavior:
true when:
It's an HTTP/1.x request with a non-zero Content-Length or a Transfer-Encoding: chunked header.
It's an HTTP/2 request that did not set the END_STREAM flag on the initial headers frame.
false when:
It's an HTTP/1.x request with no Content-Length or Transfer-Encoding: chunked header, or the Content-Length is 0.
It's an HTTP/1.x request with Connection: Upgrade (e.g. WebSockets). There is no HTTP request body for these requests and no data should be received until after the upgrade.
It's an HTTP/2 request that set END_STREAM on the initial headers frame.
Since the previous behavior was a simple validation of the Content-Length == 0, in some scenarios when requests are not sending all needed HTTP information, could now be detected as empty request and report a failure to the client.
Version
7.0.0-preview3
Previous behavior
Before if you have a Controller's action that bind a parameter from body:
[HttpPost()]
public IActionResult Required([FromBody] TestClass value) => Ok(value);
And the client request does not include a Content-Length header, eg.:
curl --request POST -k -i "[action]" -H "Content-Type: application/json"
This request will cause an internal exception during the body deserialization:
Eg.: When using the System.Text.Json input formatter
System.Text.Json.JsonException: 'The input does not contain any JSON tokens.
Expected the input to start with a valid JSON token, when isFinalBlock is true.
Path: $ | LineNumber: 0 | BytePositionInLine: 0.'
Also, a response payload similar to this will be receive by the client:
{
"type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
"title": "One or more validation errors occurred.",
"status": 400,
"traceId": "00-34e98b5841b88bfb5476965efd9d9c8c-5bb16bc50dfbabb7-00",
"errors": {
"$": [
+ "The input does not contain any JSON tokens. Expected the input to start with a valid JSON token, when isFinalBlock is true. Path: $ | LineNumber: 0 | BytePositionInLine: 0."
],
"value": [
"The value field is required."
]
}
}
New behavior
With the updated detection mechanism, the deserialization will not be trigger since an empty request body will be detected and only a validation message will be reported back to the client. Eg.:
{
"type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
"title": "One or more validation errors occurred.",
"status": 400,
"traceId": "00-0f87920dc675fdfdf8d7638d3be66577-bd6bdbf32d21b714-00",
"errors": {
"": [
+ "A non-empty request body is required."
],
"value": [
"The value field is required."
]
}
}
Type of breaking change
[X] Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
[ ] Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
Reason for change
This change is an alignment with other parts of the framework that were already using the IHttpRequestBodyDetectionFeature.CanHaveBody and also a fix to a reported issue dotnet/aspnetcore/issues/29570
Recommended action
No change is required, however, if you getting an unexpected behavior is recommended to review if your client's requests are sending the appropriated headers/information.
Description
The mechanism to detect an empty request
bodyduring the MVC Model Binding now uses theIHttpRequestBodyDetectionFeature.CanHaveBody, that is currently implemented by the following behavior:truewhen:HTTP/1.xrequest with a non-zeroContent-Lengthor aTransfer-Encoding: chunkedheader.HTTP/2request that did not set theEND_STREAMflag on the initial headers frame.falsewhen:HTTP/1.xrequest with noContent-LengthorTransfer-Encoding: chunkedheader, or theContent-Lengthis0.HTTP/1.xrequest withConnection: Upgrade(e.g. WebSockets). There is no HTTP request body for these requests and no data should be received until after the upgrade.HTTP/2request that setEND_STREAMon the initial headers frame.Since the previous behavior was a simple validation of the
Content-Length == 0, in some scenarios when requests are not sending all needed HTTP information, could now be detected as empty request and report a failure to the client.Version
7.0.0-preview3
Previous behavior
Before if you have a Controller's action that bind a parameter from body:
And the client request does not include a
Content-Lengthheader, eg.:This request will cause an internal exception during the body deserialization:
Eg.: When using the
System.Text.Jsoninput formatterAlso, a response payload similar to this will be receive by the client:
New behavior
With the updated detection mechanism, the deserialization will not be trigger since an empty request body will be detected and only a
validationmessage will be reported back to the client. Eg.:Type of breaking change
Reason for change
This change is an alignment with other parts of the framework that were already using the
IHttpRequestBodyDetectionFeature.CanHaveBodyand also a fix to a reported issue dotnet/aspnetcore/issues/29570Recommended action
No change is required, however, if you getting an unexpected behavior is recommended to review if your client's requests are sending the appropriated headers/information.
Affected APIs
MVC Action Controllers