dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

HTTP 411 POST validation not triggering when request method is not identically capitalized #26803

Open Cyberboss opened 3 years ago

Cyberboss commented 3 years ago

Describe the bug

Using the method POST without Content-Length or Transfer-Encoding triggers a rejection with HTTP 411, while the method POSt does not.

See the validation originally introduced in this commit.

https://github.com/dotnet/aspnetcore/commit/a1c598733b4d834a8a36359f52e447e99da2f142

Examples:

Method POST:

Cyberboss@CYBERSTATIONXVI MINGW64 ~
$ curl -H "Authorization:basic YWRtaW46SVNvbGVtbHlTd2VhclRvRGVsZXRlVGhlRGF0YURpcmVjdG9yeQ==" -H "Api: Tgstation.Server.Api/7.3.2" -v -X POST localhost:5000
*   Trying ::1:5000...
* Connected to localhost (::1) port 5000 (#0)
> POST / HTTP/1.1
> Host: localhost:5000
> User-Agent: curl/7.70.0
> Accept: */*
> Authorization:basic YWRtaW46SVNvbGVtbHlTd2VhclRvRGVsZXRlVGhlRGF0YURpcmVjdG9yeQ==
> Api: Tgstation.Server.Api/7.3.2
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 411 Length Required
< Connection: close
< Date: Mon, 12 Oct 2020 06:33:48 GMT
< Server: Kestrel
< Content-Length: 0
<
* Closing connection 0

Method POSt:

Cyberboss@CYBERSTATIONXVI MINGW64 ~
$ curl -H "Authorization:basic YWRtaW46SVNvbGVtbHlTd2VhclRvRGVsZXRlVGhlRGF0YURpcmVjdG9yeQ==" -H "Api: Tgstation.Server.Api/7.3.2" -v -X POSt localhost:5000
*   Trying ::1:5000...
* Connected to localhost (::1) port 5000 (#0)
> POSt / HTTP/1.1
> Host: localhost:5000
> User-Agent: curl/7.70.0
> Accept: */*
> Authorization:basic YWRtaW46SVNvbGVtbHlTd2VhclRvRGVsZXRlVGhlRGF0YURpcmVjdG9yeQ==
> Api: Tgstation.Server.Api/7.3.2
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 12 Oct 2020 06:34:02 GMT
< Content-Type: application/json; charset=utf-8
< Server: Kestrel
< Transfer-Encoding: chunked
<
{ [293 bytes data]
{"bearer":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIiwiZXhwIjoiMTYwMjQ4NTM0MiIsIm5iZiI6IjE2MDI0ODQ0NDIiLCJpc3MiOiJUZ3N0YXRpb24uU2VydmVyLkhvc3QiLCJhdWQiOiJUZ3N0YXRpb24uU2VydmVyLkFwaSJ9.dfsYqxMedbVUeo7PN0ibH-xMLx17qXUmbsMUTNRANVs","expiresAt":"2020-10-12T02:49:02.5216723-04:00"}
* Connection #0 to host localhost left intact

Cyberboss@CYBERSTATIONXVI MINGW64 ~
$

The second response is what is expected of the method running successfully. I would expect the validation performed here to be case-insensitive (i.e. both should reject with HTTP 411).

To Reproduce

No bandwidth to currently make a repro, please let me know if more info is required.

Project: https://github.com/tgstation/tgstation-server/tree/843c3f660e30fef8cc525c24bf2275ad668da3cf/src/Tgstation.Server.Host
Dotnet Host Configuration: https://github.com/tgstation/tgstation-server/blob/843c3f660e30fef8cc525c24bf2275ad668da3cf/src/Tgstation.Server.Host/ServerFactory.cs#L62
MVC Configuration: https://github.com/tgstation/tgstation-server/blob/843c3f660e30fef8cc525c24bf2275ad668da3cf/src/Tgstation.Server.Host/Core/Application.cs#L180

Further technical details

Runtime Environment:
  OS Name:     Windows
  OS Version:  10.0.18363
  OS Platform: Windows
  RID:         win10-x64
  Base Path:   C:\Program Files\dotnet\sdk\3.1.401\

Host (useful for support):
  Version: 3.1.7
  Commit:  fcfdef8d6b

.NET Core SDKs installed:
  2.1.201 [C:\Program Files\dotnet\sdk]
  2.1.202 [C:\Program Files\dotnet\sdk]
  2.1.402 [C:\Program Files\dotnet\sdk]
  2.1.502 [C:\Program Files\dotnet\sdk]
  2.1.504 [C:\Program Files\dotnet\sdk]
  2.1.607 [C:\Program Files\dotnet\sdk]
  2.2.101 [C:\Program Files\dotnet\sdk]
  3.1.100 [C:\Program Files\dotnet\sdk]
  3.1.401 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.0.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.7 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

- The IDE (VS / VS Code / VS4Mac) you're running on, and its version: Visual Studio 16.7.1
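The two curl runs in the report differ only in the casing of the method token. The following probe, an added example that is not part of the issue or of ASP.NET Core, automates that comparison: it sends the same body-less HTTP/1.1 request head (no Content-Length, no Transfer-Encoding) with several casings of POST over a raw socket, one fresh connection each, and collects the status code per casing, so whether the length check treats the token case-sensitively can be read off in one run. The default target localhost:5000 and the path / are assumptions for illustration; the Authorization and Api headers from the transcripts are not sent, since any endpoint that accepts a POST will do.

```python
"""Probe a server's handling of HTTP method-token casing.

Added example, not part of the issue or of ASP.NET Core. Target host, port
and path are assumptions for illustration.
"""
from __future__ import annotations

import socket

# The RFC token, the casing from the report, and two more that an
# ignore-case comparison would also treat as POST.
METHOD_VARIANTS = ("POST", "POSt", "post", "pOsT")


def build_request(method: str, host: str, path: str = "/",
                  headers: dict[str, str] | None = None) -> bytes:
    """Build an HTTP/1.1 head with neither Content-Length nor Transfer-Encoding,
    the exact shape the 411 check exists for. The method token is sent as
    given, just as curl -X does."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    # Tokens and field names are ASCII (RFC 7230); refuse anything else.
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_status(response: bytes) -> tuple[str, int, str]:
    """Return (version, code, reason) from a response's status line."""
    status_line = response.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    version, _, rest = status_line.partition(" ")
    code, _, reason = rest.partition(" ")
    if not version.startswith("HTTP/") or not code.isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return version, int(code), reason


def send_raw(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Send one raw request and read until the server closes the connection
    (we asked for that with Connection: close) or the timeout elapses."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def probe(host: str, port: int, path: str = "/",
          methods: tuple[str, ...] = METHOD_VARIANTS) -> dict[str, int]:
    """Status code the server returns for each method casing, one fresh
    connection per request so an earlier rejection cannot taint the next."""
    results = {}
    for method in methods:
        response = send_raw(host, port, build_request(method, f"{host}:{port}", path))
        results[method] = parse_status(response)[1]
    return results


def differential(results: dict[str, int], baseline: str = "POST") -> set[str]:
    """Casings handled differently from the canonical token. Under the
    behaviour reported above, 'POSt' lands in this set: POST gets 411 while
    POSt skips the check and reaches the application."""
    return {m for m, code in results.items() if code != results[baseline]}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed default
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5000    # assumed default
    found = probe(host, port)
    for method, code in found.items():
        print(f"{method:5} -> {code}")
    print("handled differently from POST:", sorted(differential(found)) or "none")
```

Point it at a server with an endpoint that accepts POST. A non-empty result means the method token is being compared by exact bytes in one place and case-insensitively in another, so any rule keyed on the method in that deployment (the length validation here, but also per-method authorization or proxy and WAF rules in front of the server) is worth re-testing with the same casing variants.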
Tratcher commented 3 years ago

https://tools.ietf.org/html/rfc7231#section-4.1

The method token is case-sensitive... By convention, standardized methods are defined in all-uppercase US-ASCII letters.

The server is currently within spec, but we might fix this anyways. The rest of the stack treats the method as case insensitive.

ghost commented 3 years ago

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

ladeak commented 3 years ago

The problem here is that the HttpMethod used to filter the Post and Put requests is parsed from uppercase values. So the place throwing this error actually sees HttpMethod.Custom for request with POSt method.

A way to fix this would require extending the current condition with a check for the Custom HttpMethod value and then doing a string-ordinal-ignore-case comparison with the MethodText property, which I believe is quite a performance penalty on this path (although now it affects only Http1.0).
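To make the mismatch described in the comments above concrete, the following added example (not Kestrel's code, and not code proposed by anyone in the thread) models the decision in Python. The method token is classified either strictly, so that only the exact token POST maps to the known method and POSt falls through as a custom method, or with an ordinal ignore-case comparison as proposed. Body framing then follows RFC 7230 section 3.3.3, and a POST or PUT with neither Transfer-Encoding nor Content-Length is answered 411. One deliberate choice of this example: a head carrying both Transfer-Encoding and Content-Length is rejected outright rather than letting Transfer-Encoding take precedence, since that combination is the classic request smuggling shape. Function names, the status convention and the sample requests are constructed for the demonstration.

```python
"""Model of the 411 decision discussed above: strict vs ignore-case method matching.

Added example, not Kestrel's implementation. Names, sample requests and the
status convention (200 = not rejected, handed to the application) are assumed.
"""
from __future__ import annotations

KNOWN_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE", "CONNECT")
LENGTH_REQUIRED_METHODS = ("POST", "PUT")  # the two methods the original check covers


class BadRequest(Exception):
    """Raised for a head the server should answer with 400 and close."""


def parse_head(raw: bytes) -> tuple[str, str, str, list[tuple[str, str]]]:
    """Split a request head into (method token, target, version, headers).
    Header names are lower-cased for lookup; values keep their order."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete head")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII bytes in head") from None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise BadRequest("malformed request line")
    method, target, version = parts
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # RFC 7230 3.2.4: no whitespace between the field name and the colon.
        if not colon or not name or name != name.strip():
            raise BadRequest(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return method, target, version, headers


def classify_method(token: str, ignore_case: bool) -> str:
    """Map a method token to a known method name or 'CUSTOM'.
    Strict mode is what the thread describes: only the exact token is
    recognised, so 'POSt' becomes CUSTOM and never reaches the 411 check.
    Ignore-case mode folds the token first, as the proposed fix would."""
    candidate = token.upper() if ignore_case else token
    return candidate if candidate in KNOWN_METHODS else "CUSTOM"


def body_framing(headers: list[tuple[str, str]]) -> str:
    """Decide how the body is delimited (RFC 7230 3.3.3): 'chunked',
    'content-length:<n>' or 'none'. Both headers at once is rejected here."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        raise BadRequest("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":  # only a final chunked coding is self-delimiting
            raise BadRequest("Transfer-Encoding without final chunked coding")
        return "chunked"
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise BadRequest("invalid or conflicting Content-Length")
        return f"content-length:{int(cl[0])}"
    return "none"


def decide(raw: bytes, ignore_case: bool) -> tuple[str, str, int]:
    """Return (classified method, framing, status) for one raw request:
    411 when a POST/PUT carries no length, 400 for a malformed head, and
    200 when the server would hand the request on to the application."""
    try:
        token, _target, _version, headers = parse_head(raw)
        framing = body_framing(headers)
    except BadRequest:
        return "?", "?", 400
    method = classify_method(token, ignore_case)
    if method in LENGTH_REQUIRED_METHODS and framing == "none":
        return method, framing, 411
    return method, framing, 200


# Constructed samples: the two requests from the report plus shapes the
# framing rules must handle.
SAMPLES: dict[str, bytes] = {
    "POST, no length": b"POST / HTTP/1.1\r\nHost: localhost:5000\r\n\r\n",
    "POSt, no length": b"POSt / HTTP/1.1\r\nHost: localhost:5000\r\n\r\n",
    "post, content-length": b"post / HTTP/1.1\r\nHost: localhost:5000\r\nContent-Length: 2\r\n\r\n{}",
    "PUT, chunked": b"PUT / HTTP/1.1\r\nHost: localhost:5000\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "POST, CL and TE": b"POST / HTTP/1.1\r\nHost: localhost:5000\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "GET, no length": b"GET / HTTP/1.1\r\nHost: localhost:5000\r\n\r\n",
}


def compare(samples: dict[str, bytes] = SAMPLES) -> dict[str, tuple[int, int]]:
    """Status for each sample under (strict, ignore-case) matching."""
    return {name: (decide(raw, False)[2], decide(raw, True)[2]) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (strict, folded) in compare().items():
        print(f"{name:22} strict={strict}  ignore-case={folded}")
```

The "POSt, no length" row is the issue: strict matching forwards it (the transcript's 200) while ignore-case matching answers 411 exactly as for "POST". The performance concern raised above is visible in the shape of the code as well: the fold only has to run for tokens that did not match a known method exactly, so the common all-uppercase path pays nothing extra.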