ninenines / cowboy

Small, fast, modern HTTP server for Erlang/OTP.
https://ninenines.eu
ISC License

cowboy_rest dislikes invalid content-type #485

Closed dvv closed 11 years ago

dvv commented 11 years ago

https://github.com/extend/cowboy/blob/master/src/cowboy_rest.erl#L836-L837

Unparsable content-type headers drop the flow. IMHO here one expects some kind of soft error.

dvv commented 11 years ago

Maybe

            case cowboy_req:parse_header(<<"content-type">>, Req2) of
                {ok, ContentType, Req3} ->
                    choose_content_type(Req3, State2, OnTrue, ContentType, CTA2);
                _ ->
                    respond(Req2, State2, 415)
            end

tarekz commented 11 years ago

I am not sure if this is relevant, but I had some trouble with headers because I used lower case. Seems like the new cowboy code is case sensitive. <<"Content-Type">>.

dvv commented 11 years ago

The issue is because two content type headers are glued together by an intermediary or a malicious user into one comma-separated header, which is semantically invalid here but valid syntactically.
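
The failure mode described in this thread, as an added example that is not part of the issue or Cowboy's own code: a strict Content-Type check that turns any value that is not exactly one media type, including two values glued together with a comma, into a 415 decision instead of a crash. The module `ct_check` and its function names are hypothetical, the grammar follows the media-type rule of RFC 7231, the sample header values are constructed, and `string:lowercase/1` assumes OTP 20 or later.

```erlang
%% Added example, not Cowboy code; module and function names are hypothetical.
-module(ct_check).
-export([decide/1, demo/0]).

%% Soft-error decision: proceed with the parsed media type, or answer 415.
decide(Raw) when is_binary(Raw) ->
    try
        {Type, <<"/", R1/binary>>} = token(ows(Raw), <<>>),
        {SubType, R2} = token(R1, <<>>),
        {accept, {string:lowercase(Type), string:lowercase(SubType),
                  params(ows(R2), [])}}
    catch
        %% Any failed match below means the value is not exactly one media type.
        error:_ -> {respond, 415}
    end.

%% Parameters: *( OWS ";" OWS token "=" ( token / quoted-string ) ).
%% Anything else after the subtype, such as a comma, matches no clause.
params(<<>>, Acc) -> lists:reverse(Acc);
params(<<";", R0/binary>>, Acc) ->
    {Name, <<"=", R1/binary>>} = token(ows(R0), <<>>),
    {Value, R2} = value(R1),
    params(ows(R2), [{string:lowercase(Name), Value} | Acc]).

value(<<$", Rest/binary>>) -> quoted(Rest, <<>>);
value(Bin) -> token(Bin, <<>>).
quoted(<<$", Rest/binary>>, Acc) -> {Acc, Rest};
quoted(<<$\\, C, Rest/binary>>, Acc) -> quoted(Rest, <<Acc/binary, C>>);
quoted(<<C, Rest/binary>>, Acc) -> quoted(Rest, <<Acc/binary, C>>).

%% token = 1*tchar; an empty token is an error.
token(<<C, Rest/binary>> = Bin, Acc) ->
    case tchar(C) of
        true -> token(Rest, <<Acc/binary, C>>);
        false when Acc =/= <<>> -> {Acc, Bin}
    end;
token(<<>>, Acc) when Acc =/= <<>> -> {Acc, <<>>}.

tchar(C) when C >= $a, C =< $z; C >= $A, C =< $Z; C >= $0, C =< $9 -> true;
tchar(C) -> lists:member(C, "!#$%&'*+-.^_`|~").

ows(<<C, Rest/binary>>) when C =:= $\s; C =:= $\t -> ows(Rest);
ows(Rest) -> Rest.

%% Constructed samples: valid, comma inside a quoted-string, two values glued.
demo() ->
    [decide(H) || H <- [<<"application/json; charset=utf-8">>,
                        <<"multipart/form-data; boundary=\"a,b\"">>,
                        <<"application/json, text/plain">>]].
```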

dvv commented 11 years ago

A fix is proposed at https://github.com/dvv/cowboy/commit/18ac8835dbb571a4c2da98ea9f9c3ced524195b3

essen commented 11 years ago

Please put the State2 line back, also pass it in respond/3 and open a PR.

dvv commented 11 years ago

494

essen commented 11 years ago

Closing, thanks!