Univention Bugzilla – Bug 50117
[UDM HTTP API] HTTP 400 when Content-Type in header of GET request
Last modified: 2019-09-22 15:51:13 CEST
Raising a HTTP 400 status with message "safe HTTP method should not contain request body/content-type", when receiving an unnecessary header, breaks a lot of clients - and is unnecessary. Requests with methods HEAD, GET and OPTIONS should not contain a body - OK. But sending a content-type for a non-existing body is not really an error, and should thus be ignored.
Created attachment 10173
Patch makes API ignore unnecessary 'Content-Type' header.
I don't really understand the use case?
This is fully conform HTTP behavior:
https://tools.ietf.org/html/rfc7231#section-4.3.1:
> A payload within a GET request message has no defined semantics;
> sending a payload body on a GET request might cause some existing
> implementations to reject the request.

You are sending a body (or even not) and a Content-Type header which describes this body.
But GET doesn't allow any body on our resources and rejects this.

Do you have trouble sending a GET request without a Content-Type header in your client? Does any automized client send the header?
(In reply to Florian Best from comment #2)
> I don't really understand the use case?
> This is fully conform HTTP behavior:
> https://tools.ietf.org/html/rfc7231#section-4.3.1:
> > A payload within a GET request message has no defined semantics;
> > sending a payload body on a GET request might cause some existing
> > implementations to reject the request.
>
> You are sending a body (or even not) and a Content-Type header which
> describes this body.
> But GET doesn't allow any body on our resources and rejects this.
>
> Do you have trouble sending a GET request without a Content-Type header in
> your client? Does any automized client send the header?

Yes - the client sends the superfluous header. It does not send a body. So there is no problem and no RFC breach - just an unnecessary header which can be ignored.
Same happens for DELETE (superfluous 'Content-Type' and no body):

body = None
headers = {'Authorization': 'Basic QWRtaW5pc3RyYXRvcjp1bml2ZW50aW9u', 'Content-Type': 'application/json', 'User-Agent': 'OpenAPI-Generator/1.0.0/python'}
query_params = []
url = 'https://m66.uni.dtr/univention/udm/users/user/uid%3Dkathryn.roman%2Ccn%3Dusers%2Cdc%3Duni%2Cdc%3Ddtr'

<h1>HTTP-Error 400: </h1>
<p style="white-space: pre">HTTP 400: Bad Request (Invalid JSON document: ValueError('No JSON object could be decoded',))</p>
Okay, Content-Type header is ignored but instead it's checked for the request body to be empty:

univention-directory-manager-rest (9.0.15-3)
2659f809bc43 | Bug #50117: allow Content-Type header on GET requests, but disallow body

This is a workaround for a broken OpenAPI client:
https://github.com/OpenAPITools/openapi-generator/blob/5b9283beca0f0a8a185d3be5b53ccc7442341dc2/modules/openapi-generator/src/main/resources/python/asyncio/rest.mustache#L116
Please also add 'DELETE' to the list of methods checked in decode_request_arguments().
(In reply to Daniel Tröder from comment #6)
> Please also add 'DELETE' to the list of methods checked in
> decode_request_arguments().

DELETE has been added.
OK: When using a safe HTTP method ('HEAD', 'GET', 'OPTIONS', 'DELETE') the Content-Type header is ignored if the body is empty.
OK: code
OK: manual test
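
The behaviour this thread converges on, modelled as an added example; it is not the code of univention-directory-manager-rest or of decode_request_arguments(). The names decode_before, decode_after and BadRequest and the error text for a rejected body are assumptions; the other two messages are the ones quoted in the comments above.

```python
import json

SAFE_METHODS = {"HEAD", "GET", "OPTIONS"}     # methods named in the report
BODYLESS_METHODS = SAFE_METHODS | {"DELETE"}  # DELETE was added later in the thread


class BadRequest(Exception):
    """Stands in for an HTTP 400 response (hypothetical name)."""


def _content_type(headers):
    # Header names are case-insensitive; parameters such as charset are dropped.
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""


def _decode_json(body):
    try:
        return json.loads(body or b"")
    except ValueError as exc:
        raise BadRequest("Invalid JSON document: %r" % (exc,))


def decode_before(method, headers, body):
    """Model of the reported behaviour: the header alone leads to a 400."""
    ctype = _content_type(headers)
    if method.upper() in SAFE_METHODS:
        if body or ctype:
            raise BadRequest("safe HTTP method should not contain request body/content-type")
        return None
    # DELETE was not in the list, so an empty body reached the JSON decoder.
    return _decode_json(body) if ctype == "application/json" else None


def decode_after(method, headers, body):
    """Model of the fixed behaviour: header ignored, non-empty body still rejected."""
    if method.upper() in BODYLESS_METHODS:
        if body:
            # Assumed message; the thread does not quote the new error text.
            raise BadRequest("%s request must not contain a body" % method.upper())
        return None
    return _decode_json(body) if _content_type(headers) == "application/json" else None
```
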
<http://errata.software-univention.de/ucs/4.4/282.html>