Remove Content-Type Header when request with empty body POST method #2555


jay-choe
Contributor

@jay-choe jay-choe commented Sep 18, 2024

Hi.

I have looked at this issue and got an idea to deal with it.

The current code converts a null body to a non-null one and writes it to the output stream.

In that process, when an empty string is written to the output stream, an unwanted Content-Type header is added, which is "application/x-www-form-urlencoded".

So I rearranged the null-body code to avoid the unwanted header.

With this, the Content-Length header is not set, so I added it. But this header is a restricted header, so the 'sun.net.http.allowRestrictedHeaders' system property should be true to add the Content-Length header.

And this property should be set before the client class is loaded. I guess there is no suitable way to inject a restricted header into the connection.

Feel free to comment on this idea. Thanks.

@jay-choe jay-choe force-pushed the remove-content-type-header-with-empty-post-body branch 2 times, most recently from 30079f9 to 21ed9eb Compare September 18, 2024 15:35
@kdavisk6
Member

kdavisk6 commented Oct 4, 2024

This looks good. Could you please add some information to the README to indicate how to take advantage of this change, helping folks understand the System Property requirement?

@kdavisk6 kdavisk6 added the labels "ready to merge" (Will be merged if no other member ask for changes) and "feedback provided" (Feedback has been provided to the author) Oct 4, 2024
@jay-choe jay-choe force-pushed the remove-content-type-header-with-empty-post-body branch 4 times, most recently from 5757b3d to 49d5f4d Compare October 6, 2024 08:22
@jay-choe
Contributor Author

jay-choe commented Oct 6, 2024

@kdavisk6 sure, I added it.

@velo velo force-pushed the master branch 3 times, most recently from 8b27da5 to 0f759bf Compare October 8, 2024 10:18
…Default Client).

- add Content-Length Header with 0 value when `sun.net.http.allowRestrictedHeaders` System Property is set true

- fix not running test to run

- add README for setting zero content-length header
@velo velo force-pushed the remove-content-type-header-with-empty-post-body branch from 5be2434 to e2fbea1 Compare October 8, 2024 12:20
@velo
Member

velo commented Oct 8, 2024

@jay-choe @kdavisk6 FWIW, I have rebased this PR after the formatting changes I did on master

@velo velo merged commit 7e7940e into OpenFeign:master Oct 8, 2024
5 checks passed
@zoomout

zoomout commented Dec 18, 2024

@velo
Please revert this change. Setting "sun.net.http.allowRestrictedHeaders" is breaking security.
restrictedHeaders include e.g. Host, enabling CSRF attack.

```java
private static final String[] restrictedHeaders = {
    /* Restricted by XMLHttpRequest2 */
    //"Accept-Charset",
    //"Accept-Encoding",
    "Access-Control-Request-Headers",
    "Access-Control-Request-Method",
    "Connection", /* close is allowed */
    "Content-Length",
    //"Cookie",
    //"Cookie2",
    "Content-Transfer-Encoding",
    //"Date",
    //"Expect",
    "Host",
    "Keep-Alive",
    "Origin",
    // "Referer",
    // "TE",
    "Trailer",
    "Transfer-Encoding",
    "Upgrade",
    //"User-Agent",
    "Via"
};
```
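
An added illustration, not part of the PR or of any participant's comment: a startup probe that reports which of the header names in the array above the running JVM lets callers set on `HttpURLConnection`. It shows that `sun.net.http.allowRestrictedHeaders` is a single JVM-wide switch that covers `Host` and `Origin` as well as `Content-Length`. The class name and the `probe.invalid` URL are hypothetical, and no request is sent.

```java
import java.net.HttpURLConnection;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

public class RestrictedHeaderProbe {
  // Header names copied from the restrictedHeaders array quoted in the thread.
  static final String[] RESTRICTED = {
    "Access-Control-Request-Headers", "Access-Control-Request-Method", "Connection",
    "Content-Length", "Content-Transfer-Encoding", "Host", "Keep-Alive", "Origin",
    "Trailer", "Transfer-Encoding", "Upgrade", "Via"
  };

  /** Returns the restricted headers this JVM lets callers set on HttpURLConnection. */
  static List<String> settableRestrictedHeaders() throws Exception {
    List<String> accepted = new ArrayList<>();
    for (String name : RESTRICTED) {
      // openConnection() only builds the object; nothing is sent to the placeholder URL.
      HttpURLConnection c =
          (HttpURLConnection) URI.create("http://probe.invalid/").toURL().openConnection();
      c.setRequestProperty(name, "probe"); // silently dropped unless the property is true
      if (c.getRequestProperty(name) != null) {
        accepted.add(name);
      }
    }
    return accepted;
  }

  public static void main(String[] args) throws Exception {
    System.out.println("sun.net.http.allowRestrictedHeaders = "
        + System.getProperty("sun.net.http.allowRestrictedHeaders"));
    List<String> accepted = settableRestrictedHeaders();
    if (accepted.isEmpty()) {
      System.out.println("OK: restricted headers are dropped by HttpURLConnection");
    } else {
      // Any code in this JVM that builds requests can now override these headers.
      System.out.println("WARNING: callers can set " + accepted);
      System.exit(1);
    }
  }
}
```

Run it once normally and once with `-Dsun.net.http.allowRestrictedHeaders=true` on the command line to compare the two outputs.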

@velo
Member

velo commented Dec 18, 2024

Hello, good morning, how are you today?

Raise a PR with test case.

Thank you.
