Skip to content

rpc: check content-type for HTTP requests#15220

Merged
fjl merged 1 commit into
ethereum:masterfrom
bas-vk:jsonheader
Nov 9, 2017
Merged

rpc: check content-type for HTTP requests#15220
fjl merged 1 commit into
ethereum:masterfrom
bas-vk:jsonheader

Conversation

@bas-vk
Copy link
Copy Markdown
Member

@bas-vk bas-vk commented Sep 29, 2017

Ensure that HTTP RPC requests contain the content-type header with application/json.

@bas-vk bas-vk requested a review from holiman September 29, 2017 10:00
holiman
holiman approved these changes Sep 29, 2017
View reviewed changes
Copy link
Copy Markdown
Contributor

@holiman holiman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM; but maybe we should wait until after byzantium before merging any potentially breaking changes to the API, so people can use an older version if this breaks their setups.

dherbst
dherbst reviewed Sep 29, 2017
View reviewed changes
Comment thread rpc/http.go Outdated
Copy link
Copy Markdown
Contributor

@dherbst dherbst Sep 29, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You may want to consider not reflecting untrusted user submitted data here and change the message to "invalid content type, only application/json is supported".

Copy link
Copy Markdown
Member Author

@bas-vk bas-vk Sep 29, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, I don't immediately see how an adversary can abuse this but there might be ways.

@karalabe karalabe added this to the post-byzantium milestone Oct 2, 2017
@fjl fjl merged commit 4fe30bf into ethereum:master Nov 9, 2017
@karalabe karalabe modified the milestones: post-byzantium, 1.7.3 Nov 9, 2017
@5chdn 5chdn mentioned this pull request Nov 9, 2017
Merged
This was referenced Nov 15, 2017
Closed
Merged
@AristideFangbe AristideFangbe mentioned this pull request Nov 29, 2017
Closed
@epheph epheph mentioned this pull request Dec 22, 2017
Closed
dylanjw added a commit to dylanjw/homestead-guide that referenced this pull request Jan 16, 2018
@dylanjw
Add mime type to curl request headers
1859f66 
geth checks for mime header:
ethereum/go-ethereum#15220
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@dherbst dherbst dherbst left review comments

@holiman holiman holiman approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

1.7.3

Development

Successfully merging this pull request may close these issues.

5 participants

@bas-vk @dherbst @holiman @fjl @karalabe