HttpHeaders should accept empty Content-Type header [SPR-12173]

[spring-projects-issues]

Oliver Otzen opened SPR-12173 and commented

If a client is sending a POST message with an empty header 'Content-Type' the request fails with a IllegalArgumentException.
In HttpHeaders Line 305 only null values will be checked, but not empty values.
In the RFC 7231 it is not explicitly forbidden to send an empty 'Content-Type'-header field.
http://tools.ietf.org/html/rfc7231#section-3.1.1.5

Caused by: java.lang.IllegalArgumentException: 'mediaType' must not be empty
	at org.springframework.util.Assert.hasLength(Assert.java:136)
	at org.springframework.http.MediaType.parseMediaType(MediaType.java:688)
	at org.springframework.http.HttpHeaders.getContentType(HttpHeaders.java:305)
	at org.springframework.http.server.ServletServerHttpRequest.getHeaders(ServletServerHttpRequest.java:106)
	at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter$ServletHandlerMethodInvoker.writeWithMessageConverters(AnnotationMethodHandlerAdapter.java:1026)
	at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter$ServletHandlerMethodInvoker.handleHttpEntityResponse(AnnotationMethodHandlerAdapter.java:1014)
	at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter$ServletHandlerMethodInvoker.getModelAndView(AnnotationMethodHandlerAdapter.java:940)
	at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:441)
	at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:428)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:925)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:856)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:936)

Example POST from chrome browser:

POST /fileUpload HTTP/1.1
Host: www.example.org
Connection: keep-alive
Content-Length: 393
Origin: http://www.example.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
filename: YXBpLWRvY3M=
Content-Type:
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4

---

Affects: 3.2.4

Issue Links:

• Spring HTTP clients do not enforce RFC 6265 (cookies in a single header) [SPR-12196] #16810 Spring HTTP clients do not enforce RFC 6265 (cookies in a single header)
• Spring Web should process requests with empty/invalid mime type [SPR-14309] #18881 Spring Web should process requests with empty/invalid mime type

Referenced from: commits d501137, a1c0905, 4ab27d8, 44c52a9, 70412a9, afb0342

Backported to: 4.0.8, 3.2.12

3 votes, 4 watchers

[spring-projects-issues]

Juergen Hoeller commented

This is available in the latest 4.1.1 and 4.0.8 snapshots now. It would be great if you could it a try... We intend to backport this to 3.2.12 as well but we'd like to verify the fix first.

Juergen

[spring-projects-issues]

Oliver Otzen commented

Hello Juergen,

Thanks for working in this issuse.

I have tested it with Spring version 4.1.1.RELEASE and 4.1.2.BUILD-SNAPSHOT without success.
I get the following stacktrace:

org.springframework.http.InvalidMediaTypeException: Invalid mime type "": 'mimeType' must not be empty
	org.springframework.http.MediaType.parseMediaType(MediaType.java:370)
	org.springframework.http.server.ServletServerHttpRequest.getHeaders(ServletServerHttpRequest.java:115)
	org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter$ServletHandlerMethodInvoker.writeWithMessageConverters
...

My tiny test project is pushed on github: https://github.com/ollio/spring-content-type-test.
I have used REST Console to force a POST with empty Content-Type header field.

Thanks Oliver

[spring-projects-issues]

Juergen Hoeller commented

Indeed, there turns out to be another check for the Content-Type header where we're falling into a similar trap. Fixed now, to be available in the upcoming 4.1.2 snapshot and in 4.0.8 and 3.2.12 snapshots later this week.

Juergen

[spring-projects-issues]

Oliver Otzen commented

Now it works fine, I get an empty Content-Type when I use the @RequestHeader attribute in my controller.

Thanks Oliver

[spring-projects-issues]

Juergen Hoeller commented

FYI, this is available in the latest 4.0.8 and 3.2.12 snapshots as well now. Both are scheduled for release on October 30th, along with 4.1.2.

Juergen