Improper handling of empty POST requests. #532

Closed
jankyjames opened this issue Jul 19, 2023 · 7 comments


jankyjames commented Jul 19, 2023

When POSTing to a route without a Content-Type but the route is configured to consume some Content-Type, if there is also no body in that request, the Content-Type validation finishes without error, but candidates remains 0, resulting in the Accept handling being processed.

I think normally this would be fine since it seems like there is an additional check for empty POST requests here to return a valid 415, but some clients like Postman automatically set the Content-Length header to "0", resulting in this check getting skipped and defaulting to 406 when that isn't the issue.

I suggest either updating the check at line 158 from `method == http.MethodPatch) && length == "" {` to

`method == http.MethodPatch) && (length == "" || length == "0") {`

or

`method == http.MethodPatch) && httpRequest.ContentLength == 0 {`

The method in question is here
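
Added example (not code from go-restful or from any commenter): how Go's `net/http` represents the cases discussed in this thread, comparing the header-string condition quoted above with the `httpRequest.ContentLength == 0` alternative. It assumes `length` is the Content-Length header value and adds a chunked request beyond the cases in the thread; the sample requests and the names `parse`, `emptyByHeader` and `emptyByField` are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample requests (not from the issue): same route, no Content-Type.
var samples = map[string]string{
	"no-length":   "POST /items HTTP/1.1\r\nHost: example.test\r\n\r\n",
	"zero-length": "POST /items HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n",
	"chunked":     "POST /items HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n2\r\nhi\r\n0\r\n\r\n",
}

// parse reads one raw request with net/http's own request parser.
func parse(raw string) *http.Request {
	r, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		panic(err)
	}
	return r
}

// emptyByHeader mirrors the `length == ""` condition quoted in the issue,
// assuming `length` is the Content-Length header value.
func emptyByHeader(r *http.Request) bool {
	return r.Header.Get("Content-Length") == ""
}

// emptyByField mirrors the `httpRequest.ContentLength == 0` suggestion.
// net/http sets ContentLength to 0 when a request declares no body
// and to -1 when the length is unknown (chunked encoding).
func emptyByField(r *http.Request) bool {
	return r.ContentLength == 0
}

func main() {
	for _, name := range []string{"no-length", "zero-length", "chunked"} {
		r := parse(samples[name])
		fmt.Printf("%-12s header-check=%-5v field-check=%v\n",
			name, emptyByHeader(r), emptyByField(r))
	}
}
```

The header-string check misses the explicit `Content-Length: 0` case and also reports a chunked request that carries a body as empty, while the field check separates all three.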

@jankyjames
Author

If you think this fixes the issue I'd be happy to submit a PR to fix this :) Just let me know!

Owner

emicklei commented Jul 22, 2023 via email

Owner

emicklei commented Aug 5, 2023

> If you think this fixes the issue I'd be happy to submit a PR to fix this :) Just let me know!

@JamesDChilds can you propose a PR? thx!

Contributor

mayooot commented Mar 7, 2024

> > If you think this fixes the issue I'd be happy to submit a PR to fix this :) Just let me know!
>
> @JamesDChilds can you propose a PR? thx!

@JamesDChilds Hi, I don't want to take the glory away from you, but this still hasn't been resolved in the latest version of the code, and this issue doesn't seem to have been followed up on in a long time, so I opened a PR.

@emicklei
Owner

fixed in v3.12.0

Contributor

liggitt commented Nov 22, 2024

I commented on the PR that changed this, but I think it is incorrect to disallow explicitly zero-length bodies for PUT/POST/PATCH requests.

Contributor

liggitt commented Nov 22, 2024

From https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6:

> A user agent SHOULD send Content-Length in a request when the method defines a meaning for enclosed content and it is not sending Transfer-Encoding. For example, a user agent normally sends Content-Length in a POST request even when the value is 0 (indicating empty content)
> ...
> Any Content-Length field value greater than or equal to zero is valid.
