Do not attempt to decode wildcard content-types as form-data

Prior to this commit, the `DefaultServerWebExchange` would attempt to
decode request bodies as form-data or multipart of the request
content-type was compatible with the expected media types.

If requests are sent with an invalid wildcard content-type such as "*/*"
or "multipart/*", we should not attempt to decode here.

Fixes gh-34660

Author: bclozel

spring-web/src/main/java/org/springframework/web/server/adapter/DefaultServerWebExchange.java

@@ -149,11 +149,11 @@ private static Mono<MultiValueMap<String, String>> initFormData(ServerHttpReques
 			ServerCodecConfigurer configurer, String logPrefix) {
 
 		MediaType contentType = getContentType(request);
-		if (contentType == null || !contentType.isCompatibleWith(MediaType.APPLICATION_FORM_URLENCODED)) {
+		if (contentType == null || !contentType.isConcrete() || !contentType.isCompatibleWith(MediaType.APPLICATION_FORM_URLENCODED)) {
 			return EMPTY_FORM_DATA;
 		}
 
-		HttpMessageReader<MultiValueMap<String, String>> reader = getReader(configurer, MediaType.APPLICATION_FORM_URLENCODED, FORM_DATA_TYPE);
+		HttpMessageReader<MultiValueMap<String, String>> reader = getReader(configurer, contentType, FORM_DATA_TYPE);
 		if (reader == null) {
 			return Mono.error(new IllegalStateException("No HttpMessageReader for " + contentType));
 		}
@@ -167,7 +167,7 @@ private static Mono<MultiValueMap<String, String>> initFormData(ServerHttpReques
 	private Mono<MultiValueMap<String, Part>> initMultipartData(ServerCodecConfigurer configurer, String logPrefix) {
 
 		MediaType contentType = getContentType(this.request);
-		if (contentType == null || !contentType.getType().equalsIgnoreCase("multipart")) {
+		if (contentType == null || !contentType.isConcrete() || !contentType.getType().equalsIgnoreCase("multipart")) {
 			return EMPTY_MULTIPART_DATA;
 		}
 

spring-web/src/test/java/org/springframework/web/server/adapter/DefaultServerWebExchangeTests.java

@@ -21,6 +21,7 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.http.codec.ServerCodecConfigurer;
+import org.springframework.http.codec.multipart.Part;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.server.ServerWebExchange;
 import org.springframework.web.server.i18n.AcceptHeaderLocaleContextResolver;
@@ -60,14 +61,25 @@ void transformUrlWithMultipleEncoders() {
 	}
 
 	@Test // gh-34660
-	void useFormDataMessageReaderWhenAllContentType() {
+	void shouldNotDecodeFormDataWhenContentTypeNotConcrete() {
 		MockServerHttpRequest request = MockServerHttpRequest
 				.post("https://example.com")
 				.header(HttpHeaders.CONTENT_TYPE, MediaType.ALL_VALUE)
 				.body("project=spring");
 		ServerWebExchange exchange = createExchange(request);
 		MultiValueMap<String, String> body = exchange.getFormData().block();
-		assertThat(body.get("project")).contains("spring");
+		assertThat(body).isEmpty();
+	}
+
+	@Test // gh-34660
+	void shouldNotDecodeMultipartWhenContentTypeNotConcrete() {
+		MockServerHttpRequest request = MockServerHttpRequest
+				.post("https://example.com")
+				.header(HttpHeaders.CONTENT_TYPE, "multipart/*")
+				.body("project=spring");
+		ServerWebExchange exchange = createExchange(request);
+		MultiValueMap<String, Part> body = exchange.getMultipartData().block();
+		assertThat(body).isEmpty();
 	}