Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect content-type parsing in actions #7187

Closed
SylvainGarrigues opened this issue Oct 8, 2022 · 6 comments · Fixed by #7195
Closed

Incorrect content-type parsing in actions #7187

SylvainGarrigues opened this issue Oct 8, 2022 · 6 comments · Fixed by #7195
Labels
bug Something isn't working forms Stuff relating to forms and form actions
Milestone
1.0

Comments

@SylvainGarrigues
Copy link

SylvainGarrigues commented Oct 8, 2022
edited by benmccann
Loading

Describe the bug

When using a simple fetch to an endpoint like so:

fetch('/login', {method: "POST", body: new URLSearchParams('key', 'value')})

This is sent by Chrome and Safari as a POST request with the following content-type header:

Content-Type: application/x-www-form-urlencoded;charset=UTF-8

But https://github.com/sveltejs/kit/blob/master/packages/kit/src/runtime/server/page/actions.js checks the content-type value by splitting on ; (note the space).

Therefore I cannot use the above fetch call because the endpoint returns:

Actions expect form-encoded data (received application/x-www-form-urlencoded;charset=UTF-8)

I think this is a bug and that you should instead split on ; (without space).

Reproduction

Use a simple fetch to an endpoint (/login/+page.server.js) like so:

fetch('/login', {method: "POST", body: new URLSearchParams('key', 'value')})

Logs

No response

System Info

any system

Severity

serious, but I can work around it

Additional Information

No response
@SylvainGarrigues
Copy link
Author

https://www.rfc-editor.org/rfc/rfc7231#section-3.1.1.1 says the preferred type specification is:
text/html;charset=utf-8

i.e. with no space

@dummdidumm dummdidumm added bug Something isn't working forms Stuff relating to forms and form actions labels Oct 8, 2022
@dummdidumm dummdidumm added this to the 1.0 milestone Oct 8, 2022
@elliott-with-the-longest-name-on-github
Copy link
Contributor

I'll fix this. The easy solution would be to split on ; and trim the results. Any objections?

@repsac-by
Copy link
Contributor

Any objections?

It would be nice to add tests

@Conduitry
Copy link
Member

Whatever we do here, we should probably also do for the content type check that's part of the CSRF protection, if appropriate.

@repsac-by repsac-by mentioned this issue Oct 9, 2022
Merged
5 tasks
@eikaramba
Copy link

is this also related to #7112 ? i guess not right?

dummdidumm pushed a commit that referenced this issue Oct 10, 2022
@repsac-by
[fix] parsing content-type header for actions (#7195)
3bd5245 
Fixes #7187
@SylvainGarrigues
Copy link
Author

Thanks for such a quick fix, great job.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working forms Stuff relating to forms and form actions
Projects
None yet
Milestone
1.0
Development

Successfully merging a pull request may close this issue.

[fix] parsing content-type header for actions repsac-by/kit
6 participants
@SylvainGarrigues @eikaramba @repsac-by @dummdidumm @Conduitry @elliott-with-the-longest-name-on-github