Don't guess content type for create/put

James Agnew 2019-09-05 14:47:04 -04:00
parent 8c6fd9f2d9
commit 7d162c50db
4 changed files with 28 additions and 10 deletions


@ -157,9 +157,6 @@ public class ResourceParameter implements IParameter {
}
}
if (isBlank(ctValue)) {
/*
* If the client didn't send a content type, try to guess
*/
String body;
try {
body = IOUtils.toString(requestReader);
@ -170,12 +167,9 @@ public class ResourceParameter implements IParameter {
if (isBlank(body)) {
return null;
}
encoding = EncodingEnum.detectEncodingNoDefault(body);
if (encoding == null) {
String msg = ctx.getLocalizer().getMessage(ResourceParameter.class, "noContentTypeInRequest", restOperationType);
throw new InvalidRequestException(msg);
}
requestReader = new InputStreamReader(new ByteArrayInputStream(theRequest.loadRequestContents()), charset);
String msg = ctx.getLocalizer().getMessage(ResourceParameter.class, "noContentTypeInRequest", restOperationType);
throw new InvalidRequestException(msg);
} else {
String msg = ctx.getLocalizer().getMessage(ResourceParameter.class, "invalidContentTypeInRequest", ctValue, restOperationType);
throw new InvalidRequestException(msg);
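Review bot: In the `isBlank(ctValue)` branch the body is still read in full with `IOUtils.toString(requestReader)`, although it now appears to be used only for the `isBlank(body)` check, and nothing in the branch explains why. The old "try to guess" comment seems to be among the removed lines, so a replacement such as `// No Content-Type: never sniff the body. An empty body means no resource; anything else is rejected so validating interceptors always see a declared type.` would keep the security reason next to the code. The `return null` path is the one remaining case where a request without a Content-Type is not rejected; how callers treat that null is outside the hunk and worth confirming. The enclosing method starts and ends outside the visible lines.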


@ -77,6 +77,23 @@ public class CreateR4Test {
}
@Test
public void testCreateFailsIfNoContentTypeProvided() throws Exception {
HttpPost httpPost = new HttpPost("http://localhost:" + ourPort + "/Patient");
httpPost.setEntity(new StringEntity("{\"resourceType\":\"Patient\", \"id\":\"999\", \"status\":\"active\"}", (ContentType) null));
try (CloseableHttpResponse status = ourClient.execute(httpPost)) {
String responseContent = IOUtils.toString(status.getEntity().getContent(), StandardCharsets.UTF_8);
ourLog.info("Response was:\n{}", responseContent);
assertEquals(400, status.getStatusLine().getStatusCode());
assertThat(responseContent, containsString("No Content-Type header was provided in the request. This is required for \\\"CREATE\\\" operation"));
}
}
/**
* #472
*/
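Review bot: `testCreateFailsIfNoContentTypeProvided` pins only the JSON POST case, while the commit title covers create and put, and the removed detection presumably also handled XML bodies. No update-side or XML-body test is visible on this page; if none exists elsewhere, the rejection is only partly pinned. The test would also benefit from a Javadoc stating why it exists, in the style of the `#472` comment below it: `/** A body sent without a Content-Type must be rejected with HTTP 400 rather than sniffed, so validating interceptors cannot be skipped. */`. The class body continues outside the hunk.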


@ -232,9 +232,9 @@ public class OperationGenericServer2R4Test {
HttpGet httpPost = new HttpGet("http://localhost:" + myPort + "/Patient/123/$OP_INSTANCE");
try (CloseableHttpResponse status = ourClient.execute(httpPost)) {
assertEquals(200, status.getStatusLine().getStatusCode());
String response = IOUtils.toString(status.getEntity().getContent(), StandardCharsets.UTF_8);
ourLog.info(response);
assertEquals(200, status.getStatusLine().getStatusCode());
status.getEntity().getContent().close();
assertEquals("123", ourLastId.getIdPart());


@ -106,6 +106,13 @@
A note has been added to the downloads page explaning the removal of the hapi-fhir-utilities
module. Thanks to Andrew Fitzgerald for the PR!
</action>
<action type="change">
REST servers will no longer try to guess the content type for HTTP requests where a body
is provided but no Content-Type header is included. These requests are invalid, and will now
result in an HTTP 400. This change corrects an error where some interceptors (notably
the RequestValidatingInterceptor, but not including any HAPI FHIR security interceptors)
could be bypassed if a Content Type was not included.
</action>
</release>
<release version="4.0.0" date="2019-08-14" description="Igloo">
<action type="add">