From 7d162c50db7c493589b7436f959b2fcb1e3aba67 Mon Sep 17 00:00:00 2001
From: James Agnew <jamesagnew@gmail.com>
Date: Thu, 5 Sep 2019 14:47:04 -0400
Subject: [PATCH] Don't guess content type for create/put

---
 .../rest/server/method/ResourceParameter.java   | 12 +++---------
 .../ca/uhn/fhir/rest/server/CreateR4Test.java   | 17 +++++++++++++++++
 .../server/OperationGenericServer2R4Test.java   |  2 +-
 src/changes/changes.xml                         |  7 +++++++
 4 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/method/ResourceParameter.java b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/method/ResourceParameter.java
index 73665fd9150..ec964a4cc0c 100644
--- a/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/method/ResourceParameter.java
+++ b/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/method/ResourceParameter.java
@@ -157,9 +157,6 @@ public class ResourceParameter implements IParameter {
 				}
 			}
 			if (isBlank(ctValue)) {
-				/*
-				 * If the client didn't send a content type, try to guess
-				 */
 				String body;
 				try {
 					body = IOUtils.toString(requestReader);
@@ -170,12 +167,9 @@ public class ResourceParameter implements IParameter {
 				if (isBlank(body)) {
 					return null;
 				}
-				encoding = EncodingEnum.detectEncodingNoDefault(body);
-				if (encoding == null) {
-					String msg = ctx.getLocalizer().getMessage(ResourceParameter.class, "noContentTypeInRequest", restOperationType);
-					throw new InvalidRequestException(msg);
-				}
-				requestReader = new InputStreamReader(new ByteArrayInputStream(theRequest.loadRequestContents()), charset);
+
+				String msg = ctx.getLocalizer().getMessage(ResourceParameter.class, "noContentTypeInRequest", restOperationType);
+				throw new InvalidRequestException(msg);
 			} else {
 				String msg = ctx.getLocalizer().getMessage(ResourceParameter.class, "invalidContentTypeInRequest", ctValue, restOperationType);
 				throw new InvalidRequestException(msg);
diff --git a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/CreateR4Test.java b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/CreateR4Test.java
index d949ac99dee..a2fcf4c1259 100644
--- a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/CreateR4Test.java
+++ b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/CreateR4Test.java
@@ -77,6 +77,23 @@ public class CreateR4Test {
 
 	}
 
+	@Test
+	public void testCreateFailsIfNoContentTypeProvided() throws Exception {
+
+		HttpPost httpPost = new HttpPost("http://localhost:" + ourPort + "/Patient");
+		httpPost.setEntity(new StringEntity("{\"resourceType\":\"Patient\", \"id\":\"999\", \"status\":\"active\"}", (ContentType) null));
+		try (CloseableHttpResponse status = ourClient.execute(httpPost)) {
+
+			String responseContent = IOUtils.toString(status.getEntity().getContent(), StandardCharsets.UTF_8);
+
+			ourLog.info("Response was:\n{}", responseContent);
+
+			assertEquals(400, status.getStatusLine().getStatusCode());
+			assertThat(responseContent, containsString("No Content-Type header was provided in the request. This is required for \\\"CREATE\\\" operation"));
+
+		}
+	}
+
 	/**
 	 * #472
 	 */
diff --git a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/OperationGenericServer2R4Test.java b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/OperationGenericServer2R4Test.java
index 79a25080d06..d618fe85a45 100644
--- a/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/OperationGenericServer2R4Test.java
+++ b/hapi-fhir-structures-r4/src/test/java/ca/uhn/fhir/rest/server/OperationGenericServer2R4Test.java
@@ -232,9 +232,9 @@ public class OperationGenericServer2R4Test {
 
 		HttpGet httpPost = new HttpGet("http://localhost:" + myPort + "/Patient/123/$OP_INSTANCE");
 		try (CloseableHttpResponse status = ourClient.execute(httpPost)) {
-			assertEquals(200, status.getStatusLine().getStatusCode());
 			String response = IOUtils.toString(status.getEntity().getContent(), StandardCharsets.UTF_8);
 			ourLog.info(response);
+			assertEquals(200, status.getStatusLine().getStatusCode());
 			status.getEntity().getContent().close();
 
 			assertEquals("123", ourLastId.getIdPart());
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 507f004fe5c..e2785d9b8e6 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -106,6 +106,13 @@
 				A note has been added to the downloads page explaning the removal of the hapi-fhir-utilities
 				module. Thanks to Andrew Fitzgerald for the PR!
 			</action>
+			<action type="change">
+				REST servers will no longer try to guess the content type for HTTP requests where a body 
+				is provided but no Content-Type header is included. These requests are invalid, and will now
+				result in an HTTP 400. This change corrects an error where some interceptors (notably
+				the RequestValidatingInterceptor, but not including any HAPI FHIR security interceptors) 
+				could be bypassed if a Content Type was not included.
+			</action>
 		</release>
 		<release version="4.0.0" date="2019-08-14" description="Igloo">
 			<action type="add">