
Action API: Detect POST without Content-Type
Closed, Resolved · Public

Description

According to RFC 7231 § 3.1.1.5, a POST request that does not include a Content-Type header may be interpreted by the server in one of two ways:

  1. It may assume application/octet-stream. In this case, PHP and the Action API will not see the request as having any parameters, and so will probably serve the auto-generated help page.
  2. It may "sniff" the content type. It's likely enough to correctly guess application/x-www-form-urlencoded in this case, and therefore PHP and the Action API will see the request as having the intended parameters.

It turns out that HHVM and PHP 7 (at least as used at Wikimedia) differ in their behaviors: PHP 7 seems to choose option 1, while HHVM chooses option 2. This can cause unexpected behavior in clients that were written for the HHVM behavior.

We're not going to try to reimplement the HHVM behavior under PHP 7, but it could be useful to raise an explicit warning or error on a POST without a Content-Type header. A question is whether to do it as a warning or an error:

  • The warning is friendlier for the current stage of the PHP 7 migration where it often does work, but is less visible to clients and has the chance of being so common as to overload logstash.
  • The error will immediately break such clients rather than giving them some time to update their code.

I'm inclined to go with the warning to start with, with a patch prepared to turn off the logging to logstash in case the volume is more than anticipated.
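The two interpretations listed in the description, and a check for the condition the task proposes to flag, modeled in Python as an added example (this is not MediaWiki's code and not the merged patch). The sniffing heuristic and the sample requests are assumptions constructed for illustration; the warning key is borrowed from the patch title that appears on this page.

```python
from urllib.parse import parse_qs

# Constructed sample requests (method, headers, body); not taken from the task.
FORM = "application/x-www-form-urlencoded"
WITH_TYPE = ("POST", {"Content-Type": FORM}, b"action=query&meta=siteinfo&format=json")
WITHOUT_TYPE = ("POST", {}, b"action=query&meta=siteinfo&format=json")
GET_REQUEST = ("GET", {}, b"")


def media_type(headers):
    """Lowercased media type without parameters; None if the header is absent or empty."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower() or None
    return None


def looks_urlencoded(body):
    """Crude sniff (an assumption of this sketch): printable ASCII made of key=value pairs."""
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(text) and text.isprintable() and all("=" in p for p in text.split("&"))


def post_params(method, headers, body, sniff):
    """Parameters the application sees: sniff=False models option 1, sniff=True option 2."""
    if method != "POST":
        return {}
    ctype = media_type(headers)
    if ctype is None:
        # No header: either guess from the body or fall back to octet-stream.
        ctype = FORM if sniff and looks_urlencoded(body) else "application/octet-stream"
    if ctype != FORM:
        return {}
    return {k: v[-1] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}


def check_request(method, headers, body):
    """Return a warning key for a POST that lacks Content-Type, else None."""
    if method == "POST" and media_type(headers) is None:
        return "post-without-content-type"
    return None
```

With `WITHOUT_TYPE`, the same bytes yield the full parameter set under `sniff=True` and an empty one under `sniff=False`, which is the client-visible difference the description attributes to the two runtimes.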

Event Timeline

Anomie created this task. Aug 19 2019, 4:09 PM
Restricted Application added a subscriber: Aklapper. Aug 19 2019, 4:09 PM

Change 530904 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@master] API: Warn about POST without Content-Type

https://gerrit.wikimedia.org/r/530904

Change 530905 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@master] API: Don't log 'post-without-content-type' deprecations

https://gerrit.wikimedia.org/r/530905

Anomie claimed this task. Aug 20 2019, 5:41 PM

Change 530904 merged by jenkins-bot:
[mediawiki/core@master] API: Warn about POST without Content-Type

https://gerrit.wikimedia.org/r/530904

Anomie closed this task as Resolved. Aug 26 2019, 7:39 PM

Change 530905 abandoned by Anomie:
API: Don't log 'post-without-content-type' deprecations

Reason:
It has been in production for a while and there have been no complaints, so I think this won't be needed.

https://gerrit.wikimedia.org/r/530905

DannyS712 added a subscriber: DannyS712.

[batch] remove patch for review tag from resolved tasks

Aklapper removed a subscriber: Anomie. Oct 16 2020, 5:38 PM