Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
3.6.2, 4.0.3
-
None
-
Unknown
Description
We call a DELETE endoint of a REST API, but the server rejects the call with a client error, because CXF sends "Content-Type: text/xml" although the content is empty (as suggested by RFC 9110).
The implementation of setProtocolHeaders() in HttpClientHTTPConduit calls setProtocolHeadersInBuilder() to set the HTTP headers. This methods computes a "Content-Type" header if the verb is not in the list KNOWN_HTTP_VERBS_WITH_NO_CONTENT. DELETE is not part of this list although RFC 9110 states that DELETE requests should not have content [1]. Thus if a client follows the RFC and sends a DELETE request with no content, CXF will nonetheless set a Content-Type header. Headers#determineContentType uses "text/xml" as fallback if no content type can be computed.
The old implementation URLConnectionHTTPConduit called a Headers#setProtocolHeadersInConnection to set the headers. This method allowed to omit the "Content-Type" header via the property "set.content.type.for.empty.request".
The new implementation should handle DELETE requests with empty body correctly or evaluate the existing property "set.content.type.for.empty.request".
[1]
Although request message framing is independent of the method used, content received in a DELETE request has no generally defined semantics, cannot alter the meaning or target of the request, and might lead some implementations to reject the request and close the connection because of its potential as a request smuggling attack (Section 11.2 of [HTTP/1.1]). A client SHOULD NOT generate content in a DELETE request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.
Attachments
Issue Links
- links to