New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Empty multipart form data raises ActionController::BadRequest error since Rails 7.0.5 #51292
Comments
I was trying to build a minimal repro script, but this is a Rack error not Rails. This behavior is intended. This ticket example does pass the ending boundary. Here's a curl version triggering the error:
I feel like this is a different case. It's not passing any fields, but it is passing a body, with the final boundary. I would expect a parser to parse this without crashing. I was trying to look what the spec says about this, but haven't found a quick answer. I'll look into it this week. |
I am not yet 100% sure what the
If I read that correctly I doubt a PR to change Rack's behavior would be accepted. I think the fix here is to open an issue or a PR on Axios' repo to stop sending empty multi part as they are not valid in the spec. |
Thank you for your investigation. I opened an issue on Axios: |
I was able to confirm that the spec does require at least one part. Turns out, the browser implementations of fetch do send this invalid request. It is not an axios issue. The spec does warn against being too rigid in parsing. It is not this specific section, but it makes me think that this is worth the discussion. await (await fetch('https://httpbin.org/post', {method: 'post', body: new FormData()})).json() But realistically the fix here would be to relax Rack's parsing or to change your application code to account for this. I'll look into it a bit more this week. |
Hi @JunichiIto, I am not sure how I missed it the first time I looked, but turns out this issue is already fixed In Rack, but the fix wasn't included in the last release. I asked the Rack maintainers if they could cut a release with the fix, but you don't have to wait. If you point your Gemfile to the Rack repo, you can use the new version today. To do so replace (or add) the Rack gem in your Gemfile with either:
or Then run |
Hi @JoeDupuis , thank you for letting me know. I confirmed the latest "2-2-stable" resolved this issue. I appreciate your support! |
@JunichiIto The maintainers of Rack just released new releases for Rack 2 and 3 containing the fix! You can revert back your gemfile so that it doesn't point to github if desired. I believe Installing gems from github is a bit slower. |
Thanks for getting this sorted @JoeDupuis! |
@JoeDupuis That's great news! I appreciate your support 😃 |
Overview
Axios can post empty form data as multipart/form-data:
The code above will request the following form data:
Rails 7.0.4.3 was able to process such data, but Rails 7.0.5 raises ActionController::BadRequest error.
I created a sample app to reproduce this error:
https://github.com/JunichiIto/empty-multipart-sandbox
Steps to reproduce
Please clone my sample app: https://github.com/JunichiIto/empty-multipart-sandbox
The main branch is running on Rails 7.0.4.3 and tests will pass:
Then, please checkout rails-7-0-5 branch and run tests. They will fail:
Expected behavior
The test should pass like Rails 7.0.4.3.
Actual behavior
As mentioned above, it fails.
Investigation
This issue was introduced by #45833
ActionController::BadRequest should be rescued here: https://github.com/rails/rails/blob/v7.0.5/actionpack/lib/action_dispatch/http/parameters.rb#L56
I wrote a sample patch in rails-7-0-5-with-patch branch: https://github.com/JunichiIto/empty-multipart-sandbox/blob/rails-7-0-5-with-patch/config/initializers/actionpack.rb#L10-L15
With the patch, the tests will pass on Rails 7.0.5.
System configuration
Rails version: 7.0.5
Ruby version: 3.3.0
The text was updated successfully, but these errors were encountered: