♻ Assume request bodies contain JSON when no Content-Type header is provided

[tiangolo]

♻ Assume request bodies contain JSON when no Content-Type header is provided

This is related to #2118 and the CVE GHSA-8h2j-cgx8-6xv7 about CSRF.

Some clients already assume that request bodies are read as JSON, even when no content-type header is set: #2118 (comment)

And the risk of CSRF only applies for specific Content-Type headers, so, no Content-Type header is already protected from CORS preflights: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests

[codecov]

Codecov Report

Merging #3456 (540f19f) into master (00a8420) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff             @@
##            master     #3456    +/-   ##
==========================================
  Coverage   100.00%   100.00%            
==========================================
  Files          226       248    +22     
  Lines         6783      7717   +934     
==========================================
+ Hits          6783      7717   +934     

Impacted Files	Coverage Δ
tests/main.py	100.00% <0.00%> (ø)
fastapi/utils.py	100.00% <0.00%> (ø)
fastapi/params.py	100.00% <0.00%> (ø)
fastapi/routing.py	100.00% <0.00%> (ø)
fastapi/encoders.py	100.00% <0.00%> (ø)
fastapi/requests.py	100.00% <0.00%> (ø)
fastapi/responses.py	100.00% <0.00%> (ø)
fastapi/exceptions.py	100.00% <0.00%> (ø)
fastapi/concurrency.py	100.00% <0.00%> (ø)
fastapi/applications.py	100.00% <0.00%> (ø)
... and 69 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7eb17fc...540f19f. Read the comment docs.

[github-actions]

🚀 Deployed on https://60e08f3bd44d37af8df57874--fastapi.netlify.app

[LironSherk]

Hi,
I'm sending a request with no Content-Type header but got the same error before this fix.
when I put a breakpoint on the line
if not content_type_value

it equals: 'text/plain;charset=UTF-8'

in node-fetch, if developer didn't provide Content-Type the default is : 'text/plain;charset=UTF-8'

so all node servers that sending JSON requests to fastapi without providing Content-Type will fail.

[falkben]

Hi,
I'm sending a request with no Content-Type header but got the same error before this fix.
when I put a breakpoint on the line
if not content_type_value

it equals: 'text/plain;charset=UTF-8'

in node-fetch, if developer didn't provide Content-Type the default is : 'text/plain;charset=UTF-8'

so all node servers that sending JSON requests to fastapi without providing Content-Type will fail.

I think you should either change the default you are sending w/ node-fetch or make sure the content-type is specified on every request. Assuming json when the content type was sent as text/plain is not correct. CORS specifically checks text/plain, so to do so we'd be back in the same situation as GHSA-8h2j-cgx8-6xv7.