Changes to content-type handling
Ed Tanous
ed at tanous.net
Sat Jun 10 07:45:27 AEST 2023
TL;DR: if you start seeing unexplained 400 errors on POST/PATCH, read further.
A recent bmcweb change will be changing the way Content-Type is
handled by default for incoming requests.
https://gerrit.openbmc.org/c/openbmc/bmcweb/+/64072
While this is technically in line with both the HTTP RFC as well as
the Redfish spec, it is quite possible that clients written and tested
against only OpenBMC might be setting the content-type header
incorrectly, in which case bmcweb will now return a 400 error rather than
silently accepting. This is in line with OWASP guidelines for
webservers.
This behavior is controlled by a meson option flag
"insecure-ignore-content-type" that has been checked in for some time,
if you need to opt out of the behavior for some time to make sure your
clients are brought up to compatibility. All of the Redfish tools
have been tested, the examples have been updated a while ago, and the
webui works as intended, so for clients following the specification,
this should have no impact.
-Ed
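
Added example, not part of the original message and not bmcweb code: a pre-flight check that client maintainers can run over the requests their tooling builds, to find the ones that would start getting 400 once Content-Type is enforced. It assumes JSON bodies must be sent as application/json and that a missing header counts as incorrect; the function names and sample requests are constructed for illustration.

```python
# Added illustration, not bmcweb source. Assumptions: JSON bodies must be
# sent as application/json, and a missing header counts as incorrect.
BODY_METHODS = {"POST", "PATCH"}
JSON_TYPE = "application/json"


def media_type(value):
    """Return lower-cased type/subtype without parameters, or None if malformed."""
    if value is None:
        return None
    essence = value.split(";", 1)[0].strip().lower()
    main, sep, sub = essence.partition("/")
    if not (main and sep and sub) or "/" in sub or " " in essence:
        return None
    return essence


def would_get_400(method, headers, body):
    """True if a strict server is expected to answer this request with 400."""
    if method.upper() not in BODY_METHODS or not body:
        return False
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    return media_type(value) != JSON_TYPE


# Constructed sample requests: (method, headers, body) as a client might send them.
BODY = b'{"AssetTag": "rack-12"}'
SAMPLES = {
    # curl -d sets this type by default unless -H overrides it.
    "curl -d without -H": ("PATCH", {"Content-Type": "application/x-www-form-urlencoded"}, BODY),
    "header missing": ("POST", {}, BODY),
    "text/plain body": ("PATCH", {"Content-Type": "text/plain"}, BODY),
    "json with charset": ("PATCH", {"content-type": "Application/JSON; charset=utf-8"}, BODY),
    "GET without body": ("GET", {}, b""),
}


def audit(samples):
    """Return the names of the sample requests that need fixing, sorted."""
    return sorted(name for name, req in samples.items() if would_get_400(*req))


if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("fix before upgrading:", name)
```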