fix: reuse cached form in consumeForm (multipart + antiforgery) #154
Open
michaelglass wants to merge 1 commit into falcoframework:master
…-read bug When antiforgery validation runs before Request.getForm (e.g. via getFormOptions / mapForm / validateCsrfToken), IAntiforgery.ValidateRequestAsync reads and buffers the form body via ReadFormAsync. For multipart/form-data POSTs, consumeForm would then branch into StreamFormAsync, which re-reads the (now-drained) body and fails with 'Unexpected end of Stream'. Detect that the form has already been parsed by checking the request's IFormFeature and reuse the cached ctx.Request.Form in that case, instead of attempting to re-read the stream.
When antiforgery validation runs before `Request.getForm` (the flow `getFormSecure` uses internally), `IAntiforgery.ValidateRequestAsync` reads and buffers the form body via `ReadFormAsync`. For `multipart/form-data`, `consumeForm` would then take the `StreamFormAsync` branch and re-read the now-drained stream, failing with `IOException: Unexpected end of Stream`. Non-multipart was fine because `ReadFormAsync` returns the cached `HttpRequest.Form`.

Fix: detect the already-parsed form via `IFormFeature.Form` and reuse it before deciding between streaming and non-streaming read.

Regression test: `AntiforgeryMultipartTests.POST multipart/form-data with valid CSRF token succeeds via getForm` — asserted to fail on `upstream/master` with the IOException, passes with the fix. A second guard test covers the urlencoded path so it can't regress in the other direction.
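
The double-read and the cached-form guard described in this PR, as an added F# example that is not the PR's or Falco's code. `streamFirstSection`, `tryCachedForm` and `demo` are hypothetical names, ASP.NET Core's `MultipartReader` stands in for the streaming branch, the multipart body is constructed, and a reference to `Microsoft.AspNetCore.App` is assumed.

```fsharp
open System.IO
open System.Text
open System.Threading
open System.Threading.Tasks
open Microsoft.AspNetCore.Http
open Microsoft.AspNetCore.Http.Features
open Microsoft.AspNetCore.WebUtilities

// Constructed sample body: one multipart field named "token".
let boundary = "constructed-boundary"
let sampleBody =
    String.concat "\r\n"
        [ "--" + boundary; "Content-Disposition: form-data; name=\"token\""
          ""; "sample"; "--" + boundary + "--"; "" ]

let makeContext () =
    let ctx = DefaultHttpContext()
    ctx.Request.Method <- "POST"
    ctx.Request.ContentType <- "multipart/form-data; boundary=" + boundary
    ctx.Request.Body <- new MemoryStream(Encoding.UTF8.GetBytes sampleBody)
    ctx

// Hypothetical stand-in for a streaming form reader: parses the raw body.
let streamFirstSection (ctx: HttpContext) : Task<string> =
    task {
        try
            let reader = MultipartReader(boundary, ctx.Request.Body)
            let! section = reader.ReadNextSectionAsync(CancellationToken.None)
            return if isNull section then "no section" else "streamed a section"
        with :? IOException as ex -> return "stream failed: " + ex.Message
    }

// Guard (hypothetical name): reuse a form an earlier component already parsed.
// The feature can exist with Form still null, so both are checked.
let tryCachedForm (ctx: HttpContext) : IFormCollection option =
    let feature = ctx.Features.Get<IFormFeature>()
    if isNull feature || isNull feature.Form then None else Some feature.Form

let demo () =
    task {
        let ctx = makeContext ()
        // Stands in for antiforgery validation reading the form first.
        let! _ = ctx.Request.ReadFormAsync(CancellationToken.None)
        let! streamed = streamFirstSection ctx
        let cached =
            match tryCachedForm ctx with
            | Some form -> "cached token = " + form.["token"].ToString()
            | None -> "no cached form"
        return streamed, cached
    }

demo().GetAwaiter().GetResult() |> printfn "%A"
```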