From 13712de2e7953cd4e944613dbec3eb929996c254 Mon Sep 17 00:00:00 2001 From: Jared Kirschner Date: Mon, 13 Dec 2021 09:02:58 -0800 Subject: [PATCH] http: WARN if GET request has non-empty body Give the user a hint that they might be doing something wrong if their GET request has a non-empty body, which can easily happen using curl's --data-urlencode if specifying request type via "--request GET" rather than "--get". See https://github.com/hashicorp/consul/issues/11471. --- .changelog/11821.txt | 3 +++ agent/http.go | 11 +++++++++++ 2 files changed, 14 insertions(+) create mode 100644 .changelog/11821.txt diff --git a/.changelog/11821.txt b/.changelog/11821.txt new file mode 100644 index 000000000..323d48d05 --- /dev/null +++ b/.changelog/11821.txt @@ -0,0 +1,3 @@ +```release-note:improvement +http: if a GET request has a non-empty body, log a warning that suggests a possible problem (parameters were meant for the query string, but accidentally placed in the body) +``` \ No newline at end of file diff --git a/agent/http.go b/agent/http.go index b470547ed..251d973e4 100644 --- a/agent/http.go +++ b/agent/http.go @@ -543,6 +543,17 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc } else { err = s.checkWriteAccess(req) + // Give the user a hint that they might be doing something wrong if they issue a GET request + // with a non-empty body (e.g., parameters placed in body rather than query string). + if req.Method == http.MethodGet { + if req.ContentLength > 0 { + httpLogger.Warn("GET request has a non-empty body that will be ignored; "+ + "check whether parameters meant for the query string were accidentally placed in the body", + "url", logURL, + "from", req.RemoteAddr) + } + } + if err == nil { // Invoke the handler obj, err = handler(resp, req)