[openstreetmap/openstreetmap-website] old user preferences containing "%" break PUT on /api/0.6/user/preferences (Issue #4467)

Andy Allan notifications at github.com
Thu Jan 11 10:00:21 UTC 2024 

> Presumably, you're sending your request with a Content-Type application/x-www-form-urlencoded or something similar, in which case the request fails with HTTP 400.

I was investigating this yesterday, and came to the same conclusion. In fact, it's easily reproduced in our test suite, since the put requests fail with the same 400 response if you add a % character:

```diff
       xml = "<osm><changeset>" \
-            "<tag k='created_by' v='osm test suite checking changesets'/>" \
+            "<tag k='created_by' v='osm test suite checking changesets%'/>" \
             "</changeset></osm>"
```

```
Failure:
Api::ChangesetsControllerTest#test_create [/home/andy/src/openstreetmap-website/test/controllers/api/changesets_controller_test.rb:82]:
Creation of changeset did not return success status
```

```
Started PUT "/api/0.6/changeset/create" for 127.0.0.1 at 2024-01-11 09:52:24 +0000
  
Rack::QueryParser::InvalidParameterError (invalid %-encoding ('created_by' v='osm test suite checking changesets%'/></changeset></osm>))
```

If we add a "Content-Type: application/xml" header to the `put` request in the test suite, then that stops Rack from treating it as url-encoded payload, and correctly treats it as XML.

So the first step is as @mmd-osm explains - the client application should set the correct content-type header, and then it will hopefully work fine.

The second step is to open the discussion about whether we should set a default content-type for the API. This is one of these things were someone has built their client application, and it's worked fine without it, until someone hits an edge case and it breaks. Should we treat all requests to the XML api as application/xml by default, to avoid this from happening? Or should we start throwing errors for incorrect content types, so that developers find this out during testing rather than user reports year(s) later?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4467#issuecomment-1886759718
You are receiving this because you are subscribed to this thread.

Message ID: <openstreetmap/openstreetmap-website/issues/4467/1886759718 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20240111/6ff47d72/attachment-0001.htm>

More information about the rails-dev mailing list