Commit aabe2c7

📝 Update release notes
1 parent 377234a commit aabe2c7

File tree

1 file changed

+19
-1
lines changed

docs/en/docs/release-notes.md

+19-1
@@ -2,7 +2,25 @@
22

33
## Latest Changes
44

5-
* 🐛 Check Content-Type request header before assuming JSON. PR [#2118](https://github.com/tiangolo/fastapi/pull/2118) by [@patrickkwang](https://github.com/patrickkwang).
5+
6+
### Security fixes
7+
8+
* 🔒 Check Content-Type request header before assuming JSON. Initial PR [#2118](https://github.com/tiangolo/fastapi/pull/2118) by [@patrickkwang](https://github.com/patrickkwang).
9+
10+
This change fixes a [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) security vulnerability when using cookies for authentication in path operations with JSON payloads sent by browsers.
11+
12+
In versions lower than `0.65.2`, FastAPI would try to read the request payload as JSON even if the `content-type` header sent was not set to `application/json` or a compatible JSON media type (e.g. `application/geo+json`).
13+
14+
So, a request with a content type of `text/plain` containing JSON data would be accepted and the JSON data would be extracted.
15+
16+
But requests with content type `text/plain` are exempt from [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) preflights, for being considered [Simple requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests). So, the browser would execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application.
17+
18+
See [CVE-2021-32677](https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7) for more details.
19+
20+
Thanks to [Dima Boger](https://twitter.com/b0g3r) for the security report! 🙇🔒
21+
22+
### Internal
23+
624
* 🔧 Update sponsors badge, course bundle. PR [#3340](https://github.com/tiangolo/fastapi/pull/3340) by [@tiangolo](https://github.com/tiangolo).
725
* 🔧 Add new gold sponsor Jina 🎉. PR [#3291](https://github.com/tiangolo/fastapi/pull/3291) by [@tiangolo](https://github.com/tiangolo).
826
* 🔧 Add new banner sponsor badge for FastAPI courses bundle. PR [#3288](https://github.com/tiangolo/fastapi/pull/3288) by [@tiangolo](https://github.com/tiangolo).
