Update form content check to reject multipart forms (IdentityServer#4502

)

* add extension method

* switch to new extension method

src/IdentityServer4/src/Endpoints/AuthorizeEndpoint.cs

@@ -40,7 +40,7 @@ public override async Task<IEndpointResult> ProcessAsync(HttpContext context)
             }
             else if (HttpMethods.IsPost(context.Request.Method))
             {
-                if (!context.Request.HasFormContentType)
+                if (!context.Request.HasApplicationFormContentType())
                 {
                     return new StatusCodeResult(HttpStatusCode.UnsupportedMediaType);
                 }

src/IdentityServer4/src/Endpoints/DeviceAuthorizationEndpoint.cs

@@ -54,7 +54,7 @@ public async Task<IEndpointResult> ProcessAsync(HttpContext context)
             _logger.LogTrace("Processing device authorize request.");
 
             // validate HTTP
-            if (!HttpMethods.IsPost(context.Request.Method) || !context.Request.HasFormContentType)
+            if (!HttpMethods.IsPost(context.Request.Method) || !context.Request.HasApplicationFormContentType())
             {
                 _logger.LogWarning("Invalid HTTP request for device authorize endpoint");
                 return Error(OidcConstants.TokenErrors.InvalidRequest);

src/IdentityServer4/src/Endpoints/IntrospectionEndpoint.cs

@@ -66,7 +66,7 @@ public async Task<IEndpointResult> ProcessAsync(HttpContext context)
                 return new StatusCodeResult(HttpStatusCode.MethodNotAllowed);
             }
 
-            if (!context.Request.HasFormContentType)
+            if (!context.Request.HasApplicationFormContentType())
             {
                 _logger.LogWarning("Invalid media type for introspection endpoint");
                 return new StatusCodeResult(HttpStatusCode.UnsupportedMediaType);

src/IdentityServer4/src/Endpoints/TokenEndpoint.cs

@@ -61,7 +61,7 @@ public async Task<IEndpointResult> ProcessAsync(HttpContext context)
             _logger.LogTrace("Processing token request.");
 
             // validate HTTP
-            if (!HttpMethods.IsPost(context.Request.Method) || !context.Request.HasFormContentType)
+            if (!HttpMethods.IsPost(context.Request.Method) || !context.Request.HasApplicationFormContentType())
             {
                 _logger.LogWarning("Invalid HTTP request for token endpoint");
                 return Error(OidcConstants.TokenErrors.InvalidRequest);

src/IdentityServer4/src/Endpoints/TokenRevocationEndpoint.cs

@@ -66,7 +66,7 @@ public async Task<IEndpointResult> ProcessAsync(HttpContext context)
                 return new StatusCodeResult(HttpStatusCode.MethodNotAllowed);
             }
 
-            if (!context.Request.HasFormContentType)
+            if (!context.Request.HasApplicationFormContentType())
             {
                 _logger.LogWarning("Invalid media type");
                 return new StatusCodeResult(HttpStatusCode.UnsupportedMediaType);

src/IdentityServer4/src/Extensions/HttpRequestExtensions.cs

@@ -2,8 +2,10 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 
+using System;
 using Microsoft.AspNetCore.Http;
 using System.Linq;
+using Microsoft.Net.Http.Headers;
 
 #pragma warning disable 1591
 
@@ -26,5 +28,18 @@ public static string GetCorsOrigin(this HttpRequest request)
 
             return null;
         }
+
+        internal static bool HasApplicationFormContentType(this HttpRequest request)
+        {
+            if (request.ContentType is null) return false;
+
+            if (MediaTypeHeaderValue.TryParse(request.ContentType, out var header))
+            {
+                // Content-Type: application/x-www-form-urlencoded; charset=utf-8
+                return header.MediaType.Equals("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase);
+            }
+
+            return false;
+        }
     }
 }

src/IdentityServer4/src/Validation/Default/BearerTokenUsageValidator.cs

@@ -41,7 +41,7 @@ public async Task<BearerTokenUsageValidationResult> ValidateAsync(HttpContext co
                 return result;
             }
 
-            if (context.Request.HasFormContentType)
+            if (context.Request.HasApplicationFormContentType())
             {
                 result = await ValidatePostBodyAsync(context);
                 if (result.TokenFound)

src/IdentityServer4/src/Validation/Default/JwtBearerClientAssertionSecretParser.cs

@@ -54,7 +54,7 @@ public async Task<ParsedSecret> ParseAsync(HttpContext context)
         {
             _logger.LogDebug("Start parsing for JWT client assertion in post body");
 
-            if (!context.Request.HasFormContentType)
+            if (!context.Request.HasApplicationFormContentType())
             {
                 _logger.LogDebug("Content type is not a form");
                 return null;

src/IdentityServer4/src/Validation/Default/MutualTlsSecretParser.cs

@@ -5,6 +5,7 @@
 using System.Linq;
 using System.Threading.Tasks;
 using IdentityServer4.Configuration;
+using IdentityServer4.Extensions;
 using IdentityServer4.Models;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
@@ -44,7 +45,7 @@ public async Task<ParsedSecret> ParseAsync(HttpContext context)
         {
             _logger.LogDebug("Start parsing for client id in post body");
 
-            if (!context.Request.HasFormContentType)
+            if (!context.Request.HasApplicationFormContentType())
             {
                 _logger.LogDebug("Content type is not a form");
                 return null;

src/IdentityServer4/src/Validation/Default/PostBodySecretParser.cs

@@ -51,7 +51,7 @@ public async Task<ParsedSecret> ParseAsync(HttpContext context)
         {
             _logger.LogDebug("Start parsing for secret in post body");
 
-            if (!context.Request.HasFormContentType)
+            if (!context.Request.HasApplicationFormContentType())
             {
                 _logger.LogDebug("Content type is not a form");
                 return null;