Add option for validating content-type header

For systems implementing to the OWASP security guidelines[1] (of which all
should ideally) we should be checking the content-type header all times
that we parse a request as JSON.

This commit adds an option for parsing content-type, and sets a default
of "must get content-type".  Ideally this would not be a breaking
change, but given the number of guides and scripts that omit the content
type, it seems worthwhile to add a trapdoor, such that people can opt
into their own model on how they would like to see this checking work.

Tested:
```
curl --insecure -H "Content-Type: application/json" -X POST -D headers.txt https://${bmc}/redfish/v1/SessionService/Sessions -d    '{"UserName":"root", "Password":"0penBmc"}'
```

Succeeds.

Removing Content-Type argument causes bmc to return
Base.1.13.0.UnrecognizedRequestBody.

[1] cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html

Change-Id: Iaa47dd563b40036ff2fc2cacb70d941fd8853038
Signed-off-by: Ed Tanous <edtanous@google.com>

1 files changed, 11 insertions, 0 deletions

diff --git a/meson_options.txt b/meson_options.txt
index ecc7aebc22..52c3e6cefb 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -293,6 +293,17 @@ option(
 )
 
 option(
+    'insecure-ignore-content-type',
+    type: 'feature',
+    value: 'enabled',
+    description: '''Allows parsing PUT/POST/PATCH content as JSON regardless
+                    of the presence of the content-type header.  Enabling this
+                    conflicts with the input parsing guidelines, but may be
+                    required to support old clients that may not set the
+                    Content-Type header on payloads.'''
+)
+
+option(
     'insecure-push-style-notification',
     type: 'feature',
     value: 'disabled',