author: Ed Tanous <edtanous@google.com> 2021-09-13 23:07:32 +0300
committer: Ed Tanous <ed@tanous.net> 2021-09-17 19:39:43 +0300
commit: ad22fefecaf7988fd7072dc71042efbf86fc5162 (patch)
tree: a3b9291f037b5b5aa4367bacd1ddb9f2034b1eb1 /redfish-core/lib/event_service.hpp
parent: 7de9f811db3400121e1453b1fa3da09ae6df69f6 (diff)
download: bmcweb-ad22fefecaf7988fd7072dc71042efbf86fc5162.tar.xz

Nullify HttpHeaders per the specification

Per the definition of HttpHeaders in the schema "This object shall be null or an empty array in responses."

This commit does as the specification commands.

In theory, this could break clients that were checking the HttpHeaders after posting it, but it's not being put behind an option flag in this patchset for a couple reasons:
1. This has the potential to leak security secrets, as the normal use case for this is to put in Authorization headers.
2. Given that the most likely client that would "break" is the one doing the POST to this API, and it already has the data, it seems unlikely that there's any implementation that would explicitly check that the returned object is identical to the sent one, especially if error codes are handled properly.

Tested:
curl -vvvv --insecure -u root:0penBmc "https://192.168.7.2:443/redfish/v1/EventService/Subscriptions" -X POST -d "{\"Destination\":\"http://192.168.7.2/foo\",\"Context\":\"Public\",\"Protocol\":\"Redfish\",\"HttpHeaders\": [{\"Foo\": \"Bar\"}]}"
Succeeded with 200

curl -vvvv --insecure -u root:0penBmc "https://192.168.7.2/redfish/v1/EventService/Subscriptions/405645225"
Returned
"HttpHeaders": [],
As part of its object

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I32181044d0af6b4395daea3f6ca4480022fc7553

Diffstat (limited to 'redfish-core/lib/event_service.hpp')
-rw-r--r-- redfish-core/lib/event_service.hpp | 3
1 files changed, 2 insertions, 1 deletions
diff --git a/redfish-core/lib/event_service.hpp b/redfish-core/lib/event_service.hpp
index 67ad014690..8609862694 100644
--- a/redfish-core/lib/event_service.hpp
+++ b/redfish-core/lib/event_service.hpp
@@ -518,7 +518,8 @@ inline void requestRoutesEventDestination(App& app)
asyncResp->res.jsonValue["Context"] = subValue->customText;
asyncResp->res.jsonValue["SubscriptionType"] =
subValue->subscriptionType;
- asyncResp->res.jsonValue["HttpHeaders"] = subValue->httpHeaders;
+ asyncResp->res.jsonValue["HttpHeaders"] =
+ nlohmann::json::array();
asyncResp->res.jsonValue["EventFormatType"] =
subValue->eventFormatType;
asyncResp->res.jsonValue["RegistryPrefixes"] =
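
Review bot: the new `HttpHeaders` assignment in requestRoutesEventDestination hard-codes `nlohmann::json::array()` with no comment explaining why the stored `subValue->httpHeaders` is deliberately withheld. Without that context a later cleanup could restore the old line and start returning subscriber-supplied Authorization headers again. Please add a short comment above the assignment quoting the schema requirement ("This object shall be null or an empty array in responses") and noting that the stored headers may carry credentials. This hunk only covers the single-subscription GET handler, and the commit message shows the empty array for that GET but not the body returned by the POST, so it is worth confirming that no other response path serializes `subValue->httpHeaders`, and adding a regression test that POSTs a subscription with a header and asserts the subsequent GET returns `"HttpHeaders": []`.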