fix: reject non-JSON Content-Type with 415 and validate protocol version header on initialize#968
Open
suryateja-g13 wants to merge 1 commit into
Conversation
HttpServletStreamableServerTransportProvider accepted POST requests regardless of their Content-Type header, processing them normally even when declared as text/plain, application/x-www-form-urlencoded, or with no Content-Type at all. Add an early Content-Type check in doPost() that returns HTTP 415 Unsupported Media Type when the request Content-Type is absent or does not start with application/json, consistent with other MCP server implementations and browser/CORS hardening expectations. Also validate that the MCP-Protocol-Version request header on initialize requests is consistent with the protocolVersion field in the JSON-RPC body, returning HTTP 400 with a JSON-RPC INVALID_PARAMS error on mismatch. Fixes modelcontextprotocol#961 Fixes modelcontextprotocol#963 Signed-off-by: Gorre Surya <suryateja.g13@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #961 and #963.
Changes
#961 — Content-Type validation (HTTP 415)
HttpServletStreamableServerTransportProvider.doPost()accepted POST requests regardless of theirContent-Typeheader, processingtext/plain,application/x-www-form-urlencoded, and requests with noContent-Typeidentically toapplication/jsonrequests.Added an early guard in
doPost()that returns HTTP 415 Unsupported Media Type whenContent-Typeis absent or does not start withapplication/json.#963 — Protocol version header/body consistency on initialize
When the
MCP-Protocol-Versionrequest header on aninitializerequest disagrees withparams.protocolVersionin the JSON-RPC body, the server now returns HTTP 400 with a JSON-RPCINVALID_PARAMSerror rather than silently accepting the mismatched input.Test plan
Content-Type: text/plain→ 415Content-Type→ 415Content-Type: application/json→ proceeds normallyinitializewith header2025-03-26and body2025-11-25→ 400initializewith matching header and body → proceeds normallyinitializewith noMCP-Protocol-Versionheader → proceeds normally (header is optional)