Pull request: 4970-error-415

Updates #4970. Squashed commit of the following: commit 10365d9c8474e9d9735f581fb32b2892b2153cc4 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Sep 30 14:23:06 2022 +0300 all: imp docs, names commit cff1103a0618a6430dc91e7e018febbf313c12ba Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Fri Sep 30 14:02:38 2022 +0300 home: imp content-type check
2022-09-30 14:41:25 +03:00
parent 7b48863041
commit 4d404b887f
7 changed files with 122 additions and 60 deletions
--- a/openapi/CHANGELOG.md
+++ b/openapi/CHANGELOG.md
@@ -6,6 +6,28 @@



+## v0.107.15: `POST` Requests Without Bodies
+
+As an additional CSRF protection measure, AdGuard Home now ensures that requests
+that change its state but have no body do not have a `Content-Type` header set
+on them.
+
+This concerns the following APIs:
+
+* `POST /control/dhcp/reset_leases`;
+* `POST /control/dhcp/reset`;
+* `POST /control/parental/disable`;
+* `POST /control/parental/enable`;
+* `POST /control/querylog_clear`;
+* `POST /control/safebrowsing/disable`;
+* `POST /control/safebrowsing/enable`;
+* `POST /control/safesearch/disable`;
+* `POST /control/safesearch/enable`;
+* `POST /control/stats_reset`;
+* `POST /control/update`.
+
+
+
 ## v0.107.14: BREAKING API CHANGES

 A Cross-Site Request Forgery (CSRF) vulnerability has been discovered.  We have
@@ -13,6 +35,9 @@ implemented several measures to prevent such vulnerabilities in the future, but
 some of these measures break backwards compatibility for the sake of better
 protection.

+All JSON APIs that expect a body now check if the request actually has
+`Content-Type` set to `application/json`.
+
 All new formats for the request and response bodies are documented in
 `openapi.yaml`.