authorLars Wirzenius <liw@liw.fi>2017-10-09 11:01:20 +0300
committerLars Wirzenius <liw@liw.fi>2017-10-09 11:01:20 +0300
commite71acd2705f9c2354965d61c35e1c0034b18ce66 (patch)
treead565a09d86e7f8c90f57bc363757dcedd79836e
parent798b85763d5b640ca3106cca219cbccc70391511 (diff)
downloadapifw-e71acd2705f9c2354965d61c35e1c0034b18ce66.tar.gz
Add: disallow empty bodies for PUT and POST requests
-rw-r--r--NEWS2
-rw-r--r--apifw/__init__.py1
-rw-r--r--apifw/bottleapp.py8
-rw-r--r--apifw/http.py2
4 files changed, 12 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 7eb3e55..ab33e6e 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ This file summarizes changes between releases of `apifw`.
Version 0.14+git, not yet released
----------------------------------
+* Disallow empty bodies for POST and PUT requests. Status code 411 is
+ returned in that case.
Version 0.14, released 2017-10-04
----------------------------------
diff --git a/apifw/__init__.py b/apifw/__init__.py
index 42c575b..7c1ce5b 100644
--- a/apifw/__init__.py
+++ b/apifw/__init__.py
@@ -24,6 +24,7 @@ from .http import (
HTTP_NOT_FOUND,
HTTP_BAD_REQUEST,
HTTP_CONFLICT,
+ HTTP_LENGTH_REQUIRED,
)
from .token import create_token, decode_token
from .bottleapp import BottleApplication, create_bottle_application
diff --git a/apifw/bottleapp.py b/apifw/bottleapp.py
index 774e1c2..541ddfe 100644
--- a/apifw/bottleapp.py
+++ b/apifw/bottleapp.py
@@ -258,9 +258,15 @@ class BottleApplication:
return wrapper
def _get_request_body(self):
+ raw_body = bottle.request.body.read()
+ if bottle.request.method in ('POST', 'PUT'):
+ if len(raw_body) == 0:
+ raise bottle.HTTPError(
+ apifw.HTTP_LENGTH_REQUIRED,
+ body='Empty body not allowed for PUT/POST')
+
json_type = 'application/json'
content_type = bottle.request.get_header('Content-Type')
- raw_body = bottle.request.body.read()
if content_type != json_type:
return content_type, raw_body
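Review bot: The new check at the top of `_get_request_body` looks at the length of the body that was read, not at whether a Content-Length header was supplied, yet it answers with 411 Length Required; a client that sends `Content-Length: 0` is then told its length is missing. Either use the status that matches the condition actually tested (400 Bad Request for an empty body, keeping the message) or base the 411 decision on the header, e.g. `if bottle.request.content_length < 0:` — bottle reports an absent header as -1, which is worth confirming for the version in use. PATCH requests, which normally carry a body too, are not covered by the `('POST', 'PUT')` tuple on the second added line; if that is deliberate, a one-line comment saying so would help. The rest of `_get_request_body` continues outside the hunk.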
diff --git a/apifw/http.py b/apifw/http.py
index 62f9234..0675442 100644
--- a/apifw/http.py
+++ b/apifw/http.py
@@ -21,6 +21,8 @@ HTTP_FORBIDDEN = 403
HTTP_NOT_FOUND = 404
HTTP_BAD_REQUEST = 400
HTTP_CONFLICT = 409
+HTTP_CONFLICT = 409
+HTTP_LENGTH_REQUIRED = 411
class HttpTransaction:
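Review bot: The added line `HTTP_CONFLICT = 409` duplicates the existing definition directly above it, so the constant is now assigned twice; only `HTTP_LENGTH_REQUIRED = 411` is new. Drop the duplicate so the status table stays one line per code. A short comment on the new constant, e.g. `# returned by _get_request_body when a POST/PUT body is empty`, would tie it to the NEWS entry and the bottleapp change in the same commit.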