aspnet
[Breaking change]: Minimal APIs consuming IFormFile or IFormFileCollection parameters require anti-forgery checks
Description
Minimal API endpoints that consume an IFormFile or IFormFileCollection will now be opted-in to requiring anti-forgery token validation using the new anti-forgery middleware.
Version
.NET 8 RC 1
Previous behavior
Minimal API endpoints that bound a parameter from the form via IFormFile or IFormFileCollection did not require anti-forgery validation.
New behavior
Minimal API endpoints that bound a parameter from the form via IFormFile or IFormFileCollection did require anti-forgery validation. An exception will be thrown at startup if the anti-forgery middleware is not registered for an API that defines these input types.
Type of breaking change
- [ ] Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
- [ ] Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code may require source changes to compile successfully.
- [X] Behavioral change: Existing binaries may behave differently at run time.
Reason for change
Anti-forgery token validation is a recommended security precaution for APIs that consume data from a form.
Recommended action
Users can opt out of anti-forgery validation for specific endpoints by using the DisableAntiforgery method like so:
var app = WebApplication.Create();
app.MapPost("/", (IFormFile formFile) => ...)
.DisableAntiforgery();
app.Run();
Affected APIs
None.
