From 7455abd9e0121116fc002029d709a7cf410b4195 Mon Sep 17 00:00:00 2001
From: Liam Mitchell
Date: Wed, 11 Feb 2026 18:08:07 -0800
Subject: Restrict content-type on POST requests to compact binary or JSON
---
 src/zenserver/storage/projectstore/httpprojectstore.cpp | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
(limited to 'src/zenserver/storage/projectstore/httpprojectstore.cpp')
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.cpp b/src/zenserver/storage/projectstore/httpprojectstore.cpp
index 416e2ed69..575bf4354 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.cpp
+++ b/src/zenserver/storage/projectstore/httpprojectstore.cpp
@@ -1866,6 +1866,14 @@ HttpProjectService::HandleOpLogRequest(HttpRouterRequest& Req)
 {
 return HttpReq.WriteResponse(HttpResponseCode::InsufficientStorage);
 }
+
+ if (HttpReq.RequestContentType() == HttpContentType::kText ||
+ HttpReq.RequestContentType() == HttpContentType::kUnknownContentType)
+ {
+ m_ProjectStats.BadRequestCount++;
+ return HttpReq.WriteResponse(HttpResponseCode::BadRequest, HttpContentType::kText, "Invalid request content type");
+ }
+
 std::filesystem::path OplogMarkerPath;
 if (CbObject Params = HttpReq.ReadPayloadObject())
 {
@@ -2156,6 +2164,13 @@ HttpProjectService::HandleProjectRequest(HttpRouterRequest& Req)
 return HttpReq.WriteResponse(HttpResponseCode::InsufficientStorage);
 }
+ if (HttpReq.RequestContentType() == HttpContentType::kText ||
+ HttpReq.RequestContentType() == HttpContentType::kUnknownContentType)
+ {
+ m_ProjectStats.BadRequestCount++;
+ return HttpReq.WriteResponse(HttpResponseCode::BadRequest, HttpContentType::kText, "Invalid request content type");
+ }
+
 CbValidateError ValidateResult;
 if (CbObject Params = ValidateAndReadCompactBinaryObject(HttpReq.ReadPayload(), ValidateResult); ValidateResult == CbValidateError::None)
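Review bot: The new guard in HandleOpLogRequest is a deny-list of kText and kUnknownContentType, while the subject line says requests are restricted to compact binary or JSON; if HttpContentType has any member beyond the three visible here, that member still reaches ReadPayloadObject() unchecked. An allow-list states the intent directly and does not drift when the enum grows, along the lines of `if (HttpReq.RequestContentType() != HttpContentType::kJSON && HttpReq.RequestContentType() != HttpContentType::<compact-binary member>)`, where the placeholder is whatever the enum's compact-binary value is actually called, since it is not visible in this diff. The HandleProjectRequest hunk below has the identical check and the same gap. Both enclosing functions start before and continue after their hunks.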
@@ -2568,8 +2583,6 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
 switch (PayloadContentType)
 {
 case HttpContentType::kJSON:
- case HttpContentType::kUnknownContentType:
- case HttpContentType::kText:
 {
 std::string JsonText(reinterpret_cast(Payload.GetData()), Payload.GetSize());
 Cb = LoadCompactBinaryFromJson(JsonText).AsObject();
--
cgit v1.2.3
From 1cd70d1e875c2331d8a3c57aa8b0fd7267a63973 Mon Sep 17 00:00:00 2001
From: Liam Mitchell
Date: Wed, 4 Mar 2026 17:52:54 -0800
Subject: Allow requests with invalid content-types unless specified in command line or config
---
 .../storage/projectstore/httpprojectstore.cpp | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
(limited to 'src/zenserver/storage/projectstore/httpprojectstore.cpp')
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.cpp b/src/zenserver/storage/projectstore/httpprojectstore.cpp
index 575bf4354..fe32fa15b 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.cpp
+++ b/src/zenserver/storage/projectstore/httpprojectstore.cpp
@@ -535,7 +535,8 @@ HttpProjectService::HttpProjectService(CidStore& Store,
 HttpStatsService& StatsService,
 AuthMgr& AuthMgr,
 OpenProcessCache& InOpenProcessCache,
- JobQueue& InJobQueue)
+ JobQueue& InJobQueue,
+ bool InRestrictContentTypes)
 : m_Log(logging::Get("project"))
 , m_CidStore(Store)
 , m_ProjectStore(Projects)
@@ -544,6 +545,7 @@ HttpProjectService::HttpProjectService(CidStore& Store,
 , m_AuthMgr(AuthMgr)
 , m_OpenProcessCache(InOpenProcessCache)
 , m_JobQueue(InJobQueue)
+, m_RestrictContentTypes(InRestrictContentTypes)
 {
 ZEN_MEMSCOPE(GetProjectHttpTag());
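Review bot: Dropping the kUnknownContentType and kText labels from the kJSON arm sends those payloads to whatever the switch does for unlisted values, and that branch is outside the hunk; unless it increments m_ProjectStats.BadRequestCount and answers BadRequest with the same message, HandleRpcRequest now reports a rejected content type differently from the two handlers this commit changes above it. Confirming the fall-through path, or giving these two labels an explicit arm that mirrors the other handlers, keeps the three endpoints consistent for whoever reads the stats. HandleRpcRequest's switch continues past the end of the hunk.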
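Review bot: The trailing `bool InRestrictContentTypes` constructor parameter has no default, so every existing construction site has to change in the same commit, and both those sites and the m_RestrictContentTypes member declaration fall outside this file-filtered view; worth confirming they are present in the full change. As a point of style, a bare bool at the end of a long reference-parameter list reads as an unexplained `true`/`false` at the call site; an `enum class` with two named values would carry the meaning there without changing behaviour. The initializer-list hunk that follows is the other half of this same change.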
@@ -1867,8 +1869,8 @@ HttpProjectService::HandleOpLogRequest(HttpRouterRequest& Req)
 return HttpReq.WriteResponse(HttpResponseCode::InsufficientStorage);
 }
- if (HttpReq.RequestContentType() == HttpContentType::kText ||
- HttpReq.RequestContentType() == HttpContentType::kUnknownContentType)
+ if (m_RestrictContentTypes && (HttpReq.RequestContentType() == HttpContentType::kText ||
+ HttpReq.RequestContentType() == HttpContentType::kUnknownContentType))
 {
 m_ProjectStats.BadRequestCount++;
 return HttpReq.WriteResponse(HttpResponseCode::BadRequest, HttpContentType::kText, "Invalid request content type");
@@ -2164,8 +2166,8 @@ HttpProjectService::HandleProjectRequest(HttpRouterRequest& Req)
 return HttpReq.WriteResponse(HttpResponseCode::InsufficientStorage);
 }
- if (HttpReq.RequestContentType() == HttpContentType::kText ||
- HttpReq.RequestContentType() == HttpContentType::kUnknownContentType)
+ if (m_RestrictContentTypes && (HttpReq.RequestContentType() == HttpContentType::kText ||
+ HttpReq.RequestContentType() == HttpContentType::kUnknownContentType))
 {
 m_ProjectStats.BadRequestCount++;
 return HttpReq.WriteResponse(HttpResponseCode::BadRequest, HttpContentType::kText, "Invalid request content type");
@@ -2582,8 +2584,17 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
 CbObject Cb;
 switch (PayloadContentType)
 {
+ case HttpContentType::kText:
+ case HttpContentType::kUnknownContentType:
 case HttpContentType::kJSON:
 {
+ if (m_RestrictContentTypes &&
+ (PayloadContentType == HttpContentType::kText || PayloadContentType == HttpContentType::kUnknownContentType))
+ {
+ m_ProjectStats.BadRequestCount++;
+ return HttpReq.WriteResponse(HttpResponseCode::BadRequest, HttpContentType::kText, "Invalid request content type");
+ }
+
 std::string JsonText(reinterpret_cast(Payload.GetData()), Payload.GetSize());
 Cb = LoadCompactBinaryFromJson(JsonText).AsObject();
 if (!Cb)
--
cgit v1.2.3
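Review bot: With m_RestrictContentTypes false, a text or unknown-typed body in HandleOpLogRequest is neither rejected nor recorded, so an operator has no signal for how many clients would break before turning the option on; counting the would-be rejections in the permissive path — a stat incremented just before the gated `if` whenever the content type is kText or kUnknownContentType, named to match the existing m_ProjectStats counters (name to be chosen) — turns the flag into a two-step rollout that can be enabled with evidence. The condition is also now copy-pasted in this hunk, the HandleProjectRequest hunk and the HandleRpcRequest hunk below, in two different shapes; a small private helper such as `bool ShouldRejectContentType(HttpContentType Type) const` keeps the three in step when the list changes. Both handler bodies extend beyond their hunks.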
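Review bot: Inside the merged case arm only kText, kUnknownContentType and kJSON can reach the new `if`, so the inner disjunction merely restates the labels; `if (m_RestrictContentTypes && PayloadContentType != HttpContentType::kJSON)` expresses the same test in one line and stays correct if a label is later added to the arm. When the flag is off, text and unknown bodies are handed to LoadCompactBinaryFromJson, which restores the behaviour the earlier commit removed, and nothing in the code says this is deliberate; a comment on the `case HttpContentType::kText:` label such as `// Tolerated as JSON unless content-type restriction is enabled` spares the next reader the history lookup. HandleRpcRequest's switch continues after the hunk.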