Internal server error triggered by "Accept-Charset" header with unexpected value

Hello!

In the minimal example listed under “Routing DSL for HTTP servers” within the Akka HTTP documentation, an internal server error (HTTP response code 500) is triggered when an HTTP request is made with an unexpected value in the “Accept-Charset” header. This behavior can be replicated, for instance, using curl as follows:
curl http://localhost:8080/hello -H 'Accept-Charset: asd'
I tried this in Akka HTTP 10.5.2 and some earlier versions.

Based on the recommendations provided in the MDN web docs, I would expect the header to be ignored by default.

The current behavior becomes particularly problematic as malicious actors frequently try to inject code through this header; each attempt appears in my server logs.
I would appreciate a comment on this. Is there any global configuration option to prevent the header from being evaluated?


Thanks for letting us know, sounds like a bug. The header value is fed to the unmarshallers, which can use the value or ignore it.

I would have expected that passing an invalid value would result in an UnacceptedResponseContentTypeRejection in the routing DSL and then be turned into a 406 NotAcceptable response rather than an internal server error (here RejectionHandler.scala#257).

Perhaps it is invalid enough to fail earlier than in the marshalling, and is not handled correctly in the request parsing. Please open up an issue in the akka-http issue tracker (Issues · akka/akka-http · GitHub) for it.
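The two outcomes discussed in this thread for a header such as `Accept-Charset: asd`, ignoring the header as MDN recommends, or answering 406 as the routing DSL's rejection handling would, are both sanctioned by RFC 7231 section 5.3.3; what must never happen is an unhandled exception turning into a 500. The following is an added example, not Akka HTTP's code and not a description of how its unmarshallers work: a small, tolerant Accept-Charset parser and negotiator that drops malformed members instead of raising, and exposes the "ignore" and "reject" policies as a parameter. The function and parameter names (`parse_accept_charset`, `negotiate_charset`, `on_no_match`) are this example's own.

```python
"""Tolerant Accept-Charset negotiation (added example, not Akka HTTP code).

Shows the two RFC 7231 s5.3.3 behaviours for an unacceptable header:
  on_no_match="ignore"  -> serve the default charset (MDN's recommendation)
  on_no_match="reject"  -> 406 Not Acceptable
Either way, client-supplied junk must not raise, so no 500.
"""
import math
import re

# RFC 7230 token characters; anything else in a charset name is junk.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_accept_charset(header):
    """Return [(charset_lower, q)] in header order, skipping unparseable members.

    A bad token or a non-numeric / non-finite qvalue is downgraded, never
    raised: the client controls this string, so a parse error here is a
    remote-triggerable crash if it is allowed to propagate.
    """
    prefs = []
    for member in header.split(","):
        parts = [p.strip() for p in member.split(";")]
        name = parts[0]
        if not name or not _TOKEN.fullmatch(name):
            continue
        q = 1.0
        for param in parts[1:]:
            key, _, value = param.partition("=")
            if key.strip().lower() != "q":
                continue
            try:
                q = float(value.strip())
            except ValueError:
                q = 0.0  # unparseable qvalue: treat the charset as not acceptable
            if not math.isfinite(q):
                q = 0.0
            q = min(max(q, 0.0), 1.0)
        prefs.append((name.lower(), q))
    return prefs


def negotiate_charset(header, supported, default="UTF-8", on_no_match="ignore"):
    """Pick a response charset. Returns (status, charset).

    status is 200 when a charset was chosen, 406 when nothing is acceptable
    and on_no_match == "reject". `supported` lists the charsets the server
    can actually produce; `default` is used when the header is absent or
    carries no usable preference.
    """
    if header is None:
        return 200, default
    prefs = parse_accept_charset(header)
    if not prefs:
        # Header present but entirely unparseable (e.g. ";;,,"): ignore it.
        return 200, default
    by_lower = {c.lower(): c for c in supported}
    best, best_q = None, 0.0
    for name, q in prefs:
        if name in by_lower and q > best_q:
            best, best_q = by_lower[name], q
    wildcard_q = next((q for name, q in prefs if name == "*"), 0.0)
    if best is None and wildcard_q > 0.0:
        # "*" makes every charset not explicitly given q=0 acceptable.
        excluded = {name for name, q in prefs if q == 0.0}
        for cand in [default] + list(supported):
            if cand in supported and cand.lower() not in excluded:
                best = cand
                break
    if best is not None:
        return 200, best
    if on_no_match == "reject":
        return 406, None
    return 200, default


if __name__ == "__main__":
    # Constructed inputs mirroring the thread's repro and a few other junk shapes.
    for hdr in ["asd", "utf-8;q=abc", "", "*;q=0.5, utf-8;q=0", "iso-8859-5, unicode-1-1;q=0.8"]:
        for policy in ("ignore", "reject"):
            print(repr(hdr), policy, negotiate_charset(hdr, ["UTF-8", "ISO-8859-5", "ISO-8859-1"], on_no_match=policy))
```

The live check for a server stays the curl line from the first post: a robust implementation answers that request with either 200 (header ignored) or 406, and any 500 means a client-controlled string reached an exception path that nobody caught.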

The issue in case anyone comes looking here: Internal server error triggered by “Accept-Charset” header with unexpected value · Issue #4295 · akka/akka-http · GitHub