Mvc: Querystring with empty key will fill every parameter with the specified value
Is this a Bug or Feature request?: BUG
Steps to reproduce (preferably a link to a GitHub repo with a repro project):
using the query with a empty key ("?=bug") will result in all* parameters being filled with the value ("bug") specified
https://github.com/KLuuKer/bug-url-query-param
Description of the problem:
when sending the following url ?=bug every parameter will get filled with the string "bug" (except those with the FromQuery attribute that has the Name= property specified)
Version of Microsoft.AspNetCore.App:
<Project Sdk="Microsoft.NET.Sdk.Web">
<TargetFramework>netcoreapp2.1</TargetFramework>
<PackageReference Include="Microsoft.AspNetCore.App" />
happening on production box with 'hosting runtime bundle v2.1.4'
and when running debug with visual studio 15.9.0 preview 2
KLuuKer
All 7 comments
@pranavkm, can you please look into this? Thanks!
mkArtakMSFT
on 20 Sep 2018
SetModelValue() in Microsoft.AspNetCore.Mvc.Abstractions\ModelBinding\ModelStateDictionary.cs is checking key is null but not checking it is empty.
charmis
on 21 Sep 2018
The behavior is by design - MVC's model binding falls back to an empty string if it cannot find the value for a top level parameter or property name appear in the request. The most common case for this is to allow posting user models without having a prefix. Consider:
```C#
public class SearchFilter
{
string SearchTerm { get; set; }
}
public IActionResult Search(SearchFilter filter)
The `filter` parameter gets bound with a view that looks like:
```html
<form method="post">
<input type="text" name="SearchTerm" />
<!-- This is what you get when you do `<input asp-for="SearchTerm" />` -->
OR
<input type="text" name="filter.SearchTerm" />
...
</form>
In a scenario like this, MVC looks for any input that start with the key "filter". This allows the second kind of input to bind correctly. In the absence of this, MVC falls back to an "empty" prefix and uses that to model bind the object graph of SearchFilter.
The scenario that you listed is a corner case of the behavior, MVC looks for the key "a", failing which it falls back to the empty prefix. Slightly related, browsers (I tried Chrome and Edge) don't send form elements with empty name (<input type="text" name="" />) with the request.
pranavkm
on 24 Sep 2018
I understand that it behaves this way because of the way our system is implemented, but surely we could do something about this? This doesn't seem like a reasonable behaviour that anyone could take a dependency one.
rynowak
on 24 Sep 2018
I agree with @rynowak , I understand this is because the way the it's designed for form post's, but having this also be the case for http GET querystring parameters is just really really weird imho.
Also if I would like to work around this "bug" so it behaves "correctly" I will have to end up adding [FromQuery(Name="x")] to every parameter in my code....
KLuuKer
on 25 Sep 2018
Reopening. We could ignore empty strings for QueryStringValueProvider. That said, @KLuuKer how did you end up with a empty-valued key? AFAIK, MVC wouldn't generate a link with an empty key and browser forms ignore it.
pranavkm
on 25 Sep 2018
@pakrym TL;DR OSI Layer 8...
We use some query parameters to prefill data (vouchers\affiliates\etc)
and a no tech co-worker forgot what the key was that she needed to use.
So she started building the url ?=somevalue and was then going to figure out what the correct key is, except then it just "worked" when she hit enter and just used it as is...
KLuuKer
on 26 Sep 2018
Related issues
Lutando
路
4Comments
miroslavsiska
路
4Comments
rynowak
路
3Comments
MariovanZeist
路
4Comments
nefcanto
路
3Comments