Bug #12782

AtoM returns 200 HTTP status when bots and curl requests attempt to access restricted pages (such as the web installer); should return 403 instead

Added by Dan Gillean 9 months ago. Updated 2 months ago.

Status: Verified
Start date: 02/06/2019
Priority: Medium
Due date:
Assignee: Dan Gillean
% Done: 0%
Category: Security
Target version: Release 2.5.2
Google Code Legacy ID:
Tested version: 2.4, 2.5
Sponsored: No
Requires documentation:

Description

First discovered via the AtoM User Forum, 2019-02-05: https://groups.google.com/d/msg/ica-atom-users/XN-IRUUhzM0/AU7Slrz-FgAJ

Currently, a public user cannot access the web installer pages in AtoM. However, since AtoM supplies a valid webpage (which includes a custom "permission denied" message), bots and curl requests to these restricted pages still return an HTTP 200 status code. We should instead consider returning a 403 (Forbidden) code in these cases.

To reproduce

  • Use cURL to try to access the web installer on a site for which you have access to the Nginx access logs, e.g.:
curl http://10.10.10.10/index.php/sfInstallPlugin/configureDatabase
  • Now check the Nginx access log for the site:
sudo tail -f /var/log/nginx/access.log

Resulting error

The curl request returns a 200 status, because a webpage is successfully served (even though it says access denied).

Expected result

The curl request should return a 403 status.
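As an added example (not code from the AtoM project), the reproduction steps and the expected result above as a shell check: it scans Nginx access-log lines for requests to the installer route that were answered with 200, and wraps the curl status-code check so it succeeds only on 403. The log lines, client IPs and user agents in the sample are constructed.

```shell
#!/bin/sh
# Added example (not AtoM project code): flag access-log hits on the web
# installer route that were answered with HTTP 200 instead of 403.

# Constructed nginx access-log sample in the default "combined" format.
SAMPLE_LOG='10.10.10.20 - - [06/Feb/2019:10:00:01 +0000] "GET /index.php/sfInstallPlugin/configureDatabase HTTP/1.1" 200 5120 "-" "curl/7.58.0"
10.10.10.21 - - [06/Feb/2019:10:00:05 +0000] "GET /index.php/informationobject/browse HTTP/1.1" 200 8870 "-" "Mozilla/5.0"
10.10.10.22 - - [06/Feb/2019:10:00:09 +0000] "GET /index.php/sfInstallPlugin/configureDatabase HTTP/1.1" 403 1290 "-" "curl/7.58.0"
10.10.10.23 - - [06/Feb/2019:10:00:12 +0000] "GET /index.php/sfInstallPlugin/ HTTP/1.1" 200 4010 "-" "Googlebot/2.1"'

# Read a combined-format log on stdin; print "client path status user-agent"
# for every request to the installer route (/index.php/sfInstallPlugin/...)
# that got a 200. In the combined format the request path is field 7 and the
# status code field 9. Before the fix each such line is a restricted page that
# a bot or curl will record as publicly reachable; after it, none should appear.
installer_hits_served_200() {
  awk '$7 ~ /^\/index\.php\/sfInstallPlugin/ && $9 == 200 { print $1, $7, $9, $12 }'
}

# Live check for one URL: fetch only the status code (body discarded), as the
# reproduction steps do with curl, and succeed only when it is 403.
# Not invoked below: it needs network access to a running AtoM instance.
expect_403() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
  echo "$1 -> $code"
  [ "$code" = "403" ]
}

# Usage: run the log check over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | installer_hits_served_200
```

Point `installer_hits_served_200` at the real log (`sudo cat /var/log/nginx/access.log | ...`) to audit past requests, and `expect_403 http://10.10.10.10/index.php/sfInstallPlugin/configureDatabase` to confirm the fix on a live site.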

History

#1 Updated by Mike Cantelon 3 months ago

  • Status changed from New to Code Review

#2 Updated by Mike Cantelon 3 months ago

  • Status changed from Code Review to QA/Review

Merged into qa/2.6.x.

#3 Updated by Dan Gillean 3 months ago

  • Status changed from QA/Review to In progress
  • Assignee set to Mike Cantelon
  • Target version set to Release 2.5.2

Looks good in 2.6 - feel free to backport to stable/2.5.x!

#4 Updated by Mike Cantelon 3 months ago

  • Status changed from In progress to QA/Review
  • Assignee changed from Mike Cantelon to Dan Gillean

Backported to stable/2.5.x.

#5 Updated by Dan Gillean 2 months ago

  • Status changed from QA/Review to Verified
