Bug #12782: AtoM returns 200 HTTP status when bots and curl requests attempt to access restricted pages (such as the web installer); should return 403 instead - Access to Memory (AtoM) - Artefactual Projects

Bug #12782

AtoM returns 200 HTTP status when bots and curl requests attempt to access restricted pages (such as the web installer); should return 403 instead

Added by Dan Gillean over 3 years ago. Updated almost 3 years ago.

Status:

Verified

Start date:

02/06/2019

Priority:

Medium

Due date:

Assignee:

Dan Gillean

% Done:

Category:

Security

Target version:

Release 2.5.2

Google Code Legacy ID:

Tested version:

2.4, 2.5

Sponsored:

Requires documentation:

Description

First discovered via the AtoM User Forum, 2019-02-05: https://groups.google.com/d/msg/ica-atom-users/XN-IRUUhzM0/AU7Slrz-FgAJ

Currently, a public user cannot access the web installer pages in AtoM. However, since AtoM supplies a valid webpage (which includes a custom "permission denied" message), bots and curl requests to these restricted pages still return an HTTP 200 status code. We should instead consider returning a 403(forbidden) code in these cases.

To reproduce

use cURL to try to access the web installer for a site to which you have access to the Nginx access logs - e.g.:

curl http://10.10.10.10/index.php/sfInstallPlugin/configureDatabase

Now access the Nginx access logs for the site:

sudo tail -f /var/log/nginx/access.log

Resulting error

The curl request returns a 200 status. This is because a webpage is successfully served (though it says access denied)

Expected result

The curl request should return a 403 status.

History

#1 Updated by Mike Cantelon almost 3 years ago

Status changed from New to Code Review

PR for CR: https://github.com/artefactual/atom/pull/937

#2 Updated by Mike Cantelon almost 3 years ago

Status changed from Code Review to QA/Review

Merged into qa/2.6.x.

#3 Updated by Dan Gillean almost 3 years ago

Status changed from QA/Review to In progress
Assignee set to Mike Cantelon
Target version set to Release 2.5.2

Looks good in 2.6 - feel free to backport to stable/2.5.x!

#4 Updated by Mike Cantelon almost 3 years ago

Status changed from In progress to QA/Review
Assignee changed from Mike Cantelon to Dan Gillean

Backported to stable/2.5.x.

#5 Updated by Dan Gillean almost 3 years ago

Status changed from QA/Review to Verified

Also available in: Atom PDF

Access to Memory (AtoM)

Issues

Custom queries