AtoM returns 200 HTTP status when bots and curl requests attempt to access restricted pages (such as the web installer); should return 403 instead
Assignee: Dan Gillean
% Done: 
Target version: Release 2.5.2
Google Code Legacy ID: 
Tested version: 2.4, 2.5
First discovered via the AtoM User Forum, 2019-02-05: https://groups.google.com/d/msg/ica-atom-users/XN-IRUUhzM0/AU7Slrz-FgAJ
Currently, a public (unauthenticated) user cannot use the web installer pages in AtoM. However, because AtoM answers with a normal, fully rendered page (containing a custom "permission denied" message), requests from bots and from curl to these restricted pages still receive an HTTP 200 status code. We should instead consider returning a 403 (Forbidden) status code in these cases, so that clients and crawlers can tell the page was refused rather than served.
- Use cURL to request the web installer on a site for which you have access to the Nginx access logs - e.g.:
- Now check the Nginx access log for the site:
sudo tail -f /var/log/nginx/access.log
Current result: the curl request returns a 200 status, because a webpage is successfully served (even though that page says access is denied).
Expected result: the curl request should return a 403 status.
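As an added example (not part of this bug report or of the AtoM code base), the following POSIX shell script automates the reproduction above: it reads the bare HTTP status code that curl receives for a URL, and it extracts the status Nginx recorded for requests to a given path from a combined-format access log. The installer path /index.php/sfInstallPlugin, the host atom.example.org and the log lines are assumptions constructed for the demonstration, not values taken from the report.

```shell
#!/bin/sh
# Added example for the AtoM issue "restricted pages return 200 instead of 403".
# Not AtoM project code. The installer path, host and log lines are assumed.

# Print only the HTTP status code curl receives for a URL (no body, no redirects).
# Usage: http_status 'https://atom.example.org/index.php/sfInstallPlugin'
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Succeed only when the URL returns the expected code; report the mismatch otherwise.
# Usage: expect_status 403 'https://atom.example.org/index.php/sfInstallPlugin'
expect_status() {
    want="$1"; url="$2"
    got=$(http_status "$url")
    if [ "$got" = "$want" ]; then
        printf '%s -> %s (as expected)\n' "$url" "$got"
        return 0
    fi
    printf '%s -> %s (expected %s)\n' "$url" "$got" "$want" >&2
    return 1
}

# Print "PATH STATUS" for every request in a combined-format Nginx access log
# whose request path starts with the given prefix. The status is the first
# token after the quoted request line.
# Usage: log_statuses '/index.php/sfInstallPlugin' /var/log/nginx/access.log
log_statuses() {
    prefix="$1"; logfile="$2"
    awk -v p="$prefix" '
        {
            split($0, q, "\"")      # q[2] = request line, q[3] = " STATUS BYTES "
            split(q[2], r, " ")     # r[1] = method, r[2] = path
            if (index(r[2], p) == 1) {
                split(q[3], s, " ") # leading blanks ignored, so s[1] = STATUS
                print r[2], s[1]
            }
        }' "$logfile"
}

# Write constructed sample log lines (not real server data) to the given file.
# They model the reported behaviour: the restricted installer page is served
# with 200 both to curl and to a crawler, same as a public page.
write_sample_log() {
    cat >"$1" <<'EOF'
203.0.113.5 - - [05/Feb/2019:10:00:01 +0000] "GET /index.php/sfInstallPlugin HTTP/1.1" 200 4821 "-" "curl/7.58.0"
203.0.113.5 - - [05/Feb/2019:10:00:02 +0000] "GET /index.php/sfInstallPlugin/configureDatabase HTTP/1.1" 200 4790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.9 - - [05/Feb/2019:10:00:03 +0000] "GET /index.php/ HTTP/1.1" 200 12034 "-" "curl/7.58.0"
EOF
}

# Offline demonstration on the constructed log; against a live site you would run
# e.g.: expect_status 403 'https://atom.example.org/index.php/sfInstallPlugin'
SAMPLE_LOG=$(mktemp)
write_sample_log "$SAMPLE_LOG"
log_statuses '/index.php/sfInstallPlugin' "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

On the sample log this prints the two installer requests with status 200, which is the behaviour the report describes; once the fix is in place the same check against a real log should show 403 for those paths. Note that http_status does not follow redirects, so a 302 to a login page would be reported as 302 rather than as the status of the page it leads to.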