Bug #12782
AtoM returns 200 HTTP status when bots and curl requests attempt to access restricted pages (such as the web installer); should return 403 instead
| Status: | Verified | Start date: | 02/06/2019 |
|---|---|---|---|
| Priority: | Medium | Due date: | |
| Assignee: | Dan Gillean | % Done: | 0% |
| Category: | Security | | |
| Target version: | Release 2.5.2 | | |
| Google Code Legacy ID: | | Tested version: | 2.4, 2.5 |
| Sponsored: | No | Requires documentation: | |
Description
First discovered via the AtoM User Forum, 2019-02-05: https://groups.google.com/d/msg/ica-atom-users/XN-IRUUhzM0/AU7Slrz-FgAJ
Currently, a public user cannot access the web installer pages in AtoM. However, since AtoM supplies a valid webpage (which includes a custom "permission denied" message), bots and curl requests to these restricted pages still return an HTTP 200 status code. We should instead consider returning a 403 (Forbidden) code in these cases.
To reproduce
- Use cURL to try to access the web installer on a site for which you have access to the Nginx access logs, e.g.:
  `curl http://10.10.10.10/index.php/sfInstallPlugin/configureDatabase`
- Now check the Nginx access logs for the site:
  `sudo tail -f /var/log/nginx/access.log`
Resulting error
The curl request returns a 200 status. This is because a webpage is successfully served (even though the page itself says access is denied).
Expected result
The curl request should return a 403 status.
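As an added example (not part of the original report or the AtoM code base), the following Python script turns the reproduction above into a check that can be run over Nginx access logs: it flags requests to the restricted installer path that were answered with 200, which is exactly the "soft denial" this bug describes. The log lines are constructed samples, and the restricted path prefix is taken from the report.

```python
import re
from dataclasses import dataclass

# Constructed sample Nginx access log lines (combined format), not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Feb/2019:10:01:12 +0000] "GET /index.php/sfInstallPlugin/configureDatabase HTTP/1.1" 200 4321 "-" "curl/7.58.0"
10.0.0.5 - - [06/Feb/2019:10:01:20 +0000] "GET /index.php/informationobject/browse HTTP/1.1" 200 9876 "-" "curl/7.58.0"
10.0.0.9 - - [06/Feb/2019:10:02:03 +0000] "GET /index.php/sfInstallPlugin/checkSystem HTTP/1.1" 403 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""

# Path prefixes that anonymous clients should never reach; the installer prefix is the
# one named in the report. Extend this tuple for other restricted areas of a deployment.
RESTRICTED_PREFIXES = ("/index.php/sfInstallPlugin",)

# Nginx "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

@dataclass
class Finding:
    ip: str
    path: str
    status: int
    user_agent: str

def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_restricted(path):
    # Drop any query string before matching so "?x=y" suffixes cannot dodge the prefix check.
    return path.split("?", 1)[0].startswith(RESTRICTED_PREFIXES)

def find_soft_denials(log_text):
    """Return restricted-path requests that were answered with 200 instead of 403."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_restricted(rec["path"]):
            continue
        if int(rec["status"]) == 200:
            findings.append(Finding(rec["ip"], rec["path"], 200, rec["ua"]))
    return findings

if __name__ == "__main__":
    for f in find_soft_denials(SAMPLE_LOG):
        print(f"soft denial: {f.ip} {f.path} -> {f.status} ({f.user_agent})")
```

Once the fix is deployed, the same check should report nothing for the installer prefix, since those requests now log as 403.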
History
#1 Updated by Mike Cantelon almost 3 years ago
- Status changed from New to Code Review
PR for CR: https://github.com/artefactual/atom/pull/937
#2 Updated by Mike Cantelon almost 3 years ago
- Status changed from Code Review to QA/Review
Merged into qa/2.6.x.
#3 Updated by Dan Gillean almost 3 years ago
- Status changed from QA/Review to In progress
- Assignee set to Mike Cantelon
- Target version set to Release 2.5.2
Looks good in 2.6 - feel free to backport to stable/2.5.x!
#4 Updated by Mike Cantelon almost 3 years ago
- Status changed from In progress to QA/Review
- Assignee changed from Mike Cantelon to Dan Gillean
Backported to stable/2.5.x.
#5 Updated by Dan Gillean almost 3 years ago
- Status changed from QA/Review to Verified