Patch #25653
Fix NoMethodError on HEAD requests to AccountController#register
Status: closed
Description
The attached patch fixes a NoMethodError when attempting to run a HEAD request against AccountController#register.
The cause of the bug is that HEAD requests did not trigger the check for request.get?.
Updated by Go MAEDA over 7 years ago
- Target version set to 3.2.7
I cannot reproduce the problem, but I think that merging this fix is very reasonable because lines after source:tags/3.3.3/app/controllers/account_controller.rb@16536#L130 should be executed only when the request is POST.
$ curl -v --head http://localhost:3000/account/register
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 3000 (#0)
> HEAD /account/register HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
Updated by Holger Just over 7 years ago
Hmmm, we had indeed only seen the error on Redmine 3.3, more specifically in http://www.redmine.org/projects/redmine/repository/revisions/16536/entry/tags/3.3.3/app/controllers/account_controller.rb#L148.
In current trunk, this code is now a bit different so that the exception doesn't occur anymore. However, it would still be desirable to not perform the registration from a HEAD request, as Go Maeda wrote above.
Now that I had a look around, the same issue is present in AccountController#login. There, it's again not an exception on HEAD but Redmine still attempts a login from the supplied URL parameters which is not desirable.
Updated by Holger Just over 7 years ago
- File 0002-Only-perform-login-action-on-explicit-POST.patch added
The attached patch also fixed the additional issue described in #25653#note-2
Updated by Jean-Philippe Lang over 7 years ago
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
Patches committed, thanks.
Updated by Jean-Philippe Lang over 7 years ago
- Status changed from Resolved to Closed
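The guard problem discussed in this thread, as an added example that is not Redmine's code or part of the attached patches: a small model comparing a "not GET" guard with an explicit POST guard across GET, HEAD and POST. `FakeRequest`, `AccountActionModel`, `login_loose`, `login_strict` and `run_matrix` are hypothetical names, and the request stub assumes Rails 4+ semantics, where `get?` is false for HEAD.

```ruby
# Stand-in for the framework request object (hypothetical). Assumes Rails 4+
# behaviour: get? is true only for GET, so a HEAD request is "not GET".
FakeRequest = Struct.new(:request_method, :params) do
  def get?;  request_method == "GET";  end
  def head?; request_method == "HEAD"; end
  def post?; request_method == "POST"; end
end

# Hypothetical action model; it only mirrors the control flow under discussion.
class AccountActionModel
  attr_reader :attempts

  def initialize
    @attempts = [] # one entry each time the state-changing branch runs
  end

  # Loose guard: every verb that is not GET falls through to the submit path.
  def login_loose(request)
    return :render_form if request.get?
    authenticate(request)
  end

  # Strict guard: only an explicit POST reaches the submit path.
  def login_strict(request)
    return authenticate(request) if request.post?
    :render_form
  end

  private

  def authenticate(request)
    # A HEAD request carries no form body, so params here come from the URL.
    @attempts << [request.request_method, request.params.keys.sort]
    :login_attempted
  end
end

# Runs constructed sample requests (same URL parameters, different verbs)
# through one guard and returns [outcome per verb, verbs that hit authenticate].
def run_matrix(guard)
  model = AccountActionModel.new
  outcomes = %w[GET HEAD POST].to_h do |verb|
    params = { "username" => "alice", "password" => "constructed-value" }
    [verb, model.public_send(guard, FakeRequest.new(verb, params))]
  end
  [outcomes, model.attempts.map(&:first)]
end
```

The same verb matrix works as a regression check in a controller test suite: assert that HEAD against a form action renders or returns headers only and never reaches the submit path.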