Defect #23240
closedEach HTTP HEAD request renders views and tries to login?
0%
Description
A HTTP HEAD request is supposed to only return the HEADERS of a site to check for availablity or expiry dates and such.
I think it's not supposed to render views and load plugins in order to do so.
But with Redmine 3.2 it does!
This is from my redmine logfile where xxx.xxx.xxx.xxx is a GitLab server checking for ceonnection-availability:
Started HEAD "/projects/PROJECT-ID/" for xxx.xxx.xxx.xxx at 2016-07-05 10:24:49 +0200 Processing by ProjectsController#show as */* Parameters: {"id"=>"PROJECT-ID"} Current user: anonymous Redirected to https://my-redmine-instance/login?back_url=https%3A%2F%2Fmy-redmine-instance%2Fprojects%2FPROJECT-ID Filter chain halted as :check_if_login_required rendered or redirected Completed 302 Found in 4ms (ActiveRecord: 0.5ms) Started HEAD "login?back_url=https%3A%2F%2Fmy-redmine-instance%2Fprojects%2FPROJECT-ID" for xxx.xxx.xxx.xxx at 2016-07-05 10:24:49 +0200 Processing by AccountController#login as */* Parameters: {"back_url"=>"https://my-redmine-instance/projects/PROJECT-ID"} Current user: anonymous Failed login for '' from xxx.xxx.xxx.xxx at 2016-07-05 08:24:49 UTC Completed 200 OK in 356ms (Views: 323.6ms | ActiveRecord: 2.9ms)
It's not only loading views, but also the AccountController tries to perform a login?!
I'm not sure that is correct behaviour...
Cheers,
Tobias
Updated by Jean-Philippe Lang over 8 years ago
- Status changed from New to Needs feedback
I think it's not supposed to render views and load plugins in order to do so.
The response to a HEAD request is supposed to be the same as the corresponding GET request but without including the response body. There is no expectation on how the server should behave internally to do so.
As far as I can see, this is what happens (even if the application renders the view, only the response headers are sent to the client). If the response to the GET request is a redirect to /login then the response the HEAD request should be the same.
Please, explain how you consider this as a security issue.
Updated by Tobias Fischer over 8 years ago
Hi Jean-Philippe,
thanks for your explanations.
Sure, the response contains only the HEADER information, but I wasn't sure about whether this was affecting security, whether the redirects and view rendering should happen or not. Still I feel a bit nervous about all the action taking place when sending a HEAD request, but I probably don't know enough Ruby on Rails to draw the perfect picture for me...
anyways, If you think this is the correct way I'm sorry for having bothered you.
Cheers,
Tobias
Updated by Go MAEDA over 2 years ago
- Status changed from Needs feedback to Closed
- Priority changed from High to Normal
- Resolution set to Invalid