Defect #23240

Each HTTP HEAD request renders views and tries to login?

Added by Tobias Fischer almost 6 years ago. Updated almost 6 years ago.

Status:Needs feedbackStart date:
Priority:HighDue date:
Assignee:-% Done:

0%

Category:Security
Target version:-
Resolution: Affected version:3.2.3

Description

A HTTP HEAD request is supposed to only return the HEADERS of a site to check for availablity or expiry dates and such.
I think it's not supposed to render views and load plugins in order to do so.
But with Redmine 3.2 it does!

This is from my redmine logfile where xxx.xxx.xxx.xxx is a GitLab server checking for ceonnection-availability:

Started HEAD "/projects/PROJECT-ID/" for xxx.xxx.xxx.xxx at 2016-07-05 10:24:49 +0200
Processing by ProjectsController#show as */*
  Parameters: {"id"=>"PROJECT-ID"}
  Current user: anonymous
Redirected to https://my-redmine-instance/login?back_url=https%3A%2F%2Fmy-redmine-instance%2Fprojects%2FPROJECT-ID
Filter chain halted as :check_if_login_required rendered or redirected
Completed 302 Found in 4ms (ActiveRecord: 0.5ms)
Started HEAD "login?back_url=https%3A%2F%2Fmy-redmine-instance%2Fprojects%2FPROJECT-ID" for xxx.xxx.xxx.xxx at 2016-07-05 10:24:49 +0200
Processing by AccountController#login as */*
  Parameters: {"back_url"=>"https://my-redmine-instance/projects/PROJECT-ID"}
  Current user: anonymous
Failed login for '' from xxx.xxx.xxx.xxx at 2016-07-05 08:24:49 UTC
Completed 200 OK in 356ms (Views: 323.6ms | ActiveRecord: 2.9ms)

It's not only loading views, but also the AccountController tries to perform a login?!
I'm not sure that is correct behaviour...

Cheers,
Tobias

History

#1 Updated by Jean-Philippe Lang almost 6 years ago

  • Status changed from New to Needs feedback

I think it's not supposed to render views and load plugins in order to do so.

The response to a HEAD request is supposed to be the same as the corresponding GET request but without including the response body. There is no expectation on how the server should behave internally to do so.

As far as I can see, this is what happens (even if the application renders the view, only the response headers are sent to the client). If the response to the GET request is a redirect to /login then the response the HEAD request should be the same.

Please, explain how you consider this as a security issue.

#2 Updated by Tobias Fischer almost 6 years ago

Hi Jean-Philippe,

thanks for your explanations.

Sure, the response contains only the HEADER information, but I wasn't sure about whether this was affecting security, whether the redirects and view rendering should happen or not. Still I feel a bit nervous about all the action taking place when sending a HEAD request, but I probably don't know enough Ruby on Rails to draw the perfect picture for me...
anyways, If you think this is the correct way I'm sorry for having bothered you.

Cheers,
Tobias

Also available in: Atom PDF