Defect #23240
Each HTTP HEAD request renders views and tries to login?
Status: Closed
Priority: Normal
Assignee: -
Category: Security
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Invalid
Affected version:
Description
An HTTP HEAD request is supposed to only return the HEADERS of a site to check for availability or expiry dates and such.
I think it's not supposed to render views and load plugins in order to do so.
But with Redmine 3.2 it does!
This is from my Redmine logfile, where xxx.xxx.xxx.xxx is a GitLab server checking for connection availability:
Started HEAD "/projects/PROJECT-ID/" for xxx.xxx.xxx.xxx at 2016-07-05 10:24:49 +0200
Processing by ProjectsController#show as */*
Parameters: {"id"=>"PROJECT-ID"}
Current user: anonymous
Redirected to https://my-redmine-instance/login?back_url=https%3A%2F%2Fmy-redmine-instance%2Fprojects%2FPROJECT-ID
Filter chain halted as :check_if_login_required rendered or redirected
Completed 302 Found in 4ms (ActiveRecord: 0.5ms)

Started HEAD "login?back_url=https%3A%2F%2Fmy-redmine-instance%2Fprojects%2FPROJECT-ID" for xxx.xxx.xxx.xxx at 2016-07-05 10:24:49 +0200
Processing by AccountController#login as */*
Parameters: {"back_url"=>"https://my-redmine-instance/projects/PROJECT-ID"}
Current user: anonymous
Failed login for '' from xxx.xxx.xxx.xxx at 2016-07-05 08:24:49 UTC
Completed 200 OK in 356ms (Views: 323.6ms | ActiveRecord: 2.9ms)
It's not only loading views, but also the AccountController tries to perform a login?!
I'm not sure that is correct behaviour...
Cheers,
Tobias
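
For log triage, the "Failed login for ''" entries that follow HEAD probes like the one in the report can be separated from failures that carry a username. The following is an added example, not part of the original report or of Redmine's code. It assumes the log line format quoted above, and the sample log, addresses and method names are constructed for illustration.

```ruby
# Constructed sample in the format of the log quoted in the report
# (addresses and host names are placeholders, not data from a real instance).
SAMPLE_LOG = <<~LOG
  Started HEAD "/login?back_url=https%3A%2F%2Fredmine.example%2Fprojects%2Fdemo" for 192.0.2.10 at 2016-07-05 10:24:49 +0200
  Processing by AccountController#login as */*
  Current user: anonymous
  Failed login for '' from 192.0.2.10 at 2016-07-05 08:24:49 UTC
  Completed 200 OK in 356ms (Views: 323.6ms | ActiveRecord: 2.9ms)
  Started POST "/login" for 198.51.100.7 at 2016-07-05 10:25:02 +0200
  Processing by AccountController#login as HTML
  Failed login for 'admin' from 198.51.100.7 at 2016-07-05 08:25:02 UTC
  Completed 200 OK in 41ms (Views: 30.1ms | ActiveRecord: 3.0ms)
LOG

STARTED = /^\s*Started (?<verb>[A-Z]+) "(?<path>[^"]*)" for (?<ip>\S+) at /
FAILED  = /^\s*Failed login for '(?<user>[^']*)' from (?<ip>\S+) at /

# Attribute each "Failed login" line to the most recent "Started" line from
# the same client IP (keyed by IP so interleaved requests from different
# clients do not get mixed up) and return one hash per failure.
def failed_logins(log)
  last_verb = {}
  log.each_line.filter_map do |line|
    if (m = STARTED.match(line))
      last_verb[m[:ip]] = m[:verb]
      next
    end
    next unless (m = FAILED.match(line))

    verb = last_verb[m[:ip]] || "UNKNOWN"
    { ip: m[:ip], user: m[:user], verb: verb,
      probe: verb == "HEAD" && m[:user].empty? }
  end
end

# Failures worth counting towards failed-login alerting: everything that is
# not an empty-username failure logged for a HEAD request.
def credential_failures(log)
  failed_logins(log).reject { |f| f[:probe] }
end
```

Requires Ruby 2.7 or later for `filter_map`.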