Defect #23240

Each HTTP HEAD request renders views and tries to login?

Added by Tobias Fischer over 8 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Security
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Invalid
Affected version:

Description

An HTTP HEAD request is supposed to only return the HEADERS of a site to check for availability or expiry dates and such.
I think it's not supposed to render views and load plugins in order to do so.
But with Redmine 3.2 it does!

This is from my Redmine logfile, where xxx.xxx.xxx.xxx is a GitLab server checking for connection availability:

Started HEAD "/projects/PROJECT-ID/" for xxx.xxx.xxx.xxx at 2016-07-05 10:24:49 +0200
Processing by ProjectsController#show as */*
  Parameters: {"id"=>"PROJECT-ID"}
  Current user: anonymous
Redirected to https://my-redmine-instance/login?back_url=https%3A%2F%2Fmy-redmine-instance%2Fprojects%2FPROJECT-ID
Filter chain halted as :check_if_login_required rendered or redirected
Completed 302 Found in 4ms (ActiveRecord: 0.5ms)
Started HEAD "login?back_url=https%3A%2F%2Fmy-redmine-instance%2Fprojects%2FPROJECT-ID" for xxx.xxx.xxx.xxx at 2016-07-05 10:24:49 +0200
Processing by AccountController#login as */*
  Parameters: {"back_url"=>"https://my-redmine-instance/projects/PROJECT-ID"}
  Current user: anonymous
Failed login for '' from xxx.xxx.xxx.xxx at 2016-07-05 08:24:49 UTC
Completed 200 OK in 356ms (Views: 323.6ms | ActiveRecord: 2.9ms)

It's not only loading views, but also the AccountController tries to perform a login?!
I'm not sure that is correct behaviour...

Cheers,
Tobias
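For anyone triaging a Redmine log that contains this pattern, the following is an added example (not Redmine's own code): it groups Rails request log lines into requests and separates the HEAD-triggered "Failed login for ''" entries from failed logins that actually carried a username. The sample log is constructed from the lines quoted above, with documentation IP addresses substituted; the rule "HEAD request plus empty username means availability probe" is an assumption based on this report.

```ruby
# Constructed sample log, modelled on the lines quoted in the report.
SAMPLE_LOG = <<~LOG
  Started HEAD "/projects/PROJECT-ID/" for 203.0.113.10 at 2016-07-05 10:24:49 +0200
  Processing by ProjectsController#show as */*
  Completed 302 Found in 4ms (ActiveRecord: 0.5ms)
  Started HEAD "/login?back_url=https%3A%2F%2Fmy-redmine-instance%2Fprojects%2FPROJECT-ID" for 203.0.113.10 at 2016-07-05 10:24:49 +0200
  Processing by AccountController#login as */*
  Failed login for '' from 203.0.113.10 at 2016-07-05 08:24:49 UTC
  Completed 200 OK in 356ms (Views: 323.6ms | ActiveRecord: 2.9ms)
  Started POST "/login" for 198.51.100.7 at 2016-07-05 10:30:00 +0200
  Processing by AccountController#login as HTML
  Failed login for 'admin' from 198.51.100.7 at 2016-07-05 08:30:00 UTC
  Completed 200 OK in 300ms (Views: 280.0ms | ActiveRecord: 2.0ms)
LOG

STARTED = /\AStarted (\S+) "([^"]*)" for (\S+) at /
FAILED  = /\AFailed login for '([^']*)' from (\S+)/

# Split a Rails log into one hash per request ("Started ..." opens a request;
# a "Failed login" line belongs to the most recently started request).
def parse_requests(log)
  requests = []
  log.each_line(chomp: true) do |raw|
    line = raw.strip
    if (m = STARTED.match(line))
      requests << { method: m[1], path: m[2], ip: m[3], failed_login: nil }
    elsif (m = FAILED.match(line)) && requests.last
      requests.last[:failed_login] = m[1] # username attempted; '' means none
    end
  end
  requests
end

# Classify each failed login. A HEAD request that carried no username at all
# is the availability-probe noise described in the report, not a credential
# guess, so it should not feed a brute-force counter (assumed heuristic).
def classify_failed_logins(requests)
  requests.select { |r| r[:failed_login] }.map do |r|
    kind = r[:method] == "HEAD" && r[:failed_login].empty? ? :head_probe : :credential_failure
    r.merge(kind: kind)
  end
end

if __FILE__ == $PROGRAM_NAME
  classify_failed_logins(parse_requests(SAMPLE_LOG)).each do |r|
    puts "#{r[:kind]}: #{r[:method]} #{r[:path]} from #{r[:ip]} user=#{r[:failed_login].inspect}"
  end
end
```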
