Patch #39894 (closed)

Explicitly render a 404 on non-JS requests to watchers#new

Added by Holger Just about 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Category: Code cleanup/refactoring
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Description

The "Add watcher" button in the sidebar of issues is a javascript-ified link. Sometimes, crawlers hit this raw link and request non-JS data.

This currently results in rendering the JS template. However, the response is eventually blocked by ActionController::RequestForgeryProtection#verify_same_origin_request, which runs as an after_action. This method then raises an ActionController::InvalidCrossOriginRequest error and refuses to send the rendered data to the client, to avoid sending an unauthorized cross-origin response.

This exception is then later handled by the ActionDispatch::ExceptionWrapper middleware, which in turn sends an empty 406 response.

The attached patch fixes this behavior by explicitly sending a 404 response when the (default) html format was requested for the watchers#new action. This hopefully keeps strange crawlers from further crawling this link...
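To make the failure path and the fix concrete, here is an added stand-alone Ruby model of that pipeline; it is not Redmine's code and not the attached patch. Request, dispatch and the watchers_new_* functions are constructed for this example; only the JavaScript-to-non-XHR check and the 406 mapping mirror what Rails actually does.

```ruby
# Stand-in for the Rails request object (constructed for this example): the
# negotiated format and whether the client sent an XMLHttpRequest header.
Request = Struct.new(:format, :xhr)

# Stand-in for ActionController::InvalidCrossOriginRequest.
class InvalidCrossOriginRequest < StandardError; end

# Mirrors ActionController::RequestForgeryProtection#verify_same_origin_request,
# the after_action named in the description: a JavaScript body may only go back
# to an XHR request, otherwise a cross-site <script src=...> tag could read it.
def verify_same_origin_request(request, response)
  if response[:content_type] =~ %r{\A(?:text|application)/javascript} && !request.xhr
    raise InvalidCrossOriginRequest
  end
  response
end

# Before the patch: watchers#new always renders its JS template, whatever the
# requested format. (Hypothetical body; the real template is not on the page.)
def watchers_new_before(_request)
  { status: 200, content_type: 'text/javascript', body: 'showModal(...)' }
end

# After the patch: an explicit 404 for the (default) html format, JS otherwise.
def watchers_new_after(request)
  return { status: 404, content_type: 'text/html', body: 'Not Found' } if request.format == :html

  { status: 200, content_type: 'text/javascript', body: 'showModal(...)' }
end

# Runs the action, then the after_action; like ActionDispatch::ExceptionWrapper,
# an InvalidCrossOriginRequest becomes an empty 406 Not Acceptable.
def dispatch(request, action)
  response = send(action, request)
  verify_same_origin_request(request, response)
rescue InvalidCrossOriginRequest
  { status: 406, content_type: nil, body: '' }
end

if __FILE__ == $PROGRAM_NAME
  crawler = Request.new(:html, false) # raw link hit: no XHR header, no JS
  browser = Request.new(:js, true)    # the sidebar button's Ajax request
  puts "before, crawler: #{dispatch(crawler, :watchers_new_before)[:status]}" # 406
  puts "after,  crawler: #{dispatch(crawler, :watchers_new_after)[:status]}"  # 404
  puts "after,  browser: #{dispatch(browser, :watchers_new_after)[:status]}"  # 200
end
```

The crawler's request still gets an error status either way; the point of the patch is that it is a deliberate, cacheable 404 from the action instead of a 406 produced by the CSRF after_action after the template has already been rendered.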

Related issues

  • Related to Redmine - Patch #39999: Explicitly render a 404 on non-JS requests to messages#quote (Closed, Marius BĂLTEANU)
  • Has duplicate Redmine - Defect #30489: Internal server error when click middle mouse button link add watcher (Closed, Marius BĂLTEANU)

#1

Updated by Marius BĂLTEANU about 1 year ago

  • Assignee set to Marius BĂLTEANU
  • Target version set to 5.0.8

Thanks Holger for reporting and fixing this issue. I think the same was reported in #30489.

I'm assigning this to 5.0.8.

#2

Updated by Marius BĂLTEANU about 1 year ago

  • Has duplicate Defect #30489: Internal server error when click middle mouse button link add watcher added

#3

Updated by Marius BĂLTEANU about 1 year ago

  • Category set to Code cleanup/refactoring
  • Status changed from New to Resolved

Committed with a test!

#4

Updated by Marius BĂLTEANU about 1 year ago

  • Status changed from Resolved to Closed

#5

Updated by Go MAEDA about 1 year ago

  • Related to Patch #39999: Explicitly render a 404 on non-JS requests to messages#quote added