Defect #40121

open

InvalidCrossOriginRequest exception raised by automated pentests or malicious user

Added by Liane Hampe 10 months ago. Updated 10 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

Problem

When an automated pentest or a malicious user requests, for example:

https://<your-domain>.tld/projects/autocomplete.js

the following exception will be raised:

An ActionController::InvalidCrossOriginRequest occurred in projects#autocomplete:

  Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.

Note: Any other URL containing *.js will raise this exception.

All currently supported versions of Redmine are affected.

Solution

The solution is to rescue from ActionController::InvalidCrossOriginRequest.

The attached patch file fix_invalid_cross_origin_request_exception.patch gives an example of how to do that. A test is also included.
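The check behind that exception, and the kind of rescue the issue proposes, as an added example that is neither Redmine's code nor the attached patch. It is plain Ruby with no Rails dependency: Request, Response, Dispatcher and the ROUTES table are constructed for this example, and verify_same_origin_request! is modelled on the condition Rails' RequestForgeryProtection applies in its after_action (a GET that returns JavaScript and did not arrive via XMLHttpRequest is rejected). The exception class is given the same name as the Rails one so the handler reads like a real rescue_from.

```ruby
# Added example (not Redmine's code or the attached patch): a stand-alone model
# of the cross-origin JavaScript check and of a rescue_from-style handler.
# Request, Response, Dispatcher and ROUTES are constructed for this example.

module ActionController
  # Same name as the Rails exception so the handler reads like the real one.
  class InvalidCrossOriginRequest < StandardError; end
end

# Only the request attributes the check looks at: verb, path and the XHR marker.
Request = Struct.new(:verb, :path, :headers, keyword_init: true) do
  def get?
    verb == "GET"
  end

  def xhr?
    headers.fetch("X-Requested-With", "").casecmp?("XMLHttpRequest")
  end

  def format
    File.extname(path).delete_prefix(".")
  end

  def action
    path.delete_prefix("/").delete_suffix(File.extname(path))
  end
end

Response = Struct.new(:status, :content_type, :body, keyword_init: true)

class Dispatcher
  CROSS_ORIGIN_WARNING = "Security warning: an embedded <script> tag on another site " \
                         "requested protected JavaScript."
  JS_TYPES = %r{\A(?:text|application)/javascript}

  # Constructed route table: action => { format => content type }.
  ROUTES = {
    "projects/autocomplete" => { "js" => "text/javascript", "json" => "application/json" },
  }.freeze

  # rescue_cross_origin: false reproduces the unpatched behaviour (exception escapes).
  def initialize(rescue_cross_origin: true)
    @rescue_cross_origin = rescue_cross_origin
  end

  def call(req)
    resp = render(req)
    verify_same_origin_request!(req, resp) # Rails runs this as an after_action
    resp
  rescue ActionController::InvalidCrossOriginRequest
    raise unless @rescue_cross_origin
    # rescue_from equivalent: deny quietly with a 422 instead of surfacing an
    # exception to the notifier. Forgery protection itself stays enabled.
    Response.new(status: 422, content_type: "text/plain", body: "Invalid cross-origin request")
  end

  private

  def render(req)
    type = ROUTES.dig(req.action, req.format)
    return Response.new(status: 404, content_type: "text/plain", body: "Not Found") unless type
    Response.new(status: 200, content_type: type, body: "/* rendered #{req.format} */")
  end

  # Modelled on Rails' verify_same_origin_request: a non-XHR GET whose response
  # is JavaScript is rejected, because a <script src="..."> on another origin
  # could otherwise load and read it.
  def verify_same_origin_request!(req, resp)
    return unless req.get? && !req.xhr? && JS_TYPES.match?(resp.content_type)
    raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_WARNING
  end
end

# Constructed requests covering the cases a scanner exercises on the patched dispatcher.
def sample_statuses(dispatcher = Dispatcher.new)
  {
    plain_js: dispatcher.call(Request.new(verb: "GET", path: "/projects/autocomplete.js", headers: {})).status,
    xhr_js:   dispatcher.call(Request.new(verb: "GET", path: "/projects/autocomplete.js",
                                          headers: { "X-Requested-With" => "XMLHttpRequest" })).status,
    json:     dispatcher.call(Request.new(verb: "GET", path: "/projects/autocomplete.json", headers: {})).status,
  }
end

# True when the unpatched dispatcher lets the exception escape to the caller.
def unpatched_raises?
  Dispatcher.new(rescue_cross_origin: false)
            .call(Request.new(verb: "GET", path: "/projects/autocomplete.js", headers: {}))
  false
rescue ActionController::InvalidCrossOriginRequest
  true
end

puts sample_statuses.inspect if $PROGRAM_NAME == __FILE__
```

Two things worth keeping in mind when applying the same idea to a real controller. First, the rescue should deny the response (here a 422 with a neutral body), not skip forgery protection for the action as the warning text offers as an alternative; skipping it would let another origin embed the JavaScript. Second, Rails' default exception handling already maps this exception to a 422 in production, so a rescue_from mostly changes what gets logged and reported by exception notifiers rather than the status code the scanner sees.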

