Defect #5460
closed
HTTP 403 seen for some updates based on description contents containing https://
Description
I have an issue with the detail as follows:
Tied to https://answers.launchpad.net/sparkle/+question/107876
… on subsequent update / journal add I get the following error:
Processing ApplicationController#index (for 174.115.64.120 at 2010-05-06 13:07:21) [GET]
  Parameters: {"commit"=>"Submit", "notes"=>"simple update", "authenticity_token"=>"DZFgt6vQgKDp9WtCM0GXZcDqy+Rd8LJ+QYPmv1XnQxk=", "issue"=>{"start_date"=>"2010-05-05", "estimated_hours"=>"", "priority_id"=>"5", "lock_version"=>"2", "fixed_version_id"=>"", "done_ratio"=>"0", "assigned_to_id"=>"", "subject"=>"Sparkle should work for app as well as SysPrefPane", "tracker_id"=>"1", "due_date"=>"", "status_id"=>"1", "description"=>"Tied to https://answers.launchpad.net/sparkle/+question/107876"}, "attachments"=>{"1"=>{"description"=>""}}}
ActionController::RoutingError (No route matches "/403.shtml" with {:method=>:get}):
Rendering /home/carpenet/rails_apps/redmine/public/404.html (404 Not Found)
… whereas if I change the exact same ticket's description to:
Tied to answers.launchpad.net/sparkle/+question/107876
… the update works fine:
Processing IssuesController#edit (for 174.115.64.120 at 2010-05-06 13:12:51) [POST]
  Parameters: {"commit"=>"Submit", "notes"=>"simple update", "action"=>"edit", "authenticity_token"=>"DZFgt6vQgKDp9WtCM0GXZcDqy+Rd8LJ+QYPmv1XnQxk=", "id"=>"2", "issue"=>{"start_date"=>"2010-05-05", "estimated_hours"=>"", "priority_id"=>"5", "lock_version"=>"3", "fixed_version_id"=>"", "done_ratio"=>"0", "assigned_to_id"=>"", "subject"=>"Sparkle should work for app as well as SysPrefPane", "tracker_id"=>"1", "due_date"=>"", "status_id"=>"1", "description"=>"Tied to answers.launchpad.net/sparkle/+question/107876"}, "controller"=>"issues", "attachments"=>{"1"=>{"description"=>""}}}
Redirected to http://tickets.atomiccocoa.com/issues/2
Completed in 127ms (DB: 24) | 302 Found [http://tickets.atomiccocoa.com/issues/2/edit]
… note that setting log levels to debug provides absolutely no further information in the failed case (in the successful case the logging is fantastic). So I'm guessing that the 403 is thrown almost instantaneously.
Seems to be very reproducible. Running 0.9.4.
About your application's environment
Ruby version              1.8.7 (i686-linux)
RubyGems version          1.3.5
Rack version              1.0
Rails version             2.3.5
Active Record version     2.3.5
Active Resource version   2.3.5
Action Mailer version     2.3.5
Active Support version    2.3.5
Edge Rails revision       unknown
Application root          /home/carpenet/rails_apps/redmine
Environment               production
Database adapter          mysql
Database schema version   20100221100219
Updated by Dave Carpeneto over 14 years ago
Just noticed the following differences in the parameters passed - it's not just the 'https://' bit in description, although that's all that's different WRT the input parameters:
BAD CASE
Parameters: {
  "commit"=>"Submit",
  "notes"=>"simple update",
  "authenticity_token"=>"DZFgt6vQgKDp9WtCM0GXZcDqy+Rd8LJ+QYPmv1XnQxk=",
  "issue"=>{
    "start_date"=>"2010-05-05",
    "estimated_hours"=>"",
    "priority_id"=>"5",
    "lock_version"=>"2",
    "fixed_version_id"=>"",
    "done_ratio"=>"0",
    "assigned_to_id"=>"",
    "subject"=>"Sparkle should work for app as well as SysPrefPane",
    "tracker_id"=>"1",
    "due_date"=>"",
    "status_id"=>"1",
    "description"=>"Tied to https://answers.launchpad.net/sparkle/+question/107876"
  },
  "attachments"=>{
    "1"=>{
      "description"=>""
    }
  }
}
GOOD CASE
Parameters: {
  "commit"=>"Submit",
  "notes"=>"simple update",
  "action"=>"edit",
  "authenticity_token"=>"DZFgt6vQgKDp9WtCM0GXZcDqy+Rd8LJ+QYPmv1XnQxk=",
  "id"=>"2",
  "issue"=>{
    "start_date"=>"2010-05-05",
    "estimated_hours"=>"",
    "priority_id"=>"5",
    "lock_version"=>"3",
    "fixed_version_id"=>"",
    "done_ratio"=>"0",
    "assigned_to_id"=>"",
    "subject"=>"Sparkle should work for app as well as SysPrefPane",
    "tracker_id"=>"1",
    "due_date"=>"",
    "status_id"=>"1",
    "description"=>"Tied to answers.launchpad.net/sparkle/+question/107876"
  },
  "controller"=>"issues",
  "attachments"=>{
    "1"=>{
      "description"=>""
    }
  }
}
... so in addition to the different issue.description the bad case is missing the following attributes completely:
- id
- action
- controller
... so the POST data is missing stuff. Is this maybe a JavaScript issue? I've tried this in Safari & Firefox - both exhibit the problem.
Updated by Go MAEDA almost 8 years ago
- Status changed from New to Closed
- Resolution set to Invalid
The HTTP request was probably blocked by mod_security or something. Redmine does not have code to redirect to /403.shtml.
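Added example (not part of the ticket or of Redmine's code): a log triage script that finds the signature discussed above, a request that reaches Rails only as an unroutable error-document path such as /403.shtml, and reports which parameter values carried a URL scheme. The sample log is constructed by abridging the two entries quoted in this ticket; the function names and the assumption that the error document is named like NNN.shtml are illustrative.

```ruby
# Triage a Rails 2.3-style production log for requests that something in
# front of the app answered with an error document the app cannot route.
# SAMPLE_LOG is constructed (abridged) from the two entries in this ticket.
SAMPLE_LOG = <<~'LOG'
  Processing ApplicationController#index (for 174.115.64.120 at 2010-05-06 13:07:21) [GET]
    Parameters: {"notes"=>"simple update", "issue"=>{"lock_version"=>"2", "description"=>"Tied to https://answers.launchpad.net/sparkle/+question/107876"}}
  ActionController::RoutingError (No route matches "/403.shtml" with {:method=>:get}):
  Rendering /home/carpenet/rails_apps/redmine/public/404.html (404 Not Found)
  Processing IssuesController#edit (for 174.115.64.120 at 2010-05-06 13:12:51) [POST]
    Parameters: {"notes"=>"simple update", "action"=>"edit", "id"=>"2", "issue"=>{"lock_version"=>"3", "description"=>"Tied to answers.launchpad.net/sparkle/+question/107876"}, "controller"=>"issues"}
  Redirected to http://tickets.atomiccocoa.com/issues/2
  Completed in 127ms (DB: 24) | 302 Found [http://tickets.atomiccocoa.com/issues/2/edit]
LOG

HEADER     = /\AProcessing (\S+) \(for (\S+) at ([\d\- :]+)\) \[(\w+)\]/
# Assumption: the front end's error documents are named like /403.shtml.
ROUTE_MISS = /RoutingError \(No route matches "(\/\d{3}\.shtml)"/
# A parameter whose string value contains an http:// or https:// scheme.
URL_VALUE  = /"(\w+)"=>"[^"]*https?:\/\//

Entry = Struct.new(:target, :ip, :time, :verb, :lines)

# Group log lines into one Entry per "Processing ..." header.
def split_entries(log)
  chunks = log.each_line.map(&:chomp).slice_before { |l| l =~ HEADER }
  chunks.map do |chunk|
    m = HEADER.match(chunk.first) or next  # skip text before the first header
    Entry.new(m[1], m[2], m[3], m[4], chunk)
  end.compact
end

# Entries where Rails was handed an error-document path instead of the
# original request. No route matched, so controller/action/id are absent.
def blocked_upstream(log)
  split_entries(log).map do |e|
    doc = e.lines.map { |l| l[ROUTE_MISS, 1] }.compact.first or next
    params = e.lines.find { |l| l.strip.start_with?("Parameters:") }.to_s
    { ip: e.ip, time: e.time, error_doc: doc,
      routed: params.include?('"controller"=>'),
      url_fields: params.scan(URL_VALUE).flatten.uniq }
  end.compact
end

blocked_upstream(SAMPLE_LOG).each do |hit|
  puts "#{hit[:time]} #{hit[:ip]} -> #{hit[:error_doc]} " \
       "(URL in: #{hit[:url_fields].join(', ')})"
end
```

A hit whose url_fields list is non-empty is a candidate for a request-body filter rule in front of the application; the rule that fired has to be confirmed in that filter's own audit log, since the Rails log never sees the 403 itself.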