Project

General

Profile

Actions

Patch #25653

closed

Fix NoMethodError on HEAD requests to AccountController#register

Added by Holger Just over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Category:
Accounts / authentication
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:

Description

The attached patch fixes a NoMethodError when attempting to run a HEAD request against AccountController#register.

The cause of the bug is that HEAD requests did not trigger the check for request.get?.


Files

Actions #1

Updated by Go MAEDA over 7 years ago

  • Target version set to 3.2.7

I cannot reproduce the problem but I think that merging this fix is very reasonable because lines after source:tags/3.3.3/app/controllers/account_controller.rb@16536#L130 should be executed only when request is POST.

$ curl -v --head http://localhost:3000/account/register
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 3000 (#0)
> HEAD /account/register HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
Actions #2

Updated by Holger Just over 7 years ago

Hmmm, we had indeed only seen the error on Redmine 3.3, more specifically in http://www.redmine.org/projects/redmine/repository/revisions/16536/entry/tags/3.3.3/app/controllers/account_controller.rb#L148.

In current trunk, this code is now a bit different so that the exception doesn't occur anymore. However, it would still be desirable to not perform the registration from a HEAD request, as Go Maeda wrote above.

Now that I had a look around, the same issue is present in AccountController#login. There, it's again not an exception on HEAD but Redmine still attempts a login from the supplied URL parameters which is not desirable.

Actions #3

Updated by Holger Just over 7 years ago

The attached patch also fixed the additional issue described in #25653#note-2

Actions #4

Updated by Jean-Philippe Lang over 7 years ago

  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang

Patches committed, thanks.

Actions #5

Updated by Jean-Philippe Lang over 7 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF