Defect #37030
Requests fail with "Can't verify CSRF token authenticity" in mail handler
Status: Closed
Description
Environment:
  Redmine version                5.0.0.stable.21535
  Ruby version                   2.5.5-p157 (2019-03-15) [x86_64-linux-gnu]
  Rails version                  6.1.5
  Environment                    production
  Database adapter               Mysql2
  Mailer queue                   ActiveJob::QueueAdapters::AsyncAdapter
  Mailer delivery                sendmail
Redmine settings:
  Redmine theme                  Default
SCM:
  Subversion                     1.10.4
  Git                            2.33.1
  Filesystem
Redmine plugins:
  redmine_agile                  1.6.4
  redmine_checklists             3.1.21
  redmine_theme_changer          0.5.0
After updating our Redmine to 5.0.0, incoming mails do not work: rdm-mailhandler.rb requests appear in production.log with the error
I, [2022-04-25T14:58:39.595827 #24841] INFO -- : [apache-342-1650891519593965] Started POST "/mail_handler" for 2a01:4f8:1c1c:f222::1 at 2022-04-25 14:58:39 +0200
I, [2022-04-25T14:58:39.596608 #24841] INFO -- : [apache-342-1650891519593965] Processing by MailHandlerController#index as HTML
I, [2022-04-25T14:58:39.596815 #24841] INFO -- : [apache-342-1650891519593965] Parameters: {"key"=>"<removed for security reasons>", "email"=>"<removed for privacy reasons>", "allow_override"=>"project,tracker,category,assigned_to,priority,start_date,due_date", "unknown_user"=>nil, "default_group"=>nil, "no_account_notice"=>nil, "no_notification"=>nil, "no_permission_check"=>nil, "project_from_subaddress"=>nil, "issue"=>{"tracker"=>"Inbox"}}
W, [2022-04-25T14:58:39.596952 #24841] WARN -- : [apache-342-1650891519593965] Can't verify CSRF token authenticity.
I, [2022-04-25T14:58:39.597158 #24841] INFO -- : [apache-342-1650891519593965] Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 0.0ms | Allocations: 118)
F, [2022-04-25T14:58:39.598093 #24841] FATAL -- : [apache-342-1650891519593965]
[apache-342-1650891519593965] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
[apache-342-1650891519593965]
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_controller/metal/request_forgery_protection.rb:211:in `handle_unverified_request'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_controller/metal/request_forgery_protection.rb:243:in `handle_unverified_request'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_controller/metal/request_forgery_protection.rb:238:in `verify_authenticity_token'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/callbacks.rb:427:in `block in make_lambda'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/callbacks.rb:198:in `block (2 levels) in halting'
[apache-342-1650891519593965] actionpack (6.1.5) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/callbacks.rb:199:in `block in halting'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/callbacks.rb:512:in `block in invoke_before'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/callbacks.rb:512:in `each'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/callbacks.rb:512:in `invoke_before'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/callbacks.rb:105:in `run_callbacks'
[apache-342-1650891519593965] actionpack (6.1.5) lib/abstract_controller/callbacks.rb:41:in `process_action'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_controller/metal/rescue.rb:22:in `process_action'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/notifications.rb:203:in `block in instrument'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/notifications/instrumenter.rb:24:in `instrument'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/notifications.rb:203:in `instrument'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_controller/metal/instrumentation.rb:33:in `process_action'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_controller/metal/params_wrapper.rb:249:in `process_action'
[apache-342-1650891519593965] activerecord (6.1.5) lib/active_record/railties/controller_runtime.rb:27:in `process_action'
[apache-342-1650891519593965] actionpack (6.1.5) lib/abstract_controller/base.rb:165:in `process'
[apache-342-1650891519593965] actionview (6.1.5) lib/action_view/rendering.rb:39:in `process'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_controller/metal.rb:190:in `dispatch'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_controller/metal.rb:254:in `dispatch'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/routing/route_set.rb:50:in `dispatch'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/routing/route_set.rb:33:in `serve'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/journey/router.rb:50:in `block in serve'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/journey/router.rb:32:in `each'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/journey/router.rb:32:in `serve'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/routing/route_set.rb:842:in `call'
[apache-342-1650891519593965] rack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'
[apache-342-1650891519593965] rack (2.2.3) lib/rack/etag.rb:27:in `call'
[apache-342-1650891519593965] rack (2.2.3) lib/rack/conditional_get.rb:40:in `call'
[apache-342-1650891519593965] rack (2.2.3) lib/rack/head.rb:12:in `call'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/http/permissions_policy.rb:22:in `call'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/http/content_security_policy.rb:19:in `call'
[apache-342-1650891519593965] rack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context'
[apache-342-1650891519593965] rack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/middleware/cookies.rb:689:in `call'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/callbacks.rb:98:in `run_callbacks'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
[apache-342-1650891519593965] railties (6.1.5) lib/rails/rack/logger.rb:37:in `call_app'
[apache-342-1650891519593965] railties (6.1.5) lib/rails/rack/logger.rb:26:in `block in call'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/tagged_logging.rb:99:in `block in tagged'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/tagged_logging.rb:37:in `tagged'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/tagged_logging.rb:99:in `tagged'
[apache-342-1650891519593965] railties (6.1.5) lib/rails/rack/logger.rb:26:in `call'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
[apache-342-1650891519593965] request_store (1.5.1) lib/request_store/middleware.rb:19:in `call'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/middleware/request_id.rb:26:in `call'
[apache-342-1650891519593965] rack (2.2.3) lib/rack/method_override.rb:24:in `call'
[apache-342-1650891519593965] rack (2.2.3) lib/rack/runtime.rb:22:in `call'
[apache-342-1650891519593965] activesupport (6.1.5) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/middleware/executor.rb:14:in `call'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/middleware/static.rb:24:in `call'
[apache-342-1650891519593965] rack (2.2.3) lib/rack/sendfile.rb:110:in `call'
[apache-342-1650891519593965] rack (2.2.3) lib/rack/content_length.rb:17:in `call'
[apache-342-1650891519593965] actionpack (6.1.5) lib/action_dispatch/middleware/host_authorization.rb:142:in `call'
[apache-342-1650891519593965] railties (6.1.5) lib/rails/engine.rb:539:in `call'
[apache-342-1650891519593965] /usr/lib/ruby/vendor_ruby/phusion_passenger/rack/thread_handler_extension.rb:107:in `process_request'
[apache-342-1650891519593965] /usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:157:in `accept_and_process_next_request'
[apache-342-1650891519593965] /usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:110:in `main_loop'
[apache-342-1650891519593965] /usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler.rb:419:in `block (3 levels) in start_threads'
[apache-342-1650891519593965] /usr/lib/ruby/vendor_ruby/phusion_passenger/utils.rb:113:in `block in create_thread_and_abort_on_exception'
Since https://www.redmine.org/projects/redmine/wiki/redminereceivingemails does not mention anything about this, and neither does the script, I assume the script was not updated when this requirement was added?
Updated by Matthias Hörmann over 2 years ago
In addition to this, rdm-mailhandler.rb also does not seem to fail with a proper exit code in this situation.
Updated by Matthias Hörmann over 2 years ago
It actually fails with exit code 77; there must be another reason, then, why it wasn't logged in my sieve.log, unlike past errors.
Updated by Matthias Hörmann over 2 years ago
As a temporary fix I added

  def verify_authenticity_token
  end

  def handle_unverified_request
  end

to MailHandlerController (in app/controllers/mail_handler_controller.rb).
This seems to work but I am not sure about the exact implications (I know neither Ruby nor Rails nor the Redmine codebase nor whether CSRF is actually needed in this context).
Updated by Go MAEDA over 2 years ago
- File 37030.patch added
I think the attached patch fixes the issue.
Updated by Marius BĂLTEANU over 2 years ago
- Status changed from New to Resolved
- Resolution set to Fixed
Fix committed, thanks!
Updated by Go MAEDA over 2 years ago
- Related to Patch #36317: Set default protect from forgery true added
Updated by Marius BĂLTEANU over 2 years ago
- Subject changed from rdm-mailhandler.rb Requests fail with "Can't verify CSRF token authenticity" to Requests fail with "Can't verify CSRF token authenticity" in mail handler
- Status changed from Resolved to Closed
Updated by Aleksandar Pavic about 2 years ago
The same problem exists with issue_relations_controller.rb. I have fixed it by adding

  skip_before_action :verify_authenticity_token

However, my Redmine was 4.1.0.
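The temporary fix in the earlier comment (empty verify_authenticity_token / handle_unverified_request methods) and the skip_before_action in the comment above disable the same check. Why that is sound for the mail handler, and not for a controller that browser sessions reach, is easiest to see in code. The following is an added example, not Redmine's or Rails' code: a small Ruby model of the before_action chain with a CSRF check that mirrors the Rails 6.1 default (protect_from_forgery on every controller) and a mail-handler controller that skips it while keeping its API-key check. MiniController, IssuesController, check_enabled and the API_KEY constant are constructed stand-ins; in Redmine the real key is the one configured under Incoming emails (Setting.mail_handler_api_key) and rdm-mailhandler.rb sends it as the key parameter seen in the log above.

```ruby
require 'securerandom'

# Constructed model (not Redmine/Rails code) of the two before-action checks that
# decide whether a POST to /mail_handler is served: the CSRF check Rails 6.1 runs
# by default, and the API-key check the mail handler does itself.
Request = Struct.new(:verb, :params, :session, :headers, keyword_init: true)

# Constant-time comparison so the token and key checks do not leak by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class MiniController
  # Each subclass gets its own copy of the inherited callback list.
  def self.before_actions
    @before_actions ||= (superclass.respond_to?(:before_actions) ? superclass.before_actions.dup : [])
  end

  def self.before_action(name)
    before_actions << name
  end

  def self.skip_before_action(name)
    before_actions.delete(name)
  end

  def initialize(request)
    @request = request
  end

  # Run the callbacks in order; the first one that returns a response halts the chain.
  def dispatch
    self.class.before_actions.each do |name|
      response = send(name)
      return response if response
    end
    [200, 'ok']
  end
end

class ApplicationController < MiniController
  # Rails 6.1 default: protect_from_forgery with: :exception on every controller.
  before_action :verify_authenticity_token

  def verify_authenticity_token
    return nil if %w[GET HEAD OPTIONS].include?(@request.verb)
    expected = @request.session[:_csrf_token]
    sent = @request.params['authenticity_token'] || @request.headers['X-CSRF-Token']
    return nil if expected && sent && secure_compare(expected, sent)
    # What production.log shows for the mail handler: the warning, then a 422.
    [422, "Can't verify CSRF token authenticity."]
  end
end

# Ordinary browser-facing controller: CSRF protection stays on.
class IssuesController < ApplicationController
end

class MailHandlerController < ApplicationController
  API_KEY = 'constructed-mail-handler-key' # stand-in for the configured incoming-mail key

  # rdm-mailhandler.rb has no browser session, so it can never carry a CSRF token.
  # CSRF protection guards cookie (ambient) credentials; this endpoint is instead
  # authenticated by an explicit secret in the request body, so the CSRF check is
  # skipped and the key check stays mandatory.
  skip_before_action :verify_authenticity_token
  before_action :check_enabled

  def check_enabled
    return nil if secure_compare(API_KEY, @request.params['key'].to_s)
    [403, 'Forbidden']
  end
end

# Request as rdm-mailhandler.rb sends it: POST with key and raw email, no cookies.
def mail_handler_request(key)
  Request.new(verb: 'POST', params: { 'key' => key, 'email' => 'constructed raw message' },
              session: {}, headers: {})
end

# Request as a browser form sends it: session cookie plus (maybe) the form token.
def browser_request(with_token:)
  token = SecureRandom.base64(32)
  params = with_token ? { 'authenticity_token' => token } : {}
  Request.new(verb: 'POST', params: params, session: { _csrf_token: token }, headers: {})
end

if __FILE__ == $PROGRAM_NAME
  p MailHandlerController.new(mail_handler_request(MailHandlerController::API_KEY)).dispatch # => [200, "ok"]
  p MailHandlerController.new(mail_handler_request('wrong')).dispatch   # => [403, "Forbidden"]
  p IssuesController.new(browser_request(with_token: false)).dispatch   # => [422, "Can't verify CSRF token authenticity."]
  p IssuesController.new(browser_request(with_token: true)).dispatch    # => [200, "ok"]
end
```

The first two calls show the mail handler after the fix: the key decides, and a missing token no longer matters. The last two show why the skip must stay limited to that controller: IssuesController still rejects a session-authenticated POST without a token, which is exactly the protection a controller used from the browser (such as the issue relations controller mentioned above) gives up when verify_authenticity_token is skipped on it outright.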