Patch #25653

Fix NoMethodError on HEAD requests to AccountController#register

Added by Holger Just 4 days ago. Updated 3 days ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Accounts / authentication
Target version: 3.2.7

Description

The attached patch fixes a NoMethodError when attempting to run a HEAD request against AccountController#register.

The cause of the bug is that HEAD requests did not trigger the check for request.get?.

0001-Render-register-page-on-all-non-POST-requests-to-acc.patch (935 Bytes) Holger Just, 2017-04-19 19:06

0002-Only-perform-login-action-on-explicit-POST.patch (1004 Bytes) Holger Just, 2017-04-20 13:52

History

#1 Updated by Go MAEDA 3 days ago

  • Target version set to 3.2.7

I cannot reproduce the problem, but I think that merging this fix is very reasonable because lines after source:tags/3.3.3/app/controllers/account_controller.rb@16536#L130 should be executed only when the request is POST.

$ curl -v --head http://localhost:3000/account/register
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 3000 (#0)
> HEAD /account/register HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK

#2 Updated by Holger Just 3 days ago

Hmmm, we had indeed only seen the error on Redmine 3.3, more specifically in http://www.redmine.org/projects/redmine/repository/revisions/16536/entry/tags/3.3.3/app/controllers/account_controller.rb#L148.

In current trunk, this code is now a bit different so that the exception doesn't occur anymore. However, it would still be desirable to not perform the registration from a HEAD request, as Go Maeda wrote above.

Now that I had a look around, the same issue is present in AccountController#login. There, it's again not an exception on HEAD but Redmine still attempts a login from the supplied URL parameters which is not desirable.

#3 Updated by Holger Just 3 days ago

The attached patch also fixed the additional issue described in #25653#note-2.
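
The verb handling discussed in this thread, as an added example that is not part of the original issue, the attached patches or Redmine's code: a simplified Ruby model comparing a `request.get?` guard with a `request.post?` guard for GET, HEAD and POST. The `Request` struct, both `register_*` functions and the sample requests are constructed for illustration.

```ruby
# Simplified model for illustration, not Redmine's controller code.
# Request mimics only the get?/post? predicates of a Rails request object.
Request = Struct.new(:verb, :params) do
  def get?;  verb == "GET";  end
  def post?; verb == "POST"; end
end

# Hypothetical action that branches on request.get?. Every verb that is not
# GET, including HEAD, falls through to the state-changing branch.
def register_get_guard(request, accounts)
  if request.get?
    :render_form
  else
    user = request.params[:user]     # nil when the request carries no form data
    accounts << user.fetch(:login)   # raises NoMethodError when user is nil
    :account_created
  end
end

# Same action, guarded on the only verb that is allowed to change state.
def register_post_guard(request, accounts)
  return :render_form unless request.post?
  user = request.params[:user]
  accounts << user.fetch(:login)
  :account_created
end

# Runs both guards over constructed requests; returns [outcome, accounts created].
def compare_guards
  samples = {
    "GET"                    => Request.new("GET", {}),
    "HEAD"                   => Request.new("HEAD", {}),
    "HEAD with query params" => Request.new("HEAD", { user: { login: "constructed" } }),
    "POST"                   => Request.new("POST", { user: { login: "alice" } }),
  }
  samples.map do |label, req|
    results = [:register_get_guard, :register_post_guard].map do |guard|
      accounts = []
      outcome = begin
        send(guard, req, accounts)
      rescue NoMethodError
        :no_method_error
      end
      [outcome, accounts.size]
    end
    [label, results]
  end.to_h
end

compare_guards.each { |label, r| puts "#{label}: get?-guard=#{r[0]} post?-guard=#{r[1]}" }
```

In this model the `get?` guard raises on a bare HEAD and changes state on a HEAD that carries parameters, while the `post?` guard renders the form for every non-POST verb.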
