Patch #25653

Fix NoMethodError on HEAD requests to AccountController#register

Added by Holger Just 5 months ago. Updated 4 months ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Jean-Philippe Lang
% Done: 0%

Category:Accounts / authentication
Target version:3.2.7

Description

The attached patch fixes a NoMethodError when attempting to run a HEAD request against AccountController#register.

The cause of the bug is that HEAD requests did not trigger the check for request.get?.

0001-Render-register-page-on-all-non-POST-requests-to-acc.patch (935 Bytes) Holger Just, 2017-04-19 19:06

0002-Only-perform-login-action-on-explicit-POST.patch (1004 Bytes) Holger Just, 2017-04-20 13:52

Associated revisions

Revision 16554
Added by Jean-Philippe Lang 4 months ago

Only perform login action on explicit POST (#25653).

Patch by Holger Just.

Revision 16555
Added by Jean-Philippe Lang 4 months ago

Render register page on all non-POST requests to account#register (#25653).

Patch by Holger Just.

History

#1 Updated by Go MAEDA 5 months ago

  • Target version set to 3.2.7

I cannot reproduce the problem but I think that merging this fix is very reasonable because lines after source:tags/3.3.3/app/controllers/account_controller.rb@16536#L130 should be executed only when the request is POST.

$ curl -v --head http://localhost:3000/account/register
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 3000 (#0)
> HEAD /account/register HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK

#2 Updated by Holger Just 5 months ago

Hmmm, we had indeed only seen the error on Redmine 3.3, more specifically in http://www.redmine.org/projects/redmine/repository/revisions/16536/entry/tags/3.3.3/app/controllers/account_controller.rb#L148.

In current trunk, this code is now a bit different so that the exception doesn't occur anymore. However, it would still be desirable to not perform the registration from a HEAD request, as Go Maeda wrote above.

Now that I had a look around, the same issue is present in AccountController#login. There, it's again not an exception on HEAD but Redmine still attempts a login from the supplied URL parameters, which is not desirable.

#3 Updated by Holger Just 5 months ago

The attached patch also fixed the additional issue described in #25653#note-2
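
The guard pattern discussed in notes 1 to 3, as an added example that is not part of the original thread and is not Redmine's code. FakeRequest, both login methods, and the sample parameters are hypothetical stand-ins; the example assumes, as the description states, that request.get? is false for a HEAD request.

```ruby
# Added illustration; FakeRequest and both actions are hypothetical stand-ins,
# not Redmine or Rails code.
FakeRequest = Struct.new(:verb, :params) do
  # Assumed predicate semantics: each matches exactly one verb, so HEAD is not GET.
  def get?;  verb == "GET";  end
  def post?; verb == "POST"; end
end

# "Before" shape: anything that is not GET falls through to the state-changing branch.
def login_guarded_by_get(request, attempts)
  return :render_form if request.get?
  attempts << request.params   # credentials taken from wherever they were supplied
  :authenticate
end

# "After" shape: only an explicit POST reaches the state-changing branch.
def login_guarded_by_post(request, attempts)
  return :render_form unless request.post?
  attempts << request.params
  :authenticate
end

# Constructed sample input; on a HEAD request these would arrive as URL parameters.
SAMPLE_PARAMS = { "username" => "alice", "password" => "example" }.freeze
VERBS = %w[GET HEAD POST].freeze

# Runs one action against every verb and records the outcome plus the number
# of login attempts it triggered.
def outcomes(action)
  VERBS.to_h do |verb|
    attempts = []
    result = send(action, FakeRequest.new(verb, SAMPLE_PARAMS), attempts)
    [verb, [result, attempts.size]]
  end
end

if __FILE__ == $PROGRAM_NAME
  %i[login_guarded_by_get login_guarded_by_post].each do |action|
    puts action
    outcomes(action).each do |verb, (result, n)|
      puts "  #{verb.ljust(5)} -> #{result} (login attempts: #{n})"
    end
  end
end
```

With the GET-based guard, the HEAD row shows a login attempt; with the POST-based guard, only POST does.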

#4 Updated by Jean-Philippe Lang 4 months ago

  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang

Patches committed, thanks.

#5 Updated by Jean-Philippe Lang 4 months ago

  • Status changed from Resolved to Closed
