Patch #39894
Explicitly render a 404 on non-JS requests to watchers#new
Status: closed
Description
The "Add watcher" button in the sidebar of issues is a javascript-ified link. Sometimes, crawlers hit this raw link and request non-JS data.
This currently results in rendering the JS template. However, the response is eventually blocked by ActionController::RequestForgeryProtection#verify_same_origin_request, which is run as an after_action. This method then throws an ActionController::InvalidCrossOriginRequest error and denies sending the rendered data to the client, to avoid sending an unauthorized cross-origin response.
This exception is then later handled by the ActionDispatch::ExceptionWrapper middleware, which in turn sends an empty 406 response.
The attached patch fixes this behavior by explicitly sending a 404 response when the (default) html format was requested for the watchers#new action. This hopefully keeps strange crawlers from further crawling this link...
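The request flow described above, modeled as a stand-alone Ruby script. This is an added illustration, not the attached patch, Redmine's WatchersController or Rails itself: the hash-based "response", the helper names and the `explicit_404:` switch are assumptions made here so the before/after behaviour can be compared without a Rails installation. The JavaScript content-type check mirrors the condition Rails uses in `verify_same_origin_request` (a `text/javascript` or `application/javascript` body handed to a request that was not made via XMLHttpRequest).

```ruby
# Model of the watchers#new request flow before and after the patch.
# Added example; not Redmine or Rails code. Helper names are assumptions.

class InvalidCrossOriginRequest < StandardError; end

JS_CONTENT_TYPE = %r{\A(?:text|application)/javascript}

# Models ActionController::RequestForgeryProtection#verify_same_origin_request,
# the after_action that refuses to hand a JavaScript body to a request that
# did not come in via XMLHttpRequest (a crawler following the raw link).
def verify_same_origin_request!(response, xhr:)
  if response[:content_type].to_s.match?(JS_CONTENT_TYPE) && !xhr
    raise InvalidCrossOriginRequest, "JavaScript response to a non-XHR request refused"
  end
  response
end

# Models ActionDispatch::ExceptionWrapper, which turns the exception into an
# empty 406 Not Acceptable response instead of propagating it.
def rescue_exception(exception)
  case exception
  when InvalidCrossOriginRequest
    { status: 406, content_type: nil, body: "" }
  else
    raise exception
  end
end

# Models watchers#new.
#   explicit_404: false -> behaviour before the patch: every format renders the
#                          JS template, so a plain html request ends as a 406.
#   explicit_404: true  -> behaviour after the patch: an html request gets a 404
#                          before any template is rendered; JS requests unchanged.
def watchers_new(format:, xhr:, explicit_404:)
  if explicit_404 && format == :html
    return { status: 404, content_type: "text/html", body: "Page not found" }
  end
  # Render the JavaScript template that opens the "Add watcher" dialog
  # (body text is a constructed placeholder).
  response = { status: 200, content_type: "text/javascript", body: "showModal('ajax-modal');" }
  verify_same_origin_request!(response, xhr: xhr)
rescue InvalidCrossOriginRequest => e
  rescue_exception(e)
end

if __FILE__ == $PROGRAM_NAME
  crawler = { format: :html, xhr: false }   # crawler hitting the raw link
  browser = { format: :js,   xhr: true  }   # the real "Add watcher" click
  puts "crawler, before patch: #{watchers_new(**crawler, explicit_404: false)[:status]}"  # 406
  puts "crawler, after patch:  #{watchers_new(**crawler, explicit_404: true)[:status]}"   # 404
  puts "browser, after patch:  #{watchers_new(**browser, explicit_404: true)[:status]}"   # 200
end
```

The point the model makes visible is that the 406 in the original behaviour is not produced by the action at all; the action happily renders the template, and only the after_action rejects the finished response. Answering html requests with an explicit 404 short-circuits before rendering, so the cross-origin check never has anything to refuse, while XHR requests for the JS format are untouched.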