Message7844
Hi Ralf:
In message <1696851823.07.0.447405379261.issue2551294@roundup.psfhosted.org>,
Ralf Schlatterbeck writes:
>New submission from Ralf Schlatterbeck:
>
>I was just bitten hard by the new behavior that not all header checks for REST can be turned off in the config.ini: I'm always getting::
>
> { "error": { "status": 400, "msg": "Required Header Missing" } }
Which headers are you sending? IIRC there are two places with that
output for REST: Origin and X-Requested-With. The latter can be
disabled. Do you have x-requested-with turned off?
Can you tell if the client is sending the Origin header?
>Unfortunately I've not found anything about this in any of the upgrading docs.
Yeah, we don't have a lot of REST users, so....
Which version did you upgrade from when it was working?
>Looks like the 'Origin' header check is hard-coded in roundup/cgi/client.py
>for the API, in handle_rest we have::
>
>    if not self.is_origin_header_ok(api=True):
>        if 'HTTP_ORIGIN' not in self.env:
>            msg = self._("Required Header Missing")
>        else:
>            msg = self._("Client is not allowed to use Rest Interface.")
>
>        # Use code 400. Codes 401 and 403 imply that authentication
>        # is needed or authenticated person is not authorized.
>        # Preflight doesn't do authentication.
>        output = s2b(
>            '{ "error": { "status": 400, "msg": "%s" } }' % msg)
>        self.reject_request(output,
>                            message_type="application/json",
>                            status=400)
>        return
>
>So this does not use the csrf_enforce_header_origin in the config.
>From the comments it looks like this might be intended to only be
>hit on a preflight check. But it is hit any time a POST is issued to
>the tracker.
That sounds right. POSTs do a pre-flight IIRC and they should always
send an Origin.
From the docs on preflight:
Also these requests bypass CSRF checks except for the Origin header
check which is always run for preflight requests.
>Even when authenticated. I'm using Kerberos Authentication behind an
>apache2 webserver.
I think a csrf request would get your session tokens.
>Is this intentional?
IIRC forcing origin is intentional.
>I can see why one would enforce at least one header with REST but
>unfortunately I have a very important legacy app that I have no
>influence on.
You believe it's not sending an Origin? IIRC there is a different
error if the Origin doesn't match the Roundup server. But
allowed_api_origins might be of use if you think that's the issue.
Sorry I don't have a good answer for you.
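To make the behaviour discussed in this message concrete, here is an added, stand-alone example (not Roundup's own code) of the kind of Origin gate the quoted snippet performs on every REST POST. The config names allowed_api_origins and the X-Requested-With switch mirror the options mentioned in the thread, but the tracker URL, the sample requests and the origin-matching rule (exact scheme://host[:port] comparison after lower-casing, with "*" meaning any origin) are assumptions made for this illustration, not the project's implementation.

```python
import json
from urllib.parse import urlsplit

# Constructed for this example: the tracker's own URL and config values that
# stand in for Roundup's allowed_api_origins / x-requested-with settings.
TRACKER_URL = "https://tracker.example.org/roundup/"
ALLOWED_API_ORIGINS = ("https://legacy-app.example.org",)


def origin_of(url):
    """Reduce a URL or Origin value to scheme://host[:port], lower-cased.

    No default-port normalisation is done, so "https://h" and "https://h:443"
    are treated as different origins (an assumption of this example)."""
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())


def reject(msg):
    """Build the JSON error body quoted in the thread.  json.dumps is used so
    the message is always emitted as a valid JSON string."""
    return json.dumps({"error": {"status": 400, "msg": msg}})


def check_api_origin(environ, tracker_url=TRACKER_URL,
                     allowed_api_origins=ALLOWED_API_ORIGINS,
                     enforce_x_requested_with=True):
    """Gate a REST request on its Origin (and optionally X-Requested-With).

    environ is a CGI/WSGI-style dict.  Returns None when the request may
    proceed, otherwise (http_status, json_body).  Authentication state is
    deliberately not consulted: a forged cross-site request issued by an
    authenticated browser carries the victim's Kerberos ticket or session
    cookie too, so the header check has to run regardless of auth, which is
    exactly why an authenticated legacy client without Origin is rejected.
    """
    # Presence-only check for X-Requested-With, as an assumption of this example.
    if enforce_x_requested_with and "HTTP_X_REQUESTED_WITH" not in environ:
        return 400, reject("Required Header Missing")

    origin = environ.get("HTTP_ORIGIN")
    if origin is None:
        # Browsers always send Origin on cross-site POST and on preflight; a
        # missing header usually means a non-browser client or a proxy that
        # stripped it.  Status 400 rather than 401/403, as in the quoted code.
        return 400, reject("Required Header Missing")

    if "*" in allowed_api_origins:
        return None

    permitted = {origin_of(tracker_url)}
    permitted.update(origin_of(o) for o in allowed_api_origins)
    # An Origin of "null" (sandboxed or opaque contexts) reduces to "://" and
    # therefore never matches, so it is rejected like any foreign origin.
    if origin_of(origin) not in permitted:
        return 400, reject("Client is not allowed to use Rest Interface.")
    return None


def main():
    # Constructed sample requests: the legacy-app case from the thread
    # (no Origin at all), a same-origin browser POST, and a foreign origin.
    samples = {
        "legacy app, no Origin": {"HTTP_X_REQUESTED_WITH": "XMLHttpRequest"},
        "same-origin browser": {"HTTP_ORIGIN": "https://tracker.example.org",
                                "HTTP_X_REQUESTED_WITH": "XMLHttpRequest"},
        "foreign origin": {"HTTP_ORIGIN": "https://other.example",
                           "HTTP_X_REQUESTED_WITH": "XMLHttpRequest"},
    }
    for label, environ in samples.items():
        print("%-22s -> %s" % (label, check_api_origin(environ) or "accepted"))


if __name__ == "__main__":
    main()
```

Running the block shows the three outcomes side by side; the "legacy app, no Origin" case is the one the reporter hit, and adding the app's origin to allowed_api_origins does not help it, because that list is only consulted once an Origin header is actually present.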
Date | User | Action | Args
2023-10-09 15:05:31 | rouilj | set | recipients: + rouilj, schlatterbeck, Heiko
2023-10-09 15:05:31 | rouilj | link | issue2551294 messages
2023-10-09 15:05:31 | rouilj | create |