Roundup Tracker - Issues

Issue 2551360

Classification
Processing leftover post data when using GET request
Type: behavior
Severity: normal
Components: Web interface
Versions:

Process
Status: new
rouilj, schlatterbeck
Priority:

Created on 2024-07-17 23:27 by rouilj, last changed 2024-07-17 23:36 by rouilj.

Messages
msg8114 Author: [hidden] (rouilj) Date: 2024-07-17 23:27
Using the following CURL command:

   curl -vv -n -p -X GET --header "Content-Type: application/xml"   \
         --header "Accept: application/json" \
         --header 'If-Match: "3cda6983cac9eb51266b6e418141c53d"' \
         --data-urlencode '@op=add' \
         --header "Origin: https://example.net" \
     "https://example.net/demo/rest/data/keyword?name=sv&@verbose=2"

I see the following logged:

443544 127.0.0.1 - - [17/Jul/2024 23:12:04] "GET /demo/rest/data/keyword?name=sv&@verbose=2 HTTP/1.1" 200 -
443544 127.0.0.1 - - [17/Jul/2024 23:12:04] code 400, message Bad request syntax ('@op=add')
443544 127.0.0.1 - - [17/Jul/2024 23:12:04] "@op=add" 400 -

So it looks like curl is sending the data @op=add and a GET request isn't draining the
input. So Roundup (with roundup-server behind a proxy) consumes the initial GET
header line, routes using it. Then when BaseRequestHandler.handle gets
called again, it gets the leftover content on the socket.

What should happen here? I don't think it is a security issue as the only
value recognized by handle() at that point is an HTTP header.

AFAICT it just reports an error that might be useful to find poorly behaving
rest clients.

So maybe nothing has to happen?

Thoughts?

(I generated the curl command by mucking with a PATCH command created for
a different purpose and didn't feel like getting rid of the other settings. So sort
of a manual fuzzer.)
msg8115 Author: [hidden] (rouilj) Date: 2024-07-17 23:36
reference: https://www.baeldung.com/cs/http-get-with-body

Maybe it would be better to detect a body for the GET request and throw a 400
error in this case.
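The following is an added illustration, not Roundup's code, of the mechanism described in msg8114 and of the alternative proposed in msg8115. It assumes a constructed byte stream standing in for the socket (the GET from the report plus the 7-byte body curl sends for it) and a minimal request parser; `serve()` runs that stream under three policies: "naive" never reads a declared body, so the leftover bytes are parsed as the next request line and fail with the same "Bad request syntax" error seen in the log; "drain" consumes Content-Length bytes before reading the next request; "reject" answers 400 when a GET carries a body.

```python
import io

# Constructed stand-in for what the socket receives: the GET request from the
# report, with the Content-Length and body curl adds for --data-urlencode.
CONSTRUCTED_STREAM = (
    b"GET /demo/rest/data/keyword?name=sv&@verbose=2 HTTP/1.1\r\n"
    b"Host: example.net\r\n"
    b"Content-Type: application/xml\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"@op=add"
)


def parse_head(rfile):
    """Read one request line and its headers.

    Returns (method, target, headers) or None at end of stream.  Raises
    ValueError on a malformed request line, which is what happens when the
    undrained body bytes are read as if they were the next request.
    """
    line = rfile.readline()
    if not line:
        return None
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("Bad request syntax (%r)"
                         % line.rstrip(b"\r\n").decode("latin-1"))
    headers = {}
    while True:
        hdr = rfile.readline()
        if hdr in (b"\r\n", b"\n", b""):
            break
        name, _, value = hdr.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0].decode("ascii"), parts[1].decode("latin-1"), headers


def serve(stream, policy):
    """Handle every request on the stream; return the status lines produced.

    policy: "naive"  - never reads a declared body (reproduces the report)
            "drain"  - reads Content-Length bytes so the next read starts at
                       the next request line
            "reject" - reads the body, then answers 400 for a GET with a body
    """
    rfile = io.BytesIO(stream)
    log = []
    while True:
        try:
            head = parse_head(rfile)
        except ValueError as e:
            log.append("400 %s" % e)
            continue
        if head is None:
            return log
        method, target, headers = head
        if policy == "naive":
            # Body bytes stay on the socket and surface on the next handle().
            log.append("200 %s %s" % (method, target))
            continue
        raw_len = headers.get("content-length", "0")
        if not raw_len.isdigit():
            # Framing is unknown, so the connection cannot safely be reused.
            log.append("400 %s %s (bad Content-Length)" % (method, target))
            return log
        length = int(raw_len)
        rfile.read(length)  # both safe policies take the body off the socket
        if policy == "reject" and method == "GET" and length:
            log.append("400 %s %s (body not allowed on GET)" % (method, target))
            continue
        log.append("200 %s %s" % (method, target))


if __name__ == "__main__":
    for policy in ("naive", "drain", "reject"):
        print(policy, serve(CONSTRUCTED_STREAM, policy))
```

Either safe policy removes the stray request from the log; the difference is only whether the client is told its GET body was ignored. The example frames bodies by Content-Length only; a request using Transfer-Encoding: chunked would need the same drain-or-reject handling so that no unread bytes remain on a kept-alive connection.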
History
Date                User    Action  Args
2024-07-17 23:36:18 rouilj  set     messages: + msg8115
2024-07-17 23:27:55 rouilj  create