Roundup Tracker - Issues

Message8114

Author rouilj
Recipients rouilj, schlatterbeck
Date 2024-07-17.23:27:55
Message-id <1721258875.63.0.698582619424.issue2551360@roundup.psfhosted.org>
In-reply-to
Using the following CURL command:

   curl -vv -n -p -X GET --header "Content-Type: application/xml"   \
         --header "Accept: application/json" \
         --header 'If-Match: "3cda6983cac9eb51266b6e418141c53d"' \
         --data-urlencode '@op=add' \
         --header "Origin: https://example.net" \
     "https://example.net/demo/rest/data/keyword?name=sv&@verbose=2"

I see the following logged:

443544 127.0.0.1 - - [17/Jul/2024 23:12:04] "GET /demo/rest/data/keyword?name=sv&@verbose=2 HTTP/1.1" 200 -
443544 127.0.0.1 - - [17/Jul/2024 23:12:04] code 400, message Bad request syntax ('@op=add')
443544 127.0.0.1 - - [17/Jul/2024 23:12:04] "@op=add" 400 -

So it looks like curl is sending the data @op=add and a GET request isn't draining the
input. So Roundup (with roundup-server behind a proxy) consumes the initial GET
header line and routes using it. Then when BaseRequestHandler.handle gets
called again, it gets the leftover content on the socket.

What should happen here? I don't think it is a security issue as the only
value recognized by handle() at that point is an HTTP header.

AFAICT it just reports an error that might be useful to find poorly behaving
REST clients.

So maybe nothing has to happen?

Thoughts?

(I generated the curl command by mucking with a PATCH command created for
a different purpose and didn't feel like getting rid of the other settings. So sort
of a manual fuzzer.)
History
Date                 User    Action  Args
2024-07-17 23:27:55  rouilj  set     recipients: + rouilj, schlatterbeck
2024-07-17 23:27:55  rouilj  set     messageid: <1721258875.63.0.698582619424.issue2551360@roundup.psfhosted.org>
2024-07-17 23:27:55  rouilj  link    issue2551360 messages
2024-07-17 23:27:55  rouilj  create
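
The behaviour described in the message above, reproduced as an added example (not part of the original message and not Roundup's code). It uses Python's standard `http.server` as a stand-in for roundup-server; the handler names, `logged_lines()` and the request bytes are constructed for illustration. It compares a GET handler that leaves the body on the socket with one that drains `Content-Length` bytes before responding.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed request mirroring the curl call: a GET that carries a 7-byte body.
REQUEST = (b"GET /demo/rest/data/keyword?name=sv&@verbose=2 HTTP/1.1\r\n"
           b"Host: example.net\r\nContent-Length: 7\r\n\r\n"
           b"@op=add")

class NoDrainHandler(BaseHTTPRequestHandler):
    """Hypothetical handler: answers GET without reading the request body."""
    protocol_version = "HTTP/1.1"   # keep-alive, so handle_one_request() runs again
    drain = False
    log = None                      # reset per run by logged_lines()

    def do_GET(self):
        if self.drain:
            # Consume exactly the declared body so it is not parsed as a request.
            length = max(0, int(self.headers.get("Content-Length") or 0))
            self.rfile.read(length)
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, format, *args):
        self.log.append(format % args)   # capture instead of writing to stderr

class DrainHandler(NoDrainHandler):
    drain = True

def logged_lines(handler_cls):
    """Serve one connection with handler_cls and return what it logged."""
    handler_cls.log = []
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    worker = threading.Thread(target=srv.handle_request)
    worker.start()
    with socket.create_connection(srv.server_address) as s:
        s.sendall(REQUEST)
        s.shutdown(socket.SHUT_WR)       # client is done sending
        while s.recv(4096):              # read until the server closes
            pass
    worker.join()
    srv.server_close()
    return handler_cls.log

if __name__ == "__main__":
    print(logged_lines(NoDrainHandler))  # 200, then the 400 for '@op=add'
    print(logged_lines(DrainHandler))    # 200 only
```
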