Message8192
When looking at the REST documentation, the small section 'Preventing CSRF Attacks' only lists the X-REQUESTED-WITH header as required. But it seems the Origin header is also mandatory, at least on updates. The config option "csrf_enforce_header_origin" has no influence on this.
When recently upgrading a tracker at a customer, one client can no longer run their scripts (which do an update) because they get "Required Header Missing". Unfortunately it doesn't even tell *which* header is missing.
Two things should be done:
- Mention all required and optional headers in the REST-API CSRF section, in particular the headers that are needed even if turned off in config.ini
- Maybe mention *which* header is missing in the error message returned to the user. I'm not sure if this would constitute a security issue, but I think not.
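The following is an added example, not part of this message and not Roundup's own code: a small REST client that sets the headers the report says an update needs (X-Requested-With with the value XMLHttpRequest, plus Origin) and, before sending, reports which required header is missing, since the tracker's "Required Header Missing" reply does not. The required-header list, the tracker URL, the item path `/rest/data/issue/<id>`, the credentials and the offline fake reply are assumptions or constructed placeholders.

```python
"""Added example, not Roundup's code: a REST client that sets the CSRF
headers an update needs and names the missing one before sending.

Assumptions (from the report, not from the REST docs): X-Requested-With
('XMLHttpRequest') is required on every request and Origin on updates.
Tracker URL, item path, credentials and the offline reply are placeholders."""
import base64
import io
import json
import urllib.request

# Methods that change data; the report says Origin is mandatory on updates.
UPDATE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _has_header(headers, name):
    # HTTP header names are case-insensitive; compare accordingly.
    return any(k.lower() == name.lower() for k in headers)


def missing_csrf_headers(headers, method):
    """Names of the required CSRF headers absent from `headers` for `method`.
    X-Requested-With everywhere, Origin on updates (assumed, see docstring).
    Returns an empty list when nothing is missing."""
    required = ["X-Requested-With"]
    if method.upper() in UPDATE_METHODS:
        required.append("Origin")
    return [h for k, h in ((h, h) for h in required) if not _has_header(headers, h)]


def build_headers(tracker_url, user, password):
    """Headers for a JSON update against the tracker at `tracker_url`.
    Origin must be the tracker's own scheme://host[:port], without a path."""
    origin = "/".join(tracker_url.split("/")[:3])  # 'https://host[:port]'
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "X-Requested-With": "XMLHttpRequest",
        "Origin": origin,
        "Authorization": "Basic " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


def update_issue(tracker_url, issue_id, fields, headers,
                 opener=urllib.request.urlopen):
    """PATCH one issue. Refuses to send when a required CSRF header is
    missing and names it, which the tracker's own reply does not."""
    missing = missing_csrf_headers(headers, "PATCH")
    if missing:
        raise ValueError("Required header missing: " + ", ".join(missing))
    # Item path assumed: <tracker>/rest/data/<class>/<id>.
    req = urllib.request.Request(
        f"{tracker_url}/rest/data/issue/{issue_id}",
        data=json.dumps(fields).encode(), method="PATCH", headers=headers)
    with opener(req) as resp:
        return json.load(resp)


def demo():
    """Runs offline against a constructed fake tracker reply."""
    tracker = "https://tracker.example.org/demo"  # placeholder

    def fake_open(req):
        # Constructed response standing in for the tracker; nothing real.
        assert req.get_method() == "PATCH"
        assert missing_csrf_headers(req.headers, "PATCH") == []
        return io.BytesIO(b'{"data": {"id": "123"}}')

    hdrs = build_headers(tracker, "alice", "s3cret")
    return update_issue(tracker, "123", {"status": "chatting"}, hdrs,
                        opener=fake_open)


if __name__ == "__main__":
    print(demo())
```

The client-side check is what the report asks the server to do: name the header. The ETag handling (If-Match) that Roundup's REST docs describe for item updates is not covered here.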
Date | User | Action | Args
2024-11-25 14:08:49 | schlatterbeck | set | recipients: + schlatterbeck, rouilj
2024-11-25 14:08:49 | schlatterbeck | set | messageid: <1732543729.53.0.967849195543.issue2551372@roundup.psfhosted.org>
2024-11-25 14:08:49 | schlatterbeck | link | issue2551372 messages
2024-11-25 14:08:49 | schlatterbeck | create |