Mercurial > p > roundup > code
comparison doc/upgrading.txt @ 8265:35beff316883
fix(api): issue2551384. Verify REST authorization earlier
To reduce the ability of bad actors to spam (DOS) the REST endpoint
with bad data and generate logs meant for debugging, modify the flow
in client.py's REST handler to verify authorization earlier.
If the anonymous user is allowed to use REST, this won't make a
difference for a DOS attempt. The templates don't enable REST for the
anonymous user by default. Most admins don't change this.
The validation order for REST requests has been changed.
CORS identfied an handled
User authorization to use REST (return 403 on failure)
REST request validated (Origin header valid etc.) (return 400 for
bad request)
Incorrectly formatted CORS preflight requests (e.g. missing Origin
header) that are not recogized as a CORS request can now return HTTP
status 403 as well as status 400 (when anonymous is allowed
access). Note all CORS preflights are sent without authentication so
appear as anonymous requests.
The tests were updated to compensate, but it is not obvious to me from
specs what the proper evaulation order/return codes should be for this
case. Both 403/400 are failures and cause CORS to fail so there should
be no difference but...
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 09 Jan 2025 09:30:08 -0500 |
| parents | 2a7c3eeaf167 |
| children | b757cf509480 |
comparison
equal
deleted
inserted
replaced
| 8264:09e8d1a4c796 | 8265:35beff316883 |
|---|---|
| 221 | 221 |
| 222 If you have enabled the xmlrpc endpoint, you should install | 222 If you have enabled the xmlrpc endpoint, you should install |
| 223 defusedxml. | 223 defusedxml. |
| 224 | 224 |
| 225 .. _defusedxml: https://pypi.org/project/defusedxml/ | 225 .. _defusedxml: https://pypi.org/project/defusedxml/ |
| 226 | |
| 227 Change in REST response for invalid CORS requests (info) | |
| 228 -------------------------------------------------------- | |
| 229 | |
| 230 CORS_ preflight requests that are missing required headers can | |
| 231 now result in either a 403 or 400 error code. If you permit | |
| 232 anonymous users to access the REST interface, a 400 error may | |
| 233 still occur. Previously, only a 400 error was given. This change | |
| 234 is not expected to create issues since the client will recognize | |
| 235 both codes it as an error response, and the CORS request will | |
| 236 still fail. | |
| 226 | 237 |
| 227 More secure session cookie handling (info) | 238 More secure session cookie handling (info) |
| 228 ------------------------------------------ | 239 ------------------------------------------ |
| 229 | 240 |
| 230 This affects you if you are accessing a tracker via https. The name | 241 This affects you if you are accessing a tracker via https. The name |