Ticket #620 (fixed bug)

Fluxbb doesn't give 404 http status code

  • Created: 2012-02-12 22:09:56
  • Reported by: Insert Name Here
  • Assigned to: Oldskool
  • Milestone: 1.4.9
  • Component: code
  • Priority: high

If someone visits a forum or a topic that doesn't exist (as shown here: https://fluxbb.org/forums/viewforum.php?id=39859132854), the page sends back a 200 status code instead of a 404 status code, which is the correct status code to use in this situation.

In addition, if a user who isn't authenticated tries to view a user profile (as shown here: http://fluxbb.org/forums/profile.php?id=54709), then a 200 error is also returned. A 404 or a 403 header would be more appropriate.

History

Insert Name Here 2012-02-12 22:13:20

  • Description changed. (Diff)

Insert Name Here 2012-02-12 22:19:00

  • Description changed. (Diff)

Reines 2012-02-12 23:09:37

  • Milestone set to 1.4.9.

I seem to recall there being some discussion of this in the forums in the past, though can't for the life of me remember what it was or why this wasn't fixed...

Franz 2012-04-12 16:09:25

  • Component set to code.

Franz 2012-04-13 13:10:10

This is quite complicated, as none of the headers seem to be the perfect match for what we are trying to express with the "Bad request..." message.

Oldskool 2012-04-13 21:35:02

  • Owner set to Oldskool.

Oldskool 2012-04-13 21:36:33

@Franz: Maybe the message "bad request" is a bit misleading. The HTTP status makes sense. The object you've requested can either not be found or is forbidden for you to view. Perhaps the "bad request" message needs to be replaced with "not found" and "forbidden" messages.

Oldskool 2012-04-13 21:38:30

Commit 543eaa0 to fluxbb fluxbb-1.4

#620 - Added http status codes to various events

Oldskool 2012-04-13 21:41:54

Just submitted a pull request for how I think it makes sense. Please review: https://github.com/fluxbb/fluxbb/pull/39

Franz 2012-04-13 22:00:08

Have you read the topic Quy linked above? It's a security issue (even though small).

Oldskool 2012-04-13 23:11:15

Hmm, not really getting the security point? Probably me though...

Oldskool 2012-04-25 20:48:36

Any more comments on the security issue? I think this ticket is the last one holding back a 1.4.9 release? :)

Franz 2012-04-25 22:09:30

Well, the problem is telling the user that something exists of which he or she shouldn't even know that it exists.

The only remaining problem I see (look at the pull request discussion) is whether 404 headers are correct for this ambiguous case.
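
An added example, not part of the ticket or of FluxBB's code, illustrating the concern raised in the comment above: answering 403 for a hidden forum and 404 for a missing one lets a guest tell which ids exist, while a uniform 404 does not. The data layout, group ids and the function names `forum_response` and `send_forum_response` are hypothetical.

```php
<?php
// Constructed sample data: forum id => title and the group ids allowed to read it.
// (Hypothetical structure, not FluxBB's schema.)
$forums = array(
    1 => array('title' => 'Announcements', 'read_groups' => array(1, 2, 3)),
    7 => array('title' => 'Staff only',    'read_groups' => array(1)),
);

/**
 * Decide status code and body for a forum request.
 * $uniform = false: 403 for hidden, 404 for missing (reveals that the id exists).
 * $uniform = true : the same 404 and the same body for both cases.
 */
function forum_response(array $forums, $id, $group_id, $uniform)
{
    $exists  = isset($forums[$id]);
    $allowed = $exists && in_array($group_id, $forums[$id]['read_groups'], true);

    if ($allowed) {
        return array(200, $forums[$id]['title']);
    }
    if (!$uniform && $exists) {
        return array(403, 'Forbidden');
    }
    return array(404, 'Not found');
}

// Emit the decision as a real HTTP response (for use inside a page script).
function send_forum_response(array $response)
{
    list($status, $body) = $response;
    http_response_code($status); // available in PHP >= 5.4
    echo htmlspecialchars($body);
}

// Compare what a guest (group 3, constructed) can learn under each policy.
$guest = 3;
foreach (array(false, true) as $uniform) {
    $hidden  = forum_response($forums, 7, $guest, $uniform);   // exists, not readable
    $missing = forum_response($forums, 999, $guest, $uniform); // does not exist
    printf(
        "uniform=%s hidden=%d missing=%d distinguishable=%s\n",
        $uniform ? 'yes' : 'no', $hidden[0], $missing[0],
        $hidden === $missing ? 'no' : 'yes'
    );
}
```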

Franz 2012-05-03 08:33:15

Commit 062fce1 to fluxbb fluxbb-1.4

Merge pull request #39 from oldskool/fluxbb-1.4

#620: Add HTTP status codes wherever it makes sense.

Franz 2012-05-03 08:34:14

  • Status changed from open to fixed.

Merged this finally. Thanks for the effort!

Wan 2012-05-08 09:42:28

In misc.php there is still (at lines 24-25):

	if ($pun_config['o_rules'] == '0' || ($pun_user['is_guest'] && $pun_user['g_read_board'] == '0' && $pun_config['o_regs_allow'] == '0'))
		message($lang_common['Bad request']);

Oversight or not?