Ticket #620 (fixed bug)
Fluxbb doesn't give 404 http status code
- Created: 2012-02-12 22:09:56
- Reported by: Insert Name Here
- Assigned to: Oldskool
- Milestone: 1.4.9
- Component: code
- Priority: high
If someone visits a forum or a topic that doesn't exist (as shown here: https://fluxbb.org/forums/viewforum.php?id=39859132854), the page sends back a 200 status code instead of a 404 status code, which is the correct status code to use in this situation.
In addition, if a user who isn't authenticated tries to view a user profile (as shown here: http://fluxbb.org/forums/profile.php?id=54709), then a 200 error is also returned. A 404 or a 403 header would be more appropriate.
Reines 2012-02-12 23:09:37
- Milestone set to 1.4.9.
I seem to recall there being some discussion of this in the forums in the past, though can't for the life of me remember what it was or why this wasn't fixed...
Franz 2012-04-12 16:09:25
- Component set to code.
Franz 2012-04-13 13:10:10
This is quite complicated, as none of the headers seem to be the perfect match for what we are trying to express with the "Bad request..." message.
Oldskool 2012-04-13 21:35:02
- Owner set to Oldskool.
Oldskool 2012-04-13 21:36:33
@Franz: Maybe the message "bad request" is a bit misleading. The http status makes sense. The object you've requested can either not be found or is forbidden for you to view. Perhaps the "bad request" message needs to be replaced with "not found" and "forbidden" messages.
Oldskool 2012-04-13 21:41:54
Just submitted a pull request for how I think it makes sense. Please review: https://github.com/fluxbb/fluxbb/pull/39
Franz 2012-04-13 22:00:08
Have you read the topic Quy linked above? It's a security issue (even though small).
Oldskool 2012-04-13 23:11:15
Hmm, not really getting the security point? Probably me though...
Oldskool 2012-04-25 20:48:36
Any more comments on the security issue? I think this ticket is the last one holding back a 1.4.9 release?
Franz 2012-04-25 22:09:30
Well, the problem is telling the user that something exists of which he or she shouldn't even know that it exists.
The only remaining problem I see (look at the pull request discussion) is whether 404 headers are correct for this ambiguous case.
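The trade-off Franz describes, written out as an added PHP example (this is not FluxBB code and not the code from the pull request): a real HTTP status is sent instead of a 200 "Bad request" page, and a forum that exists but is hidden from the current user is answered exactly like a forum that does not exist, so a request with a guessed id cannot confirm that the id is in use. The function names `error_page` and `forum_status`, the `$forums` array standing in for the database lookup, and the two sample rows are all constructed for the example; the `$leak_existence` switch shows the 403 variant the discussion argues against beside the 404 variant.

```php
<?php
// Added example, not FluxBB code. Shows the status-code choice discussed in
// the ticket: send a real HTTP status rather than a 200 "Bad request" page,
// and answer "exists but hidden" the same way as "does not exist" so the
// response does not reveal that a hidden forum exists.
//
// $forums stands in for the database lookup; ids and names are made up.

declare(strict_types=1);

const STATUS_TEXT = [
    403 => 'Forbidden',
    404 => 'Not Found',
];

/**
 * Replacement for a 200-status "Bad request" page: emit the given HTTP
 * status line with a matching message, then stop (like FluxBB's message()).
 */
function error_page(int $status, string $body): void
{
    if (!headers_sent()) {
        header(sprintf('HTTP/1.1 %d %s', $status, STATUS_TEXT[$status]));
    }
    echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
    exit;
}

/**
 * Decide the status for a request to view a forum.
 *
 * $forum is the looked-up row, or null when no row has that id; $can_read
 * says whether the current user's group may read it.
 *
 * With $leak_existence = true a hidden forum gets 403, which tells an
 * unauthenticated prober that the id exists (the behaviour objected to in
 * the ticket). With false, hidden and missing both give 404, so the prober
 * learns nothing either way.
 */
function forum_status(?array $forum, bool $can_read, bool $leak_existence = false): int
{
    if ($forum === null) {
        return 404;
    }
    if (!$can_read) {
        return $leak_existence ? 403 : 404;
    }
    return 200;
}

// Constructed stand-in data: id 1 is public, id 2 is read-restricted.
$forums = [
    1 => ['forum_name' => 'General discussion', 'guest_read' => true],
    2 => ['forum_name' => 'Moderators only',    'guest_read' => false],
];

$id       = (int) ($_GET['id'] ?? 0);
$forum    = $forums[$id] ?? null;
$is_guest = true; // assumption: this example does no session handling
$can_read = $forum !== null && ($forum['guest_read'] || !$is_guest);

$status = forum_status($forum, $can_read);
if ($status !== 200) {
    error_page(
        $status,
        $status === 403
            ? 'You are not allowed to view this forum.'
            : 'The forum you requested does not exist.'
    );
}

echo 'Forum: ' . htmlspecialchars($forum['forum_name'], ENT_QUOTES, 'UTF-8');
```

Requesting `?id=2` as a guest and `?id=39859132854` both produce the same 404 status and the same "does not exist" body; only the `$leak_existence = true` variant would let the two be told apart. The same rule applies to profile.php: a profile a guest may not view should not be answered differently from a profile id that was never assigned.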
Franz 2012-05-03 08:34:14
- Status changed from open to fixed.
Merged this finally. Thanks for the effort!
In misc.php there is still (at lines 24-25):
if ($pun_config['o_rules'] == '0' || ($pun_user['is_guest'] && $pun_user['g_read_board'] == '0' && $pun_config['o_regs_allow'] == '0')) message($lang_common['Bad request']);
Oversight or not?