Bug #41060

closed

Feature #40907: mgr/dashboard: REST API improvements

mgr/dashboard: REST API returns 500 when no Content-Type is specified

Added by Ernesto Puerta over 4 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: General - Back-end
Target version:
% Done: 0%
Source:
Tags:
Backport: nautilus, octopus
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Right now, a request like this (without Content-Type: application/json) results in 500 error + traceback:

# curl -s -k -X POST "https://172.20.0.2:11000/api/auth" -d "{\"username\":\"xxx\",\"password\":\"xxxx\"}"
{
  "status": "500 Internal Server Error",
  "version": "3.2.2",
  "detail": "The server encountered an unexpected condition which prevented it from fulfilling the request.",
  "traceback": "Traceback (most recent call last):\n  File \"/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py\", line 656, in respond\n
    response.body = self.handler()\n  File \"/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py\", line 188, in __call__\n
    self.body = self.oldhandler(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/cherrypy/_cptools.py\", line 221, in wrap\n
    return self.newhandler(innerfunc, *args, **kwargs)\n  File \"/ceph/src/pybind/mgr/dashboard/services/exception.py\", line 88, in dashboard_exception_handler\n
    return handler(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py\", line 34, in __call__\n
    return self.callable(*self.args, **self.kwargs)\n  File \"/ceph/src/pybind/mgr/dashboard/controllers/__init__.py\", line 649, in inner\n
    ret = func(*args, **kwargs)\n  File \"/ceph/src/pybind/mgr/dashboard/controllers/__init__.py\", line 842, in wrapper\n
    return func(*vpath, **params)\nTypeError: create() got an unexpected keyword argument '{\"username\":\"xxxx\",\"password\":\"xxxx\"}'\n"
}

There are 2 issues here:
  • Trying to parse an unsupported content type can result in an exploit,
  • The proper response according to HTTP 1.1 should be 416 - Unsupported Media Type (blame on client side) instead of 500 - Internal Server Error.
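The failure mode in the report, reproduced in a small standalone example (added here; this is not the Ceph dashboard's code): when the body is not recognised as JSON, it is parsed as a form body, the whole JSON text becomes a single form key, and that key is passed to the handler as a keyword argument. The hardened dispatcher below rejects unsupported media types up front instead of letting the handler blow up. The `create()` handler and the `dispatch_*` names are assumed for illustration.

```python
"""Added example, not mgr/dashboard code. Reproduces the 500 from the report
and shows the media-type check that turns it into a client-side error."""
import json
from urllib.parse import parse_qs

JSON_TYPES = {"application/json"}

# Constructed request body, same shape as the curl call in the report.
BODY = '{"username":"xxx","password":"xxxx"}'


def create(username=None, password=None, stay_signed_in=False):
    """Stand-in for the auth controller's create() handler (assumed)."""
    return {"user": username, "stay": stay_signed_in}


def parse_body_unsafe(content_type, raw_body):
    """Mimics the reported behaviour: a non-JSON body is treated as a form
    body, so the raw JSON text ends up as one form key with an empty value."""
    if content_type in JSON_TYPES:
        return json.loads(raw_body)
    form = parse_qs(raw_body, keep_blank_values=True)
    return {k: v[0] for k, v in form.items()}


def dispatch_unsafe(content_type, raw_body):
    """The bogus key becomes a keyword argument -> TypeError -> 500."""
    try:
        return 200, create(**parse_body_unsafe(content_type, raw_body))
    except TypeError as exc:
        return 500, str(exc)


def dispatch_hardened(content_type, raw_body):
    """Reject anything that is not application/json before parsing,
    and report malformed JSON as a client error instead of a server one."""
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type not in JSON_TYPES:
        return 415, "Unsupported Media Type: expected application/json"
    try:
        params = json.loads(raw_body)
    except ValueError:
        return 400, "Bad Request: body is not valid JSON"
    if not isinstance(params, dict):
        return 400, "Bad Request: body must be a JSON object"
    try:
        return 200, create(**params)
    except TypeError as exc:
        # Unknown keys are a client error, not a server failure.
        return 400, "Bad Request: %s" % exc
```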

Related issues 2 (0 open, 2 closed)

Copied to Dashboard - Backport #47303: nautilus: mgr/dashboard: REST API returns 500 when no Content-Type is specified (Resolved, Avan Thakkar)
Copied to Dashboard - Backport #47349: octopus: mgr/dashboard: REST API returns 500 when no Content-Type is specified (Resolved, Avan Thakkar)
Actions #1

Updated by Ernesto Puerta over 4 years ago

  • Description updated (diff)
Actions #2

Updated by Sebastian Wagner over 4 years ago

https://github.com/rook/rook/issues/3873

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 656, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 188, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/_cptools.py", line 221, in wrap
    return self.newhandler(innerfunc, *args, **kwargs)
  File "/usr/share/ceph/mgr/dashboard/services/exception.py", line 88, in dashboard_exception_handler
    return handler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 34, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/share/ceph/mgr/dashboard/controllers/__init__.py", line 649, in inner
    ret = func(*args, **kwargs)
  File "/usr/share/ceph/mgr/dashboard/controllers/__init__.py", line 842, in wrapper
    return func(*vpath, **params)
TypeError: create() got an unexpected keyword argument 'stay_signed_in'
Actions #3

Updated by Sebastian Wagner over 4 years ago

  • Status changed from New to 12
Actions #4

Updated by Sebastian Wagner over 4 years ago

  • Backport set to nautilus
Actions #5

Updated by Ernesto Puerta over 4 years ago

  • Parent task set to #40907
Actions #6

Updated by Patrick Donnelly over 4 years ago

  • Status changed from 12 to New
Actions #7

Updated by anurag bandhu almost 4 years ago

  • Assignee changed from Ernesto Puerta to anurag bandhu
Actions #8

Updated by anurag bandhu almost 4 years ago

Ernesto Puerta wrote:

Right now, a request like this (without Content-Type: application/json) results in 500 error + traceback:
[...]

There are 2 issues here:
  • Trying to parse an unsupported content type can result in an exploit,
  • The proper response according to HTTP 1.1 should be 415 - Unsupported Media Type (blame on client side) instead of 500 - Internal Server Error.
Actions #9

Updated by anurag bandhu almost 4 years ago

  • Status changed from New to Fix Under Review
  • Pull request ID set to 34831
Actions #10

Updated by Alfonso Martínez over 3 years ago

  • Status changed from Fix Under Review to In Progress
  • Assignee changed from anurag bandhu to avan thakkar
Actions #11

Updated by Avan Thakkar over 3 years ago

  • Status changed from In Progress to Pending Backport
Actions #12

Updated by Avan Thakkar over 3 years ago

  • Copied to Backport #47303: nautilus: mgr/dashboard: REST API returns 500 when no Content-Type is specified added
Actions #13

Updated by Ernesto Puerta over 3 years ago

  • Backport changed from nautilus to nautilus, octopus
Actions #14

Updated by Nathan Cutler over 3 years ago

  • Copied to Backport #47349: octopus: mgr/dashboard: REST API returns 500 when no Content-Type is specified added
Actions #15

Updated by Lenz Grimmer over 3 years ago

  • Status changed from Pending Backport to Resolved
  • Target version set to v16.0.0
Actions #16

Updated by Ernesto Puerta about 3 years ago

  • Project changed from mgr to Dashboard
  • Category changed from 146 to General - Back-end