Actions
Bug #41060
closedFeature #40907: mgr/dashboard: REST API improvements
mgr/dashboard: REST API returns 500 when no Content-Type is specified
Status:
Resolved
Priority:
Normal
Assignee:
Category:
General - Back-end
Target version:
% Done:
0%
Source:
Tags:
Backport:
nautilus, octopus
Regression:
No
Severity:
2 - major
Reviewed:
Description
Right now, a request like this (without Content-Type: application/json
) results in 500 error + traceback:
# curl -s -k -X POST "https://172.20.0.2:11000/api/auth" -d "{\"username\":\"xxx\",\"password\":\"xxxx\"}"
{
"status":
"500 Internal Server Error",
"version":
"3.2.2",
"detail":
"The server encountered an unexpected condition which prevented it from fulfilling the request.",
"traceback":
"Traceback (most recent call last):\n File \"/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py\", line 656, in respond\n
response.body = self.handler()\n File \"/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py\", line 188, in __call__\n
self.body = self.oldhandler(*args, **kwargs)\n File \"/usr/lib/python2.7/site-packages/cherrypy/_cptools.py\", line 221, in wrap\n
return self.newhandler(innerfunc, *args, **kwargs)\n File \"/ceph/src/pybind/mgr/dashboard/services/exception.py\", line 88, in dashboard_exception_handler\n
return handler(*args, **kwargs)\n File \"/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py\", line 34, in __call__\n
return self.callable(*self.args, **self.kwargs)\n File \"/ceph/src/pybind/mgr/dashboard/controllers/__init__.py\", line 649, in inner\n
ret = func(*args, **kwargs)\n File \"/ceph/src/pybind/mgr/dashboard/controllers/__init__.py\", line 842, in wrapper\n
return func(*vpath, **params)\nTypeError: create() got an unexpected keyword argument '{\"username\":\"xxxx\",\"password\":\"xxxx\"}'\n"
}
There are 2 issues here:
- Trying to parse an unsupperted content type can result in an exploit,
- The proper response according to HTTP 1.1 should be
416 - Unsupported Media Type
(blame on client side) instead of500 - Internal Server Error
.
Updated by Sebastian Wagner over 4 years ago
https://github.com/rook/rook/issues/3873
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 656, in respond
response.body = self.handler()
File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 188, in call
self.body = self.oldhandler(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/cherrypy/_cptools.py", line 221, in wrap
return self.newhandler(innerfunc, *args, **kwargs)
File "/usr/share/ceph/mgr/dashboard/services/exception.py", line 88, in dashboard_exception_handler
return handler(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 34, in call
return self.callable(*self.args, **self.kwargs)
File "/usr/share/ceph/mgr/dashboard/controllers/init.py", line 649, in inner
ret = func(*args, **kwargs)
File "/usr/share/ceph/mgr/dashboard/controllers/init.py", line 842, in wrapper
return func(*vpath, **params)
TypeError: create() got an unexpected keyword argument 'stay_signed_in'
Updated by anurag bandhu almost 4 years ago
- Assignee changed from Ernesto Puerta to anurag bandhu
Updated by anurag bandhu almost 4 years ago
Ernesto Puerta wrote:
Right now, a request like this (without
There are 2 issues here:Content-Type: application/json
) results in 500 error + traceback:
[...]
- Trying to parse an unsupperted content type can result in an exploit,
- The proper response according to HTTP 1.1 should be
415 - Unsupported Media Type
(blame on client side) instead of500 - Internal Server Error
.
Updated by anurag bandhu almost 4 years ago
- Status changed from New to Fix Under Review
- Pull request ID set to 34831
Updated by Alfonso MartÃnez over 3 years ago
- Status changed from Fix Under Review to In Progress
- Assignee changed from anurag bandhu to avan thakkar
Updated by Avan Thakkar over 3 years ago
- Status changed from In Progress to Pending Backport
Updated by Avan Thakkar over 3 years ago
- Copied to Backport #47303: nautilus: mgr/dashboard: REST API returns 500 when no Content-Type is specified added
Updated by Ernesto Puerta over 3 years ago
- Backport changed from nautilus to nautilus, octopus
Updated by Nathan Cutler over 3 years ago
- Copied to Backport #47349: octopus: mgr/dashboard: REST API returns 500 when no Content-Type is specified added
Updated by Lenz Grimmer over 3 years ago
- Status changed from Pending Backport to Resolved
- Target version set to v16.0.0
Updated by Ernesto Puerta about 3 years ago
- Project changed from mgr to Dashboard
- Category changed from 146 to General - Back-end
Actions