Closed
Bug 533794
Opened 16 years ago
Closed 16 years ago
Suspicious action when trying to update bug via PUT
Categories
(Webtools Graveyard :: BzAPI, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: adrianocola, Assigned: gerv)
Details
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.30 Safari/532.5
Build Identifier: Bzapi 0.3; bugzilla 3.4.4 (with applied patches from the bzapi wiki)
Tried to make an update to a bug using the Firefox addon RESTClient using the following parameters:
Method: PUT
URL: http://192.168.94.129:8080/bug/25?username=admin@admin.com&password=admin
Request Headers:
Content_Type text/xml
Accept text/xml
Request Body:
<bugs summary="new name"></bugs>
But received the error "Suspicious action".
Reproducible: Always
Actual Results:
Response from API:
<opt>
<data code="32000" error="1" html_page="<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Suspicious Action</title>
<link rel="Top" href="http://192.168.93.129/bugzilla/">
<link rel="Saved&nbsp;Searches" title="My Bugs"
href="buglist.cgi?bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;emailassigned_to1=1&amp;emailreporter1=1&amp;emailtype1=exact&amp;email1=admin%40admin.com&amp;field0-0-0=bug_status&amp;type0-0-0=notequals&amp;value0-0-0=UNCONFIRMED&amp;field0-0-1=reporter&amp;type0-0-1=equals&amp;value0-0-1=admin%40admin.com">
<link rel="Administration" title="Parameters"
href="editparams.cgi"><link rel="Administration" title="Users"
href="editusers.cgi"><link rel="Administration" title="Products" href="editproducts.cgi"><link rel="Administration" title="Flag Types"
href="editflagtypes.cgi"><link rel="Administration" title="Groups"
href="editgroups.cgi"><link rel="Administration" title="Keywords"
href="editkeywords.cgi"><link rel="Administration" title="Whining"
href="editwhines.cgi"><link rel="Administration" title="Sanity Check"
href="sanitycheck.cgi">
<link href="skins/standard/global.css"
rel="stylesheet"
type="text/css">
<link href="skins/standard/global.css"
rel="stylesheet"
type="text/css">
<!--[if lte IE 7]>
<link href="skins/standard/IE-fixes.css"
rel="stylesheet"
type="text/css">
<![endif]-->
<link href="skins/standard/global.css"
rel="alternate stylesheet"
title="Classic"
type="text/css">
<link href="skins/standard/global.css"
rel="alternate stylesheet"
title="Classic"
type="text/css">
<!--[if lte IE 7]>
<link href="skins/standard/IE-fixes.css"
rel="alternate stylesheet"
title="Classic"
type="text/css">
<![endif]-->
<link href="skins/contrib/Dusk/global.css"
rel="stylesheet"
title="Dusk"
type="text/css">
<link href="skins/contrib/Dusk/global.css"
rel="stylesheet"
title="Dusk"
type="text/css">
<!--[if lte IE 7]>
<link href="skins/contrib/Dusk/IE-fixes.css"
rel="stylesheet"
title="Dusk"
type="text/css">
<![endif]-->
<link href="skins/custom/global.css" rel="stylesheet" type="text/css">
<link href="skins/custom/global.css" rel="stylesheet" type="text/css">
<!--[if lte IE 7]>
<link href="skins/custom/IE-fixes.css"
rel="stylesheet"
type="text/css">
<![endif]-->
<script src="js/yui/yahoo-dom-event.js" type="text/javascript"></script>
<script src="js/global.js" type="text/javascript"></script>
<script type="text/javascript">
<!--
YAHOO.namespace('bugzilla');
if (YAHOO.env.ua.gecko) {
YAHOO.util.Event._simpleRemove(window, "unload",
YAHOO.util.Event._unload);
}
var BUGZILLA = {
param: {
cookiepath: '\/'
}
};
// -->
</script>
<link rel="search" type="application/opensearchdescription+xml"
title="Bugzilla" href="./search_plugin.cgi">
<link rel="shortcut icon" href="images/favicon.ico" >
</head>
<body onload=""
class="192-168-93-129-bugzilla">
<div id="header">
<div id="banner">
</div>
<table border="0" cellspacing="0" cellpadding="0" id="titles">
<tr>
<td id="title">
<p>Bugzilla &ndash; Suspicious Action</p>
</td>
</tr>
</table>
<ul class="links">
<li><a href="./">Home</a></li>
<li><span class="separator">| </span><a href="enter_bug.cgi">New</a></li>
<li><span class="separator">| </span><a href="query.cgi">Search</a></li>
<li class="form">
<span class="separator">| </span>
<form action="buglist.cgi" method="get"
onsubmit="if (this.quicksearch.value == '')
{ alert('Please enter one or more search terms first.');
return false; } return true;">
<input class="txt" type="text" id="quicksearch_top" name="quicksearch">
<input class="btn" type="submit" value="Find" id="find_top"></form></li>
<li><span class="separator">| </span><a href="report.cgi">Reports</a></li>
<li></li>
<li><span class="separator">| </span><a href="userprefs.cgi">Preferences</a></li>
<li><span class="separator">| </span><a href="admin.cgi">Administration</a></li>
<li>
<span class="separator">| </span>
<a href="index.cgi?logout=1">Log&nbsp;out</a>
admin&#64;admin.com</li>
</ul>
</div>
<div id="bugzilla-body">
<div class="throw_error">
It looks like you didn't come from the right page.
One reason could be that you entered the URL in the address bar of your
web browser directly, which should be safe. Another reason could be that
you clicked on a URL which redirected you here <b>without your consent</b>.
<p>
Are you sure you want to commit these changes?
</p>
</div>
<form name="check" id="check" method="post" action="process_bug.cgi"><input type="hidden" name="confirm_product_change"
value="1">
<input type="hidden" name="POSTDATA"
value="">
<input type="hidden" name="longdesclength"
value="10000">
<input type="hidden" name="id"
value="25">
<input type="hidden" name="short_desc"
value="new name">
<input type="hidden" name="token" value="1260384131-051ff262127017179f44047758204a05">
<input type="submit" id="confirm" value="Yes, Confirm Changes">
</form>
<p><a href="index.cgi">No, throw away these changes</a> (you will be redirected
to the home page).</p>
</div>
<div id="footer">
<div class="intro"></div>
<ul id="useful-links">
<li id="links-actions"><ul class="links">
<li><a href="./">Home</a></li>
<li><span class="separator">| </span><a href="enter_bug.cgi">New</a></li>
<li><span class="separator">| </span><a href="query.cgi">Search</a></li>
<li class="form">
<span class="separator">| </span>
<form action="buglist.cgi" method="get"
onsubmit="if (this.quicksearch.value == '')
{ alert('Please enter one or more search terms first.');
return false; } return true;">
<input class="txt" type="text" id="quicksearch_bottom" name="quicksearch">
<input class="btn" type="submit" value="Find" id="find_bottom"></form></li>
<li><span class="separator">| </span><a href="report.cgi">Reports</a></li>
<li></li>
<li><span class="separator">| </span><a href="userprefs.cgi">Preferences</a></li>
<li><span class="separator">| </span><a href="admin.cgi">Administration</a></li>
<li>
<span class="separator">| </span>
<a href="index.cgi?logout=1">Log&nbsp;out</a>
admin&#64;admin.com</li>
</ul>
</li>
<li id="links-saved">
<ul class="links">
<li><a href="buglist.cgi?bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;emailassigned_to1=1&amp;emailreporter1=1&amp;emailtype1=exact&amp;email1=admin%40admin.com&amp;field0-0-0=bug_status&amp;type0-0-0=notequals&amp;value0-0-0=UNCONFIRMED&amp;field0-0-1=reporter&amp;type0-0-1=equals&amp;value0-0-1=admin%40admin.com">My Bugs</a></li>
</ul>
</li>
</ul>
<div class="outro"></div>
</div>
</body>
</html>" message="Unknown Bugzilla error. Title: 'Suspicious Action'" />
</opt>
Expected Results:
Bug updated on bugzilla
OS Version: Ubuntu 9.10
Output from bugzilla's checksetup.pl:
* This is Bugzilla 3.4.4 on perl 5.10.0
* Running on Linux 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009
Checking perl modules...
Checking for CGI.pm (v3.33) ok: found v3.48
Checking for Digest-SHA (any) ok: found v5.45
Checking for TimeDate (v2.21) ok: found v2.22
Checking for DateTime (v0.28) ok: found v0.51
Checking for DateTime-TimeZone (v0.71) ok: found v1.05
Checking for DBI (v1.41) ok: found v1.609
Checking for Template-Toolkit (v2.22) ok: found v2.22
Checking for Email-Send (v2.00) ok: found v2.198
Checking for Email-MIME (v1.861) ok: found v1.902
Checking for Email-MIME-Encodings (v1.313) ok: found v1.313
Checking for Email-MIME-Modifier (v1.442) ok: found v1.902
Checking for URI (any) ok: found v1.37
Checking available perl DBD modules...
Checking for DBD-Pg (v1.45) not found
Checking for DBD-mysql (v4.00) ok: found v4.011
Checking for DBD-Oracle (v1.19) not found
The following Perl modules are optional:
Checking for GD (v1.20) ok: found v2.39
Checking for Chart (v1.0) not found
Checking for Template-GD (any) not found
Checking for GDTextUtil (any) not found
Checking for GDGraph (any) not found
Checking for XML-Twig (any) ok: found v3.32
Checking for MIME-tools (v5.406) not found
Checking for libwww-perl (any) ok: found v5.829
Checking for PatchReader (v0.9.4) not found
Checking for PerlMagick (any) not found
Checking for perl-ldap (any) not found
Checking for Authen-SASL (any) not found
Checking for RadiusPerl (any) not found
Checking for SOAP-Lite (v0.710.06) ok: found v0.710.10
Checking for HTML-Parser (v3.40) ok: found v3.61
Checking for HTML-Scrubber (any) ok: found v0.08
Checking for Email-MIME-Attachment-Stripper (any) not found
Checking for Email-Reply (any) not found
Checking for TheSchwartz (any) not found
Checking for Daemon-Generic (any) not found
Checking for mod_perl (v1.999022) not found
***********************************************************************
* OPTIONAL MODULES *
***********************************************************************
* Certain Perl modules are not required by Bugzilla, but by *
* installing the latest version you gain access to additional *
* features. *
* *
* The optional modules you do not have installed are listed below, *
* with the name of the feature they enable. Below that table are the *
* commands to install each module. *
***********************************************************************
* MODULE NAME * ENABLES FEATURE(S) *
***********************************************************************
* Chart * New Charts, Old Charts *
* Template-GD * Graphical Reports *
* GDTextUtil * Graphical Reports *
* GDGraph * Graphical Reports *
* MIME-tools * Move Bugs Between Installations *
* PatchReader * Patch Viewer *
* PerlMagick * Optionally Convert BMP Attachments to PNGs *
* perl-ldap * LDAP Authentication *
* Authen-SASL * SMTP Authentication *
* RadiusPerl * RADIUS Authentication *
* Email-MIME-Attachment-Stripper * Inbound Email *
* Email-Reply * Inbound Email *
* TheSchwartz * Mail Queueing *
* Daemon-Generic * Mail Queueing *
* mod_perl * mod_perl *
***********************************************************************
COMMANDS TO INSTALL OPTIONAL MODULES:
Chart: /usr/bin/perl install-module.pl Chart::Base
Template-GD: /usr/bin/perl install-module.pl Template::Plugin::GD::Image
GDTextUtil: /usr/bin/perl install-module.pl GD::Text
GDGraph: /usr/bin/perl install-module.pl GD::Graph
MIME-tools: /usr/bin/perl install-module.pl MIME::Parser
PatchReader: /usr/bin/perl install-module.pl PatchReader
PerlMagick: /usr/bin/perl install-module.pl Image::Magick
perl-ldap: /usr/bin/perl install-module.pl Net::LDAP
Authen-SASL: /usr/bin/perl install-module.pl Authen::SASL
RadiusPerl: /usr/bin/perl install-module.pl Authen::Radius
Email-MIME-Attachment-Stripper: /usr/bin/perl install-module.pl Email::MIME::Attachment::Stripper
Email-Reply: /usr/bin/perl install-module.pl Email::Reply
TheSchwartz: /usr/bin/perl install-module.pl TheSchwartz
Daemon-Generic: /usr/bin/perl install-module.pl Daemon::Generic
mod_perl: /usr/bin/perl install-module.pl mod_perl2
To attempt an automatic install of every required and optional module
with one command, do:
/usr/bin/perl install-module.pl --all
Reading ./localconfig...
OPTIONAL NOTE: If you want to be able to use the 'difference between two
patches' feature of Bugzilla (which requires the PatchReader Perl module
as well), you should install patchutils from:
http://cyberelk.net/tim/patchutils/
Checking for DBD-mysql (v4.00) ok: found v4.011
Checking for MySQL (v4.1.2) ok: found v5.1.37-1ubuntu5
Removing existing compiled templates...
Precompiling templates...done.
Fixing file permissions...
Assignee
Comment 1•16 years ago
Sorry, this is not well documented. You need to submit a token for bug updates to work. You can get a token by requesting the bug using GET, and looking at the "token" member of the returned object.
This is to prevent cross-site request forgery.
Gerv
Reporter
Comment 2•16 years ago
Now worked!
I was doing my GETs without doing login, so I wasn't receiving the token!
Thank you!
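A simplified model of the token check described in comments 1 and 2, added here as an illustration; it is not BzAPI or Bugzilla code. The secret, token lifetime, token construction and all function names are assumptions; only the "timestamp-hash" shape of the token and the "Suspicious Action" message come from the response above.

```python
import hashlib
import hmac
import time

SITE_SECRET = b"constructed-demo-secret"  # assumption: per-installation secret
MAX_AGE = 3 * 24 * 3600                   # assumption: token lifetime, seconds


def issue_token(user_id, bug_id, now=None):
    """Return "<timestamp>-<mac>" bound to user and bug; None if anonymous."""
    if user_id is None:  # no login, so there is no identity to bind to
        return None
    ts = int(time.time() if now is None else now)
    msg = f"{user_id}*{bug_id}*{ts}".encode()
    return f"{ts}-{hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()}"


def check_token(token, user_id, bug_id, now=None):
    """True only for a fresh token issued to this user for this bug."""
    if not token or user_id is None:
        return False
    ts, sep, _mac = token.partition("-")
    try:
        issued = int(ts)
    except ValueError:
        return False
    age = (time.time() if now is None else now) - issued
    if not sep or not 0 <= age <= MAX_AGE:
        return False
    expected = issue_token(user_id, bug_id, now=issued)
    return hmac.compare_digest(expected.encode(), token.encode())


def get_bug(session_user, bug_id):
    """GET: the token member is present only for a logged-in caller."""
    bug = {"id": bug_id, "summary": "old name"}  # constructed sample record
    token = issue_token(session_user, bug_id)
    if token:
        bug["token"] = token
    return bug


def put_bug(session_user, bug_id, changes, token=None):
    """PUT: refuse the change unless the token from a prior GET checks out."""
    if not check_token(token, session_user, bug_id):
        return {"error": 1, "message": "Suspicious Action"}
    return {"error": 0, "id": bug_id, **changes}
```

Because the token is tied to the logged-in user and the bug, a page on another site that makes the user's browser submit an update cannot supply a valid one, and a token copied from one bug or user does not validate for another.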
Assignee
Comment 3•16 years ago
Adriano: super. :-)
Have you installed your own installation of the Bugzilla API to point at your Bugzilla? If so, any feedback you have on the installation instructions would be very useful.
Gerv
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Reporter
Comment 4•16 years ago
Installed the bzapi in a Windows and an Ubuntu environment. Both also with the Bugzilla server.
Ubuntu Installation:
To start the installation I followed the steps in the INSTALL example. Then tried to run bugzilla_api_server.pl and installed the packages it requested. To get it working, installed the following packages:
BZ::Client
Array::Diff
Slurp
Moose
Test::More
Catalyst::Controller::REST
Catalyst::Plugin::Log::Handler
Catalyst
Data::Walk
I had to install the optional package SOAP::LITE described in the bugzilla installation to use the Bzapi, that wasn't very well documented. (I'm not a bugzilla expert =P )
Then applied the 2 patches described in the documentation.
In the next comment I will describe the windows installation.
Resolution: INVALID → FIXED
Updated•16 years ago
Resolution: FIXED → INVALID
Assignee
Comment 5•16 years ago
Adriano: thanks, that's very helpful :-) I'm looking forward to the Windows information.
Gerv
Reporter
Comment 6•16 years ago
To install on Windows I followed the same steps I did in the Ubuntu installation. Executed the server and installed the requested perl packages.
But I got a little issue with the log. Got the following messages when starting the server:
Can't locate Log/Handler/Output/Minlevel.pm in @INC (@INC contains: C:/bzapi/script/../lib C:/Perl/site/lib C:/Perl/lib .) at (eval 436) line 3.
at C:/Perl/site/lib/Catalyst/Plugin/Log/Handler.pm line 83
Compilation failed in require at bugzilla_api_server.pl line 55.
Tried to install the package "Log:Handler:Output::Minlevel" but didn't find one. And the installation of Log::Handler::Output says "No missing packages to install". So I commented the following lines in the file Catalyst\Plugin\Log\Handler.pm:
$self->handler(Log::Handler->new(
#minlevel => 0,
#maxlevel => 7,
#%$config,
));
And now it works, but doesn't log!
Thank you!
Assignee
Comment 7•16 years ago
Adriano: this URL:
http://cpantesters.org/distro/C/Catalyst-Plugin-Log-Handler.html
suggests to me that recent versions of that module are broken. Have you tried using an earlier one?
Of course, if you don't need logging, it's not so important. But it would be helpful to me to know if downgrading the module fixes the problem.
Gerv
Updated•7 years ago
Product: Webtools → Webtools Graveyard