Bug 634977: Internal Error 500 Generated for Unauthorized Requests
Status: VERIFIED FIXED
Opened 13 years ago, closed 13 years ago
Product :: Component: developer.mozilla.org Graveyard :: Demo Studio / Dev Derby (defect)
Tracking: Not tracked
Reporter: mcoates
Assignee: Unassigned
Whiteboard: [infrasec:error][ws:low]

Description
Issue

A 500 internal error is generated when a user requests a url that they are not authorized to access.

Steps to reproduce:

1. As an anonymous user browse to the following URL: https://developer-stage9.mozilla.org/en-US/demos/detail/test-demo/comment/23/delete/
2. Compare this vs the following URL that is properly handled: https://developer-stage9.mozilla.org/en-US/demos/detail/test-demo/comment/23/foo/
3. The original /delete url is a valid url and would work if the user is authorized to modify that comment.

Recommended Remediation

Identify the error handling and update it to gracefully handle an unauthorized request to a valid URL.
Comment 1•13 years ago
This should fix the internal server error: https://github.com/fwenzel/mdn/commit/6e12fe8f247386f9f2bb727795b96d5edc0f771e

There's a remaining problem that there's no templated 403 page for the site, so it just ends up with a generic "Access denied" message. I'll file a separate bug for that. (bug 635129)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
Status: RESOLVED → VERIFIED
Updated•12 years ago
Group: websites-security
Updated•12 years ago
Component: Demos → Demo Studio / Dev Derby
Updated•4 years ago
Product: developer.mozilla.org → developer.mozilla.org Graveyard
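
The behaviour this bug asks for, as an added example that is not the code from the linked commit or from the site: an unauthorized request to a valid URL is answered with 403, an unknown URL with 404, and 500 is left for genuine server faults. It uses a bare standard-library WSGI app; `PermissionDenied`, `delete_comment`, `ROUTES`, `request` and the comment data are all hypothetical names constructed for the illustration.

```python
import re

class PermissionDenied(Exception):
    """Raised by a view when the caller may not perform the action."""

# Constructed sample data: comment id -> owning user.
COMMENTS = {23: "alice"}

def delete_comment(user, comment_id):
    if comment_id not in COMMENTS:
        return "404 Not Found", "No such comment"
    if user != COMMENTS[comment_id]:
        # Anonymous (user is None) or non-owner: refuse explicitly instead of
        # letting a later attribute access on a missing user blow up.
        raise PermissionDenied("not allowed to delete this comment")
    del COMMENTS[comment_id]
    return "200 OK", "Deleted"

ROUTES = [
    (re.compile(r"^/[\w-]+/demos/detail/[\w-]+/comment/(\d+)/delete/$"), delete_comment),
]

def app(environ, start_response):
    user = environ.get("REMOTE_USER")  # None for an anonymous request
    status, body = "404 Not Found", "Not found"
    for pattern, view in ROUTES:
        match = pattern.match(environ.get("PATH_INFO", ""))
        if match:
            try:
                status, body = view(user, int(match.group(1)))
            except PermissionDenied:
                # Expected outcome of an authorization check, not a server fault.
                status, body = "403 Forbidden", "Access denied"
            except Exception:
                # Real bug: report 500 without leaking internals to the client.
                status, body = "500 Internal Server Error", "Server error"
            break
    start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode("utf-8")]

def request(path, user=None):
    """Call the app in-process; return (status line, body text)."""
    seen = {}
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "POST"}
    if user:
        environ["REMOTE_USER"] = user
    chunks = app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(chunks).decode("utf-8")
```

The `request` helper doubles as a regression check: the two URLs from the steps to reproduce should come back as 403 and 404 for an anonymous caller, never 500.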