Internal Error 500 Generated for Unauthorized Requests

Status: VERIFIED FIXED
Product: developer.mozilla.org
Component: Demo Studio / Dev Derby
Priority: --
Severity: major
Reported: 7 years ago
Modified: 6 years ago

Reporter: mcoates
Assignee: Unassigned
Whiteboard: [infrasec:error][ws:low]

Issue

A 500 internal error is generated when a user requests a URL that they are not authorized to access.

Steps to reproduce:
1. As an anonymous user, browse to the following URL:
https://developer-stage9.mozilla.org/en-US/demos/detail/test-demo/comment/23/delete/
2. Compare this with the following URL, which is handled properly:
https://developer-stage9.mozilla.org/en-US/demos/detail/test-demo/comment/23/foo/
3. The original /delete URL is a valid URL and would work if the user were authorized to modify that comment.

Recommended Remediation
Identify the error handling and update it to gracefully handle an unauthorized request to a valid URL.
This should fix the internal server error:
https://github.com/fwenzel/mdn/commit/6e12fe8f247386f9f2bb727795b96d5edc0f771e

There's a remaining problem that there's no templated 403 page for the site, so it just ends up with a generic "Access denied" message. I'll file a separate bug for that. (bug 635129)
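To illustrate the handling the report asks for, here is a small added Python example; it is not code from this bug, from the linked commit or from the MDN code base. The Comment record, the users, the route table and the tiny request pipeline are all constructed stand-ins, and the cause of the 500 in the "before" handler is hypothetical, chosen only to reproduce the symptom described above: an authorization failure on a valid URL escaping as an exception the server does not recognise. The "after" handler decides authorization first and signals it with a dedicated exception that the pipeline maps to 403, while an unknown action (the /foo/ URL in the report) or an unknown comment id maps to 404, and anything else still becomes a generic 500 with no internal detail in the body.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


class PermissionDenied(Exception):
    """Raised by a handler when the caller may not perform the action."""


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


ANONYMOUS = User(username="", is_authenticated=False)


@dataclass
class Comment:
    id: int
    author: Optional[User]  # None models a comment whose author account is gone


def sample_store() -> Dict[int, Comment]:
    """Constructed sample data (not real MDN data): comment 23 owned by 'alice'."""
    return {23: Comment(id=23, author=User("alice"))}


Store = Dict[int, Comment]
Handler = Callable[[Store, User, int], None]


def delete_comment_unguarded(store: Store, user: User, comment_id: int) -> None:
    """'Before' shape (hypothetical cause, chosen to reproduce the symptom in the
    report): the ownership test exists, but a failed check surfaces as a generic
    exception the pipeline does not recognise, so the client sees a 500."""
    comment = store[comment_id]
    if comment.author is None or comment.author.username != user.username:
        raise RuntimeError(f"user {user.username!r} is not the author of comment {comment_id}")
    del store[comment_id]


def delete_comment_guarded(store: Store, user: User, comment_id: int) -> None:
    """'After' shape: authorization is decided first and expressed as
    PermissionDenied, which the pipeline maps to 403."""
    comment = store[comment_id]  # KeyError -> 404, handled by the pipeline
    if (not user.is_authenticated
            or comment.author is None
            or comment.author.username != user.username):
        raise PermissionDenied("only the comment's author may delete it")
    del store[comment_id]


def handle_request(routes: Dict[str, Handler], store: Store,
                   user: User, comment_id: int, action: str) -> Tuple[int, str]:
    """Minimal request pipeline: an unknown action or comment is 404, a denied
    action is 403, and any other exception becomes a generic 500 so that
    tracebacks and internal state never reach the client."""
    handler = routes.get(action)
    if handler is None:
        return 404, "Not Found"
    try:
        handler(store, user, comment_id)
    except KeyError:
        return 404, "Not Found"
    except PermissionDenied:
        return 403, "Forbidden"
    except Exception:
        # A real server logs the traceback here; the response body stays generic.
        return 500, "Internal Server Error"
    return 200, "Deleted"


def status_matrix() -> Dict[str, int]:
    """Replays the report's two URLs against both handler shapes, plus a
    different authenticated user and the legitimate owner, and returns the
    status code of each case."""
    before = {"delete": delete_comment_unguarded}
    after = {"delete": delete_comment_guarded}
    return {
        "anon /delete/ before fix": handle_request(before, sample_store(), ANONYMOUS, 23, "delete")[0],
        "anon /delete/ after fix": handle_request(after, sample_store(), ANONYMOUS, 23, "delete")[0],
        "anon /foo/": handle_request(after, sample_store(), ANONYMOUS, 23, "foo")[0],
        "other user /delete/": handle_request(after, sample_store(), User("bob"), 23, "delete")[0],
        "owner /delete/": handle_request(after, sample_store(), User("alice"), 23, "delete")[0],
        "owner /delete/ missing id": handle_request(after, sample_store(), User("alice"), 99, "delete")[0],
    }


if __name__ == "__main__":
    for case, code in status_matrix().items():
        print(f"{code}  {case}")
```

The point of routing every authorization decision through one exception type is that the pipeline, not each view, owns the 403 response; a view that merely lets an attribute error or a home-grown exception escape will always be reported as a server fault, which both misleads operators reading error dashboards and tells the requester nothing useful.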
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: websites-security
Updated 6 years ago (Assignee):
Component: Demos → Demo Studio / Dev Derby
Product: Mozilla Developer Network → Mozilla Developer Network