[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

bugzilla-daemon at bugs.koha-community.org
Wed Dec 1 01:18:32 CET 2021


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

David Cook <dcook at prosentient.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Failed QA

--- Comment #12 from David Cook <dcook at prosentient.com.au> ---
Thanks, Martin. I really appreciate your comments.

Since I authored Bug 26048, it probably does make sense for me to make more of
an effort here...

I found something interesting with the status quo:

http://localhost:8081/files/blah
This returns a 404 page with a 200 status. That's bad!

http://localhost:8081/cgi-bin/koha/circ/blahblah
This returns a 404 page with a 404 status. That's good but a bit confusing!

(NOTE: If you do change 404.pl to return a 404 status instead of a 200 status,
it does cause a regression, so that this page now returns a blank page that
just says "not found".)

If we look at /etc/koha/apache-shared-intranet-plack.conf, only /index.html and
path /cgi-bin/koha are proxied to Starman. So it makes sense that they're the
only ones invoking the middleware. 

But if http://localhost:8081/blahblah is using Apache and not Starman, it
shouldn't be setting the environmental variables that cause 404.pl to return a
200 status instead of a 404 status...

Except that Apache's error documents themselves end up calling Starman! 

ErrorDocument 400 /cgi-bin/koha/errors/400.pl
ErrorDocument 401 /cgi-bin/koha/errors/401.pl
ErrorDocument 403 /cgi-bin/koha/errors/403.pl
ErrorDocument 404 /cgi-bin/koha/errors/404.pl
ErrorDocument 500 /cgi-bin/koha/errors/500.pl

So of course the error pages called by Apache will return a 200 page whereas
the ones using the ErrorDocument middleware return the actual error code. (Let
me know if I'm not being clear enough here.)

--

So that's... challenging.

We need a way of differentiating if these error scripts are being called
directly (e.g. Apache asking Starman for it) or by the ErrorDocument
middleware...

One way of doing that might be to inspect the REQUEST_URI environmental
variable. When coming from ErrorDocument, the REQUEST_URI is "errors/404.pl".
When coming from Apache, it's "/intranet/errors/404.pl". 

It doesn't seem like a super robust method, but it's the best I have at the
moment.

-- 
You are receiving this mail because:
You are watching all bug changes.
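
Added example, not part of the original comment and not Koha code: a check that flags error pages served with a success status, the behaviour reported above for /files/blah. The marker patterns, function names and sample bodies are assumptions constructed for illustration; only the two URLs and their status codes come from the comment.

```python
import re
import urllib.error
import urllib.request

# Assumed markers that identify an error page by its body. Adjust them to the
# templates your instance renders; these strings are not taken from Koha.
ERROR_MARKERS = {
    401: re.compile(r"\b401\b|unauthori[sz]ed", re.I),
    403: re.compile(r"\b403\b|forbidden", re.I),
    404: re.compile(r"\b404\b|not found", re.I),
    500: re.compile(r"\b500\b|internal server error", re.I),
}

def fetch(url, timeout=5):
    """Return (status, body); urllib raises on 4xx/5xx, so unwrap HTTPError."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def classify(status, body):
    """Compare the HTTP status with the error the body claims to be."""
    claimed = next((c for c, rx in ERROR_MARKERS.items() if rx.search(body)), None)
    if claimed is None:
        return "ok" if status < 400 else "error-status-only"
    if status == claimed:
        return "consistent"
    if status < 400:
        return "soft-error"  # error page delivered as a success response
    return "mismatch"        # error page, but under a different error code

def audit(urls, fetcher=fetch):
    """Map each URL to its classification; fetcher is injectable for offline use."""
    return {url: classify(*fetcher(url)) for url in urls}

# Constructed responses mirroring the two cases in the comment (bodies invented).
SAMPLES = {
    "http://localhost:8081/files/blah": (200, "<h1>Error 404</h1>"),
    "http://localhost:8081/cgi-bin/koha/circ/blahblah": (404, "<h1>Error 404</h1>"),
}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLES, fetcher=SAMPLES.get).items():
        print(f"{verdict:12} {url}")
```

Body matching is a heuristic: a normal page that happens to contain "404" or "not found" will be flagged, so review hits before treating them as regressions.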

