[ https://issues.apache.org/jira/browse/SYNCOPE-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrea Patricelli updated SYNCOPE-1428:
---------------------------------------
    Description: 
Calling the read API on Users, Groups or AnyObjects like the following example 
returns 404 in case of object not found even with not authenticated calls.

Request:

 
{code:java}
curl -X GET 
"http://[mysyncopedomain]:[mysyncopeport]/syncope/rest/users/notexistingkey"; -H 
"accept: */*" -H "X-Syncope-Domain: Master"{code}
Response:
{code:java}
{"status":404,"type":"NotFound","elements":["NotFoundException: User, Group or 
Any Object for notexistingkey"]}{code}
 

  was:
Calling the read API on Users, Groups or AnyObjects like the following example 
returns 404 in case of object not found even with not authenticated calls. This 
could be exploited to "guess" usernames or (in general) keys of objects.

Request:

 
{code:java}
curl -X GET 
"http://[mysyncopedomain]:[mysyncopeport]/syncope/rest/users/notexistingkey"; -H 
"accept: */*" -H "X-Syncope-Domain: Master"{code}
Response:
{code:java}
{"status":404,"type":"NotFound","elements":["NotFoundException: User, Group or 
Any Object for notexistingkey"]}{code}
 


> APIs to read by key return 404 instead of 401 for not authenticated calls
> -------------------------------------------------------------------------
>
>                 Key: SYNCOPE-1428
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1428
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.12, 2.1.3
>            Reporter: Andrea Patricelli
>            Assignee: Andrea Patricelli
>            Priority: Major
>             Fix For: 2.0.13, 2.1.4, 3.0.0
>
>
> Calling the read API on Users, Groups or AnyObjects like the following 
> example returns 404 in case of object not found even with not authenticated 
> calls.
> Request:
> {code:bash}
> curl -X GET "http://[mysyncopedomain]:[mysyncopeport]/syncope/rest/users/notexistingkey" -H "accept: */*" -H "X-Syncope-Domain: Master"
> {code}
> Response:
> {code:json}
> {"status":404,"type":"NotFound","elements":["NotFoundException: User, Group or Any Object for notexistingkey"]}
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
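The ordering problem behind this ticket, as an added illustration that is not Syncope code: a toy read-by-key handler written once in the reported order (existence lookup before the credential check, so an anonymous caller gets 404 for a missing key but 401 for an existing one) and once in the corrected order (credential check first, so anonymous callers always get 401). The user store, the credentials, the HTTP Basic scheme and all function names are constructed for this example; `leaks_existence` is the regression check a test suite can keep to make sure the anonymous response never again depends on whether the key exists.

```python
# Added illustration for SYNCOPE-1428, not Syncope code: a toy read-by-key
# handler in the reported ordering (lookup before auth) and the corrected
# ordering (auth before lookup), plus a regression check that the anonymous
# response no longer depends on whether the key exists.
import base64
from dataclasses import dataclass, field

# Constructed sample data; neither the user nor the credentials are real.
USERS = {"sampleuser": {"key": "sampleuser", "status": "active"}}
CREDENTIALS = {"admin": "s3cret"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


def basic_auth(user: str, password: str) -> dict:
    """Build the Authorization header an authenticated client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def authenticated(req: Request) -> bool:
    """Accept only a valid HTTP Basic credential from the constructed store."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return CREDENTIALS.get(user) == password


def key_from(req: Request) -> str:
    """Last path segment is the object key, as in /syncope/rest/users/{key}."""
    return req.path.rstrip("/").rsplit("/", 1)[-1]


def not_found(key: str) -> Response:
    # Same body shape as the response quoted in the issue.
    return Response(404, {"status": 404, "type": "NotFound",
                          "elements": [f"NotFoundException: User, Group or Any Object for {key}"]})


def unauthorized() -> Response:
    return Response(401, {"status": 401, "type": "Unauthorized", "elements": []})


def read_user_reported(req: Request) -> Response:
    """Ordering that reproduces the reported behaviour: the existence check
    runs before the credential check, so an anonymous caller receives 404 for
    a missing key and 401 for an existing one, and can tell the two apart."""
    key = key_from(req)
    if key not in USERS:
        return not_found(key)
    if not authenticated(req):
        return unauthorized()
    return Response(200, USERS[key])


def read_user_fixed(req: Request) -> Response:
    """Corrected ordering: reject anonymous callers before touching the store,
    so 404 is only ever returned to an authenticated caller."""
    if not authenticated(req):
        return unauthorized()
    key = key_from(req)
    if key not in USERS:
        return not_found(key)
    return Response(200, USERS[key])


def anonymous_statuses(handler) -> tuple:
    """Status codes an unauthenticated caller sees for an existing and a
    missing key. A handler is leak-free when the two are equal."""
    existing = handler(Request("/syncope/rest/users/sampleuser"))
    missing = handler(Request("/syncope/rest/users/notexistingkey"))
    return existing.status, missing.status


def leaks_existence(handler) -> bool:
    """Regression check: True when anonymous responses differ by key existence."""
    existing, missing = anonymous_statuses(handler)
    return existing != missing


if __name__ == "__main__":
    for name, handler in (("reported", read_user_reported), ("fixed", read_user_fixed)):
        verdict = "leaks existence" if leaks_existence(handler) else "ok"
        print(f"{name}: anonymous statuses {anonymous_statuses(handler)} -> {verdict}")
```

The same check transfers to a real deployment by replacing the in-process handler with an HTTP client call against the `/users/{key}`, `/groups/{key}` and `/anyObjects/{key}` endpoints with no credentials: the expected pair after the fix is `(401, 401)` for every resource type.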
