[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

--- Comment #15 from David Cook  ---
The ErrorDocument middleware does set up environmental variables prefixed with
"psgix.errordocument" but CGI::Emulate::PSGI strips those out...
https://metacpan.org/dist/CGI-Emulate-PSGI/source/lib/CGI/Emulate/PSGI.pm#L53

So that's annoying.

It's too bad we don't have a Plack-enabled controller for handling these so we
didn't have to emulate the PSGI for CGI scripts, but that's easier said than
done. (I don't have the time/energy for refactoring C4/Templates.pm and
C4/Auth.pm to make things like Bug 26791 or Bug 28325 possible ;).)

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
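
Added example (not Koha code, and not written by anyone in this thread): a native PSGI error handler that uses the "psgix.errordocument.*" keys mentioned in comment #15 to tell a Plack::Middleware::ErrorDocument subrequest from a direct request, which is the distinction comment #12 further down is looking for. The paths /errors/404 and /cgi-bin/koha/missing, the page bodies and the three handler policies are assumptions for illustration; a CGI script run through CGI::Emulate::PSGI would not see these keys, as comment #15 notes.

```perl
#!/usr/bin/perl
# Added example: not Koha code. Paths, bodies and policies are hypothetical.
use strict;
use warnings;
use Plack::Builder;
use Plack::Test;
use HTTP::Request::Common qw(GET);

# Build an app whose 404 handler picks its status with $status_for->($via),
# where $via is true when the handler runs as an ErrorDocument subrequest.
sub make_app {
    my ($status_for) = @_;
    my $inner = sub {
        my $env = shift;
        if ( $env->{PATH_INFO} eq '/errors/404' ) {
            # The middleware copies every non-psgi key of the original
            # request to "psgix.errordocument.<KEY>" before the subrequest.
            my $via = exists $env->{'psgix.errordocument.PATH_INFO'} ? 1 : 0;
            return [ $status_for->($via),
                     [ 'Content-Type' => 'text/html' ],
                     ['<h1>Custom 404 page</h1>'] ];
        }
        # Anything else does not exist in this toy app.
        return [ 404, [ 'Content-Type' => 'text/plain' ], ['not found'] ];
    };
    return builder {
        enable 'ErrorDocument', 404 => '/errors/404', subrequest => 1;
        $inner;
    };
}

my %policies = (
    # Handler always answers 200: fine as a subrequest, but a direct hit
    # on the error URL goes out as an error page with a 200 status.
    'always 200' => sub { 200 },
    # Handler always answers 404: the middleware only uses a subrequest
    # body when the subrequest returns 200, so the custom page is lost.
    'always 404' => sub { 404 },
    # Handler answers 200 only to the middleware, real status otherwise.
    'subrequest-aware' => sub { $_[0] ? 200 : 404 },
);

for my $name ( sort keys %policies ) {
    test_psgi make_app( $policies{$name} ), sub {
        my $cb = shift;
        # First path: a missing page, handled via the middleware.
        # Second path: the error URL requested directly, as a front-end
        # proxy's own ErrorDocument directive would do.
        for my $path ( '/cgi-bin/koha/missing', '/errors/404' ) {
            my $res = $cb->( GET $path );
            printf "%-17s %-22s -> %d %s\n",
                $name, $path, $res->code, $res->content;
        }
    };
}
```

Comparing the status and body printed for each policy and path shows which combination leaks a 200 for an error page and which one loses the custom page.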


[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

--- Comment #14 from David Cook  ---
An easier to maintain option would be to not proxy "/cgi-bin/koha/errors/*"
files to Starman, but... that would probably be short-sighted, since there are
times where we redirect manually to 404.pl as well. For instance:

members/apikeys.pl:print $cgi->redirect("/cgi-bin/koha/errors/404.pl"); #
escape early

So that's not that long-term of a solution...



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

--- Comment #13 from David Cook  ---
Side note: In /etc/koha/sites/kohadev/plack.psgi I should've put
'/errors/404.pl' instead of 'errors/404.pl' but it seems to work anyway.



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

David Cook  changed:

   What|Removed |Added

 Status|Signed Off  |Failed QA

--- Comment #12 from David Cook  ---
Thanks, Martin. I really appreciate your comments.

Since I authored Bug 26048, it probably does make sense for me to make more of
an effort here...

I found something interesting with the status quo:

http://localhost:8081/files/blah
This returns a 404 page with a 200 status. That's bad!

http://localhost:8081/cgi-bin/koha/circ/blahblah
This returns a 404 page with a 404 status. That's good but a bit confusing!

(NOTE: If you do change 404.pl to return a 404 status instead of a 200 status,
it does cause a regression, so that this page now returns a blank page that
just says "not found".)

If we look at /etc/koha/apache-shared-intranet-plack.conf, only /index.html and
path /cgi-bin/koha are proxied to Starman. So it makes sense that they're the
only ones invoking the middleware. 

But if http://localhost:8081/blahblah is using Apache and not Starman, it
shouldn't be setting the environmental variables that cause 404.pl to return a
200 status instead of a 404 status...

Except that Apache's error documents themselves end up calling Starman! 

ErrorDocument 400 /cgi-bin/koha/errors/400.pl
ErrorDocument 401 /cgi-bin/koha/errors/401.pl
ErrorDocument 403 /cgi-bin/koha/errors/403.pl
ErrorDocument 404 /cgi-bin/koha/errors/404.pl
ErrorDocument 500 /cgi-bin/koha/errors/500.pl

So of course the error pages called by Apache will return a 200 page whereas
the ones using the ErrorDocument middleware return the actual error code. (Let
me know if I'm not being clear enough here.)

--

So that's... challenging.

We need a way of differentiating if these error scripts are being called
directly (e.g. Apache asking Starman for it) or by the ErrorDocument
middleware...

One way of doing that might be to inspect the REQUEST_URI environmental
variable. When coming from ErrorDocument, the REQUEST_URI is "errors/404.pl".
When coming from Apache, it's "/intranet/errors/404.pl". 

It doesn't seem like a super robust method, but it's the best I have at the
moment.



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

--- Comment #11 from Martin Renvoize  ---
OK.. the documentation for Plack::Middleware::ErrorDocument clearly states:

> When using a subrequest, the subrequest should return a regular '200' 
> response.

So, as we're enabling subrequest => 1 I'm sure David has got a point.. Now,
I've not dug into it deeply myself yet and I'm no expert in this area.. but
that does raise alarm bells in my mind.. We certainly need to be diligent in
checking for regressions here.



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

Martin Renvoize  changed:

   What|Removed |Added

 CC||martin.renvoize@ptfs-europe.com

--- Comment #10 from Martin Renvoize  ---
Take a step back everyone ;)

David was merely suggesting things to check to whoever takes on the QA.. I
don't see that as a blocker. I see that as someone trying to lend a hand where
they can.

We're all battling with various pressures on our time and we do what we can do.
 It's not at all constructive to call people out on their lack of time unless
you can somehow help free up some time for them to contribute more ;).

Also, remember that Koha is an aging beast... we're trying hard to make it more
modern and the move to Plack is part of that.. David has taken us in the right
direction by improving our error pages when they're served under this way of
running.  None of us are experts in everything.. and our poor QA team are
expected to dig in and get to grips with all areas even if their expertise is
being stretched.. we're all Human.



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

--- Comment #9 from Liz Rea  ---
(In reply to Tomás Cohen Arazi from comment #5)
> Do we really need to pass error pages through CGI/Perl?

I wondered this too, but the improvement in the error pages is nice. Just wish
it worked for the 401 case.

(In reply to Marcel de Rooy from comment #8)
> This is an effective way of blocking development :)
> It must be wrong, but I do not have time to look further..

Have seen a lot of this lately, upsetting.



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-26 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

Marcel de Rooy  changed:

   What|Removed |Added

 CC||m.de.r...@rijksmuseum.nl

--- Comment #8 from Marcel de Rooy  ---
(In reply to David Cook from comment #6)
> (In reply to Liz Rea from comment #4)
> > It does not stop it from working, it shows the error page under the login
> > screen for 401's.
> 
> Hmm weird. I have no idea then without testing and digging in (which I don't
> have time for at the moment). If there are any issues, I can find them later.

This is an effective way of blocking development :)
It must be wrong, but I do not have time to look further..



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

--- Comment #7 from David Cook  ---
(In reply to Tomás Cohen Arazi from comment #5)
> Do we really need to pass error pages through CGI/Perl?

You mean instead of using static HTML pages or...?



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

--- Comment #6 from David Cook  ---
(In reply to Liz Rea from comment #4)
> It does not stop it from working, it shows the error page under the login
> screen for 401's.

Hmm weird. I have no idea then without testing and digging in (which I don't
have time for at the moment). If there are any issues, I can find them later.



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

--- Comment #5 from Tomás Cohen Arazi  ---
Do we really need to pass error pages through CGI/Perl?



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

--- Comment #4 from Liz Rea  ---
It does not stop it from working, it shows the error page under the login
screen for 401's.



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-09 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

David Cook  changed:

   What|Removed |Added

 CC||dc...@prosentient.com.au

--- Comment #3 from David Cook  ---
Looking at Bug 26048, it looks like I added 200 OK for a reason, although it's
not 100% clear to me why now. I suspect something weird with the HTTPExceptions
or ErrorDocument modules. 

I suspect that this patch will stop Bug 26048 from working for 401. So if
you're not using HTTP Basic Auth, you'll probably get the Plack generic error
page instead of the Koha 401 error page.

But I haven't checked yet. 

I'd suggest to QA to check whether the Koha error page flows through or if it's
the Plack generic error message.



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-09 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

Nick Clemens  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29444



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-05 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

Tomás Cohen Arazi  changed:

   What|Removed |Added

 CC||tomasco...@gmail.com
   Assignee|koha-b...@lists.koha-community.org |l...@bywatersolutions.com



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-05 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

Nick Clemens  changed:

   What|Removed |Added

 Attachment #127328 is obsolete|0   |1

--- Comment #2 from Nick Clemens  ---
Created attachment 127364
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=127364=edit
Bug 29420 - 401 Unauthorized pages come back is 200 OK under plack

To test:

- create an alias in your /etc/koha/sites/.conf file for something like
files
   Alias /files "/var/lib/koha/kohadev/public_html/"
   
 Options +Indexes
 AuthUserFile /var/lib/koha/kohadev/.htpasswd
 AuthName ByPassword
 AuthType Basic
 
   require valid-user
 
   
- make a .htpasswd file: https://hostingcanada.org/htpasswd-generator/ and put
it in /var/lib/koha/kohadev
- restart apache
- navigate to http:///files, note that the response header in the
browser inspector says "200 OK" and the basic auth user/pass is not shown
- Apply this patch, restart the things
- navigate to http:///files, note that the response header in the
browser inspector says "401 Unauthorized" and the basic auth user/pass is now
shown

Signed-off-by: Nick Clemens 



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-05 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

Nick Clemens  changed:

   What|Removed |Added

 Status|Needs Signoff   |Signed Off



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

Liz Rea  changed:

   What|Removed |Added

 Status|NEW |Needs Signoff
 CC||wizzy...@gmail.com



[Koha-bugs] [Bug 29420] 401 Unauthorized pages come back as 200 OK under plack

2021-11-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29420

--- Comment #1 from Liz Rea  ---
Created attachment 127328
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=127328=edit
Bug 29420 - 401 Unauthorized pages come back is 200 OK under plack

To test:

- create an alias in your /etc/koha/sites/.conf file for something like
files
   Alias /files "/var/lib/koha/kohadev/public_html/"
   
 Options +Indexes
 AuthUserFile /var/lib/koha/kohadev/.htpasswd
 AuthName ByPassword
 AuthType Basic
 
   require valid-user
 
   
- make a .htpasswd file: https://hostingcanada.org/htpasswd-generator/ and put
it in /var/lib/koha/kohadev
- restart apache
- navigate to http:///files, note that the response header in the
browser inspector says "200 OK" and the basic auth user/pass is not shown
- Apply this patch, restart the things
- navigate to http:///files, note that the response header in the
browser inspector says "401 Unauthorized" and the basic auth user/pass is now
shown
