In Confluence 5.8 we have integration tests that validate that our REST endpoints return a 415 when they are given an invalid content type. In 5.9.1-pluginsfour013 these endpoints are returning a 403 for the same tests.

            [CONFSERVER-39291] Rest endpoints returning 403 for incorrect content type

            Shannon Krebs added a comment (edited)

            It seems to be related to the new XSRF checks. Possibly that is returning 403 when it fails and not a more accurate message in some cases. I've only seen it with some REST endpoints provided by a plugin; I haven't been able to reproduce it with a Confluence endpoint. There is no error in the Confluence log.

            Example 5.8.10:

            curl -D- -u admin:admin -X POST http://localhost:1990/confluence/rest/cw/latest/workflows/ds/workflowParameter
            HTTP/1.1 415 Unsupported Media Type
            Server: Apache-Coyote/1.1
            Set-Cookie: JSESSIONID=08E571811595069B2EC57B68BFEC6FDB; Path=/
            X-Seraph-LoginReason: OK
            X-AUSERNAME: admin
            X-Content-Type-Options: nosniff
            Content-Type: text/html;charset=utf-8
            
            <html><head><title........
            

            5.9.1-pluginsfour013

            curl -D- -u admin:admin -X POST http://localhost:1990/confluence/rest/cw/latest/workflows/ds/workflowParameter
            HTTP/1.1 403 Forbidden
            Server: Apache-Coyote/1.1
            Set-Cookie: JSESSIONID=BA414C125E8008AADA95281DE15E05D3; Path=/confluence/; HttpOnly
            X-Seraph-LoginReason: OK
            X-AUSERNAME: admin
            X-Content-Type-Options: nosniff
            Content-Type: text/html;charset=ISO-8859-1
            
            XSRF check failed
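
Added example (not part of the ticket and not Confluence or plugin code): a small triage helper for an integration test that expects 415, which parses a raw `curl -D-` response and reports whether the request was rejected by the XSRF check or by content-type validation. The function names and category strings are assumptions made for this illustration; the two sample responses are abridged from the ones quoted above.

```python
from email.parser import Parser

# Sample inputs, abridged from the two responses quoted in the comment above.
RESPONSE_5_8_10 = """\
HTTP/1.1 415 Unsupported Media Type
Server: Apache-Coyote/1.1
X-Seraph-LoginReason: OK
Content-Type: text/html;charset=utf-8

<html><head><title........
"""

RESPONSE_5_9_1 = """\
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
X-Seraph-LoginReason: OK
Content-Type: text/html;charset=ISO-8859-1

XSRF check failed
"""

def parse_response(raw):
    """Split `curl -D-` output into (status_code, headers, body)."""
    text = raw.replace("\r\n", "\n").strip("\n")
    head, _, body = text.partition("\n\n")
    status_line, _, header_block = head.partition("\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    headers = Parser().parsestr(header_block, headersonly=True)
    return int(parts[1]), headers, body.strip()

def classify_rejection(raw):
    """Name the layer that rejected the request (hypothetical categories)."""
    status, _headers, body = parse_response(raw)
    if status == 403 and "xsrf check failed" in body.lower():
        return "xsrf-check"  # rejected before content-type validation ran
    if status == 415:
        return "unsupported-media-type"
    if status == 403:
        return "forbidden-other"
    return "other-%d" % status

if __name__ == "__main__":
    for name, raw in (("5.8.10", RESPONSE_5_8_10), ("5.9.1", RESPONSE_5_9_1)):
        print(name, "->", classify_rejection(raw))
```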
            


            Minh Tran added a comment

            Dear shannon1,

            Thanks for submitting the ticket.
            Could you please tell me the REST endpoint and the corresponding exception inside Confluence?

            Thanks,
            Minh Tran
            Confluence BugMaster
            Atlassian

