View Issue Details

ID: 0033019
Project: mantisbt
Category: api rest
View Status: public
Last Update: 2024-09-29 21:44
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Target Version: 2.28.0
Summary: 0033019: X-Mantis-Version headers sent when REST API is disabled
Description

The REST API tries to authenticate the user and returns the X-Mantis-Version header even when it is disabled and/or the authentication fails.

Steps To Reproduce
  • set $g_webservice_rest_enabled = OFF;
  • execute curl -is http://localhost/mantisbt/api/rest/

    HTTP/1.1 401 API token required
    Date: Sun, 15 Oct 2023 16:06:54 GMT
    Server: Apache/2.4.52 (Debian)
    Set-Cookie: PHPSESSID=ukcnd48i76p4vegpqg67n9ov1l; path=/; HttpOnly
    Cache-Control: no-store, no-cache, must-revalidate, max-age=0
    Last-Modified: Tue, 11 Apr 2023 22:55:08 GMT
    X-Mantis-Version: 2.25.7
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8

  • Notice
    • 401 API token required response (expected: 503 API disabled)
    • presence of X-Mantis-Version header (should not be shown)
Additional Information

Originally reported by @PR_CSO in 0033017:0068220

Tags: No tags attached.

Relationships

related to 0034784 (new): Retire webservice_rest_enabled config option
related to 0033017 (closed, dregad): Mantis version visible in REST API request headers even when $g_show_version is OFF
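
A regression check for the two symptoms listed under Steps To Reproduce, as an added example that is not part of the original report or of MantisBT's own code. The function names and the 503 sample response are assumptions made for this example; the leaky sample is the response from the report, abbreviated.

```shell
#!/bin/sh
# Added example. Feed it the output of:
#   curl -is http://localhost/mantisbt/api/rest/
# taken while $g_webservice_rest_enabled = OFF.

# Prints one FAIL line per problem; returns 0 when the response is clean.
check_rest_disabled() {
    awk '
        BEGIN { bad = 0 }
        { sub(/\r$/, "") }                  # curl -i keeps CRLF line endings
        NR == 1 {                           # status line: HTTP/x.y CODE REASON
            if ($1 !~ /^HTTP\//) { print "FAIL: not an HTTP response"; bad = 1; exit }
            if ($2 != "503") { print "FAIL: status " $2 " (expected 503)"; bad = 1 }
            next
        }
        /^$/ { exit }                       # blank line ends the header block
        {
            name = tolower($0); sub(/:.*/, "", name)   # names are case-insensitive
            if (name == "x-mantis-version") {
                print "FAIL: X-Mantis-Version header present"; bad = 1
            }
        }
        END {
            if (NR == 0) { print "FAIL: empty response"; bad = 1 }
            exit bad
        }
    '
}

# Response from the report above, abbreviated to the relevant headers.
sample_leaky() {
cat <<'EOF'
HTTP/1.1 401 API token required
Server: Apache/2.4.52 (Debian)
X-Mantis-Version: 2.25.7
Content-Length: 0
EOF
}

# Constructed sample of the behaviour the report expects.
sample_fixed() {
cat <<'EOF'
HTTP/1.1 503 API disabled
Content-Length: 0
EOF
}

sample_leaky | check_rest_disabled || echo "leaky sample rejected"
sample_fixed | check_rest_disabled && echo "fixed sample accepted"
```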

Activities

vboctor

2024-09-29 21:44

manager   ~0069294

See 0034784 which should retire the $g_webservice_rest_enabled config option.