0034634: Non-existing issue number does not throw a 404 in the UI

ID	Project	Category	View Status	Date Submitted	Last Update
0034634	mantisbt	other	public	2024-09-09 11:58	2024-10-24 15:04

Reporter	c_schmitz	Assigned To	dregad
Priority	normal	Severity	tweak	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.26.3
Fixed in Version	2.26.4

Summary	0034634: Non-existing issue number does not throw a 404 in the UI
Description	When trying to open an issue URL with an invalid ID, you get a proper page back with a error message, but a status code 200. It should be 400, otherwise search engine will index the page and if you have alot of deleted issues, punish you for duplicate or low quality content.
Steps To Reproduce	1.) Open URL https://mantisbt.org/bugs/view.php?id=99999999999 2.) See error message 3.) Check http status code of the page in console. It is 200. Expected: 404
Tags	No tags attached.

cas 2024-09-09 12:13 reporter ~0069180	You get a proper application error so in my book no issue.

c_schmitz 2024-09-09 12:35 reporter ~0069181 Last edited: 2024-09-09 12:37	Yes, that's what I wrote with 'You get a proper page back with error message". I also explained why such a page with a 200 HTTP status code is still a problem.

dregad 2024-09-09 19:57 developer ~0069184	Hello Carsten. That's a very good point, and you're absolutely right we should be returning a proper error code in such case. Unfortunately this is not as easy as it sounds, given the way our error handler is written. The error code needs to be specific and meaningful, depending on the error being handled we would want a 400, 403, 404 or 500 errors (and possibly others too), so a table mapping Mantis to HTTP error codes is required. We already have such logic in the SOAP / REST APIs (see faultFromException() function), but it would need to be adapted to core.

c_schmitz 2024-09-12 07:25 reporter ~0069201	@dregad Thank you for your kind response. Yes, I checked the source, too, and figured out the same. Can we maybe apply a stupid fix? It is basically one line of code and would only catch this common error of a non-existing issue and provide a 404 header with the normal error page. If interested I could submit a PR on Github.

dregad 2024-09-13 07:45 developer ~0069212	@c_schmitz contributions are always welcome, please do send the PR I will gladly review it. Even if we merge your quick fix, I believe that a "proper", more general solution is needed anyway, as this problem of an error page returning a success code has previously hit us on several other occasions.

dregad 2024-09-16 08:01 developer ~0069231	I had a closer look at this, and in fact it should actually be fairly simple to implement even the "proper", more general solution, i.e. move logic from mc_api / ApiObjectFactory::faultFromException() to a core API function refactor faultFromException() to use new function call http_response_code() with return value from new function in error_handler()

dregad 2024-09-20 13:13 developer ~0069247	PR https://github.com/mantisbt/mantisbt/pull/2028

c_schmitz 2024-10-07 07:24 reporter ~0069310	I just installed 2.27.0 and the issue is not fixed there. Maybe upstream merge was forgotten?

dregad 2024-10-07 08:13 developer ~0069311	Maybe upstream merge was forgotten? Definitely not. `$ git tag --contains 6cb11276 release-2.26.4 release-2.27.0` And as far as I can tell, it's working on this tracker, as shown in attached screenshot. Can you provide additional details ? image.png (7,032 bytes) image.png (7,032 bytes)

c_schmitz 2024-10-07 08:51 reporter ~0069312	Hmm. check out https://bugs.limesurvey.org/view.php?id=111111111111111

c_schmitz 2024-10-07 09:36 reporter ~0069314 Last edited: 2024-10-07 09:45	After some debugging I see that in function html_end a call to fastcgi_finish_request() is made, which causes the process to be finished. (as we are using FastCGI). So it never gets to send the header - it probably needs to be sent earlier.

dregad 2024-10-07 10:52 developer ~0069315	Thanks for the analysis and feedback. Usage of FastCGI indeed explains the discrepancy between your system and mine. Since the issue is fixed for "regular" CGI in 2.26.4, I will set this back to resolved, and I have opened 0034828 to track the FastCGI issue, I'll look into it as soon as possible.

MantisBT: master-2.26 6cb11276 2024-09-16 13:45 dregad Details Diff	Return HTTP response code when error occurs Until now, our error handler displayed an error page, but actually returned HTTP status code 200 (success), which was causing problems in certain usage scenarios. The REST and SOAP APIs do define a mapping from Mantis error to the corresponding HTTP response code ApiObjectFactory::faultFromException(). This moves the mapping logic to a new Error API function error_map_mantis_error_to_http_code(), and the error handler calls http_response_code() with its return value so a proper HTTP status code is returned to the user agent. faultFromException() method was modified to use the new API function to avoid code duplication. Fixes 0034634	Affected Issues 0034634
	mod - api/soap/mc_api.php	Diff File
	mod - core/error_api.php	Diff File
MantisBT: master-2.27 5ff8bb6a 2024-10-07 12:37 dregad Details Diff	Move fastcgi_finish_request() to email shutdown function This was originally added to html_end() to improve performance when using php-fpm and sending mail synchronously [1], back when the function was calling email_send_all(), i.e. before issue 0017460 moved that to email_shutdown_function(). This is now causing issues as the HTTP response code is not set when an error occurs and FastCGI is used. Fixes 0034828, 0034634 [1]: see commit cea405ccf228fd2c6ac694574a74e87396b14f1f	Affected Issues 0017460, 0034634, 0034828
	mod - core/email_api.php	Diff File
	mod - core/html_api.php	Diff File

View Issue Details

Relationships

Activities

Related Changesets