connexin / connexin-RADIUS3-REST-Tests

Automated testing suite for the RADIUS3 REST API using SOAPUI.

When the Accept header is missing, HTML is returned #4

Open MartinSpamer opened 5 years ago

MartinSpamer commented 5 years ago

Outline

If the Accept: application/json header is missing then an HTML page is returned.

Expected Behaviour

This does not seem right to me; I would expect that, where possible, the response should fail safe. Currently JSON is the only response type supported, so it could be returned by default. Otherwise, if a tight interface is required, then a 406 Request Not Acceptable or HTTP 400 Bad Request should be returned.

Actual Behaviour

Given the following request:

GET http://radius-dev-v3.uk.cxn-network.net/api/accounting_entries HTTP/1.1
Accept-Encoding: gzip,deflate
Authorization: Basic bWFydGluOmNvbm5leGluMTIzNDU2
Host: radius-dev-v3.uk.cxn-network.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

Results in the following, which also leaks potentially risky information about the system:

Bad Request

Error: The requested address '/api/accounting_entries' was not found on this server.

Stack Trace

APP/Vendor/cakephp/cakephp/lib/Cake/Event/CakeEventManager.php line 243 → AppController->beforeFilter(CakeEvent)
APP/Vendor/cakephp/cakephp/lib/Cake/Controller/Controller.php line 677 → CakeEventManager->dispatch(CakeEvent)
APP/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php line 189 → Controller->startupProcess()
APP/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php line 167 → Dispatcher->_invoke(AccountingEntriesController, CakeRequest)
APP/webroot/index.php line 117 → Dispatcher->dispatch(CakeRequest, CakeResponse)
MartinSpamer commented 5 years ago

While my example uses accounting_entries, this behaviour is exhibited on all resources.
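The two behaviours the issue asks for, defaulting to JSON when no Accept header is sent and answering 406 when the client only accepts something the API cannot produce, together with an error response that never carries a stack trace, as an added example. This is not code from the connexin test suite or from the RADIUS3 API (which is CakePHP); the function names, the header dictionary shape and the sample request are assumptions. The last helper is the kind of assertion an automated suite could run over every response to catch the leak shown above.

```python
"""Content negotiation and fail-safe errors for a JSON-only REST API.

Added example, not code from the connexin-RADIUS3-REST-Tests project or the
RADIUS3 API. All names here are assumptions for illustration.
"""
import json
import logging
import re
import uuid

log = logging.getLogger("api")

# The only representation the API currently produces (assumption from the issue).
SUPPORTED_TYPES = ("application/json",)

# Markers that indicate an error page is exposing internals (constructed list).
LEAK_PATTERNS = (
    re.compile(r"Stack Trace", re.IGNORECASE),
    re.compile(r"\.php line \d+"),            # framework file + line references
    re.compile(r"APP/Vendor/"),               # on-disk vendor paths
)


def get_header(headers, name):
    """Case-insensitive header lookup over a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_accept(header):
    """Parse an Accept header into (media_range, q) pairs, highest q first."""
    entries = []
    for part in header.split(","):
        pieces = [p.strip() for p in part.split(";") if p.strip()]
        if not pieces:
            continue
        q = 1.0
        for param in pieces[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed q-value: treat as not acceptable
        entries.append((pieces[0].lower(), q))
    entries.sort(key=lambda e: e[1], reverse=True)  # stable: header order breaks ties
    return entries


def matches(offered, requested):
    """True if the requested media range (e.g. */*, application/*) covers the offered type."""
    if requested == "*/*":
        return True
    if requested.endswith("/*"):
        return offered.split("/")[0] == requested.split("/")[0]
    return offered == requested


def negotiate(headers, default=SUPPORTED_TYPES[0]):
    """Pick the response media type.

    Missing or empty Accept header -> the default (JSON), as the issue suggests.
    Accept present but excluding every supported type -> None (caller sends 406).
    """
    accept = get_header(headers, "Accept")
    if accept is None or not accept.strip():
        return default
    for requested, q in parse_accept(accept):
        if q <= 0:
            continue
        for offered in SUPPORTED_TYPES:
            if matches(offered, requested):
                return offered
    return None


def build_error_response(status, message, exc=None):
    """JSON error body with a correlation id; the exception stays in the server log."""
    error_id = str(uuid.uuid4())
    if exc is not None:
        log.error("request failed, error_id=%s", error_id, exc_info=exc)
    body = json.dumps({"status": status, "error": message, "error_id": error_id})
    return status, {"Content-Type": "application/json"}, body


def handle_request(headers, resource_exists=True):
    """Minimal request handler: negotiate first, then serve or fail safe."""
    media = negotiate(headers)
    if media is None:
        return build_error_response(406, "Not Acceptable: this API only produces application/json")
    if not resource_exists:
        return build_error_response(404, "Resource not found")
    return 200, {"Content-Type": media}, json.dumps({"accounting_entries": []})


def response_leaks_internals(body):
    """Test-suite check: does a response body expose stack traces or file paths?"""
    return any(p.search(body) for p in LEAK_PATTERNS)


# Constructed sample mirroring the request in the report (no Accept header sent).
SAMPLE_REQUEST_HEADERS = {
    "Accept-Encoding": "gzip,deflate",
    "Host": "radius-dev-v3.uk.cxn-network.net",
    "Connection": "Keep-Alive",
    "User-Agent": "Apache-HttpClient/4.1.1 (java 1.5)",
}

if __name__ == "__main__":
    status, hdrs, body = handle_request(SAMPLE_REQUEST_HEADERS)
    print(status, hdrs, body)
```

With the sample headers the handler answers 200 with application/json instead of an HTML page; a client sending only Accept: text/html gets a 406 whose body is still JSON, and whichever branch fails, the client sees an error_id it can quote to operators while the trace stays in the server log.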