loris-imageserver / loris

Loris IIIF Image Server

Wrong error returned (404 instead of 400) for special characters #526

Open lguariento opened 3 years ago

lguariento commented 3 years ago

Hello,

I have Loris running with Apache and mod_wsgi. This is my configuration:

[Edit: the configuration is not relevant here. I tested it several times on different machines with different configurations and Loris still outputs 404 instead of 400 for special characters. See additional comments.]

ssl.conf:

AllowEncodedSlashes On
RewriteEngine on
RequestHeader set x-forwarded-for %{REMOTE_ADDR}e
RequestHeader set Host %{X-Forwarded-Host}e
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}e
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}e
WSGIScriptAlias /iiif /var/www/loris2/loris2.wsgi
RewriteCond %{REQUEST_URI} !default\.tif$ [NC]
RewriteRule ^/(.*).tif$ /$1.tif/info.json [R=303,L]
RewriteCond %{REQUEST_URI} !default\.jpg$ [NC]
RewriteRule ^/(.*).jpg$ /$1.jpg/info.json [R=303,L]
RewriteCond %{REQUEST_URI} !default\.jp2$ [NC]
RewriteRule ^/(.*).jp2$ /$1.jp2/info.json [R=303,L]
RewriteCond %{REQUEST_URI} !default\.png$ [NC]
RewriteRule ^/(.*).png$ /$1.png/info.json [R=303,L]

From the modules directory, conf.modules.d/10-wsgi.conf:

LoadModule wsgi_module modules/mod_wsgi.so
ExpiresActive On
ExpiresDefault "access plus 5184000 seconds"
AllowEncodedSlashes On
WSGIDaemonProcess loris2 user=loris group=loris processes=10 threads=15 maximum-requests=10000
WSGIScriptAlias /iiif /var/www/loris2/loris2.wsgi
WSGIProcessGroup loris2

It all works well except for the server returning 404 instead of 400 for randomly generated quality or rotation or size or format when these include characters like ] or ^ or ` or ; or [ etc. See for example here.

This is my image API validator.

What could the reason for that be?

Python 3.4, Apache 2.4.6, Loris 2.3.3

lguariento commented 3 years ago

After starting the .webapp.py development server and running the validator against it, I noticed that it's actually Loris which returns error 404 instead of the 400 expected by the validator.

lguariento commented 3 years ago

As Andrew Hankinson suggested in the IIIF Slack channel, "it probably has to do with the calls to self.raise_404_for_ident in the Loris resolver, e.g.

https://github.com/loris-imageserver/loris/blob/6fee1b8d367b287c981c9851a07a672fd5661ce3/loris/resolver.py#L554

and then the fact that the webapp itself sends back a NotFoundResponse whenever it catches a ResolverException: https://github.com/loris-imageserver/loris/blob/development/loris/webapp.py#L515-L516. It should probably be changed to return a BadRequestResponse: https://github.com/loris-imageserver/loris/blob/development/loris/webapp.py#L215-L221".
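
An added example, not Loris code and not from any participant in this thread: a standalone sketch of the ordering the validator expects for image requests, where IIIF Image API 2 parameter syntax is checked first (400) and the identifier is looked up only afterwards (404). `status_for`, `KNOWN_IDENTS` and the sample identifier are hypothetical; info.json and base-URI requests are out of scope, and identifiers are assumed to be percent-encoded so they contain no raw slashes.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for an image store; a real server would ask its resolver.
KNOWN_IDENTS = {"sample-image.jp2"}

_NUM = r"\d+(?:\.\d+)?"
REGION = re.compile(rf"(?:full|square|(?:pct:)?{_NUM},{_NUM},{_NUM},{_NUM})")
SIZE = re.compile(rf"(?:full|max|\d+,|,\d+|pct:{_NUM}|!?\d+,\d+)")
ROTATION = re.compile(rf"!?{_NUM}")
QUALITY = re.compile(r"(?:color|gray|bitonal|default)")
FORMAT = re.compile(r"(?:jpg|tif|png|gif|jp2|pdf|webp)")


def status_for(path):
    """Return the HTTP status (200, 400 or 404) for an image request path."""
    # Split on raw slashes before decoding so an encoded %2F stays in its segment.
    parts = path.strip("/").split("/")
    if len(parts) != 5:
        return 400
    ident, region, size, rotation, last = (unquote(p) for p in parts)
    quality, dot, fmt = last.rpartition(".")
    checks = [(REGION, region), (SIZE, size), (ROTATION, rotation),
              (QUALITY, quality), (FORMAT, fmt)]
    # Syntax first: a malformed parameter is a client error whether or not
    # the identifier exists, so it must never reach the identifier lookup.
    if not dot or any(not rx.fullmatch(value) for rx, value in checks):
        return 400
    if float(rotation.lstrip("!")) > 360:
        return 400
    # Only a syntactically valid request can produce "not found".
    if ident not in KNOWN_IDENTS:
        return 404
    return 200


if __name__ == "__main__":
    for p in ("/sample-image.jp2/full/full/0/default.jpg",
              "/sample-image.jp2/full/full/0/de]fault.jpg",
              "/missing.jp2/full/full/0/default.jpg"):
        print(status_for(p), p)
```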