This project is archived and is in readonly mode.

#146 ✓resolved
Matthew Mucklo

[Bug] /rails/info/properties page not considering all requests local

Reported by Matthew Mucklo | May 8th, 2008 @ 06:21 PM

Rails team,

Thank you for your product and your time. If I may, I'd like to submit a bug I came across with Rails 2.0.2 over the last day or so working with it.

This bug is presently described (as of this writing on 5/8/2008) at http://justbarebones.blogspot.com/2007_08_12_archive.html

It's still present as of Rails 2.0.2.

The environment is a remote rails install, being accessed from another computer.

An example could be setting up Rails on a *nix box (such as an HPUX based machine) and accessing it from a Windows-based machine.

The problem seems to occur when accessing the properties URL linked to from the default front page:

http://:3000/rails/info/properties

The following message is received:

"For security purposes, this information is only available to local requests."

That is correct behaviour for a production machine; however, when the server is in development mode and the following environment variable is set in development.rb:

config.action_controller.consider_all_requests_local = true

The rails/info/properties page probably should respond and act as if the request is coming from a local machine. As of Rails 2.0.2 it presently does not.

Now if this is by design, even in the development mode, one might want to reconsider, because of the case where someone sets up a development server on a remote machine that there is no graphical console access to. It would be good to enforce consider_all_requests_local across all pages in that case.

The bug seems to be a minor oversight in the file:

builtin/rails_info/rails/info_controller.rb:

Which says (on line 3):

if local_request?

(which only checks for 127.0.0.1 origination)

To enforce consider_all_requests_local, it should say (on line 3):

if consider_all_requests_local || local_request?

That would mirror actionpack-2.0.2/lib/action_controller/rescue.rb, line 122 (incidentally, it seems to be the same file where the method local_request? is defined).

--Matt

Comments and changes to this ticket

  • josh

    josh July 17th, 2008 @ 01:13 AM

    • State changed from “new” to “resolved”
    • Tag set to bug, controller

    Appears to be fixed!

    class Rails::InfoController < ActionController::Base
      def properties
        if consider_all_requests_local || local_request?
          render :inline => Rails::Info.to_html
        else
          render :text => '<p>For security purposes, this information is only available to local requests.</p>', :status => 500
        end
      end
    end
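
The reported check and the resolved one side by side, with a check of which environment files turn the flag on, as an added example that is not part of the ticket or the Rails code base. `local_request?` is modeled on the ticket's description; the sample file contents, the `staging.rb` name and the remote address 192.0.2.10 are constructed.

```ruby
# Plain Ruby, no Rails required.
# local_request? is modeled on the ticket's description ("only checks for
# 127.0.0.1 origination"); this is an assumption, not the Rails source.
def local_request?(remote_ip)
  remote_ip == '127.0.0.1'
end

# Gate as reported against Rails 2.0.2: the flag is ignored.
def allowed_before_fix?(remote_ip, _flag)
  local_request?(remote_ip)
end

# Gate as shown in the resolved controller.
def allowed_after_fix?(remote_ip, flag)
  flag || local_request?(remote_ip)
end

FLAG_RE = /^\s*config\.action_controller\.consider_all_requests_local\s*=\s*(true|false)\b/

# Reads the flag from the text of an environment file. Commented-out lines
# are ignored; the last assignment wins; no assignment is treated as false
# (assumption made for this example).
def flag_value(config_text)
  values = config_text.scan(FLAG_RE).flatten
  values.empty? ? false : values.last == 'true'
end

# Returns the environments whose info page a remote client can read once the
# fixed gate is in place. remote_ip defaults to a documentation-range address.
def exposed_environments(env_files, remote_ip = '192.0.2.10')
  env_files.select { |_name, text| allowed_after_fix?(remote_ip, flag_value(text)) }.keys
end

# Constructed sample environment files (not taken from any real application).
SAMPLE_ENVS = {
  'development.rb' => "config.cache_classes = false\nconfig.action_controller.consider_all_requests_local = true\n",
  'production.rb'  => "config.cache_classes = true\nconfig.action_controller.consider_all_requests_local = false\n",
  'staging.rb'     => "# config.action_controller.consider_all_requests_local = false\nconfig.action_controller.consider_all_requests_local = true\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ENVS.each do |name, text|
    flag = flag_value(text)
    puts format('%-15s flag=%-5s before=%-5s after=%s', name, flag,
                allowed_before_fix?('192.0.2.10', flag), allowed_after_fix?('192.0.2.10', flag))
  end
  puts "Readable by remote clients after the fix: #{exposed_environments(SAMPLE_ENVS).inspect}"
end
```

With the resolved gate, the flag alone decides whether non-local clients see the properties page, so any environment file listed by `exposed_environments` should be one that is meant to be reachable only by developers.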
    


Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues
