Securedrop: 0.9.0-rc2 does not allow text only submissions

Created on 31 Aug 2018 · 8 Comments · Source: freedomofpress/securedrop

Description

I believe I found a bug in upgrading from 0.8 to 0.9rc2 in that sources can only submit documents or documents and messages. If I try to send _only_ text or a blank form field I get a "Bad Request, the browser or proxy sent a request that this server could not understand" error.

Steps to Reproduce

First I installed 0.8.0 on hardware and created a journalist. I then ran ./qa-loader.py -m 25. I logged in and saw submissions. I then added the apt-test key and updated sources.list from apt.freedom.press to apt-test.freedom.press. Finally I ran sudo cron-apt -i -s to update to 0.9rc2.

Expected Behavior

A source can send text to journalists.

Actual Behavior

Error in the webapp.

Comments

I also enabled apache debug logging and attempted to patch the source_app/ code to log anything related to CSRF violations, and I was not able to trigger a debug log.

Release bug

All 8 comments

Thanks for this report. I was unable to reproduce this on rc2; I will debug with the instance having this issue tomorrow with you if that works @b-meson

I can confirm the error. I see the same error message.

"Bad Request, the browser or proxy sent a request that this server could not understand"

Found the cause, will update the ticket + a PR after some coffee.

Based on my testing, this bug does not occur in Dev, nor in Staging environments. It only happens in production (either VMs or hardware). I rebuilt the debs on another computer to rule out the possibility of a bad build, and observed the same error described by @b-meson.

Why does this issue not occur in dev or staging?

request.files and request.form at this point (https://github.com/freedomofpress/securedrop/blob/develop/securedrop/source_app/main.py#L126) in the code return different values for prod and staging when submitting text:

# staging request.files
ImmutableMultiDict([('fh', <FileStorage>: u' ' ('application/octet-stream')>)])
# staging request.form
ImmutableMultiDict([('msg', u'hello'), ('csrf_token', u'<snip>')])
# prod request.files
ImmutableMultiDict([])
# prod request.form
ImmutableMultiDict([('fh', u''), ('msg', u'hello'), ('csrf_token', u'<snip>')])
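The two request shapes quoted above, replayed against a submit handler, as an added example that is not SecureDrop's code. `FakeFileStorage` and `BadRequest` are constructed stand-ins for werkzeug's `FileStorage` and the 400 response, and `naive_submit` is an assumed shape of the failing handler (the ticket does not quote main.py), chosen because a missing key in `request.files` raises werkzeug's `BadRequestKeyError`, whose default text is the exact message the reporter saw.

```python
from dataclasses import dataclass


class BadRequest(Exception):
    """Stand-in for HTTP 400: werkzeug raises BadRequestKeyError (a KeyError) when a
    key is missing from request.files, and Flask renders it as the quoted message."""


@dataclass
class FakeFileStorage:
    """Constructed stand-in for werkzeug.datastructures.FileStorage.
    Like the real class, it is falsy when the browser sent no filename."""
    filename: str
    data: bytes = b""

    def __bool__(self):
        return bool(self.filename)


# Constructed requests mirroring the two shapes quoted in the comment above.
STAGING_TEXT_ONLY = {"form": {"msg": "hello", "csrf_token": "<snip>"},
                     "files": {"fh": FakeFileStorage(filename="")}}
PROD_TEXT_ONLY = {"form": {"fh": "", "msg": "hello", "csrf_token": "<snip>"},
                  "files": {}}
PROD_FILE_ONLY = {"form": {"msg": "", "csrf_token": "<snip>"},
                  "files": {"fh": FakeFileStorage("leak.pdf", b"%PDF-")}}


def naive_submit(form, files):
    """Assumed shape of the failing handler: indexes request.files directly."""
    try:
        fh = files["fh"]  # key absent in prod for text-only posts -> 400 Bad Request
    except KeyError:
        raise BadRequest("the browser or proxy sent a request that this server could not understand")
    msg = form["msg"]
    if not (msg or fh):
        return {"status": "rejected", "reason": "empty submission"}
    return {"status": "accepted", "message": msg or None, "file": fh.filename if fh else None}


def robust_submit(form, files):
    """Tolerant handler: works whether the empty file input lands in files or in form."""
    msg = form.get("msg", "").strip()
    fh = files.get("fh")
    if fh is not None and not fh.filename:  # empty file part: treat as no file
        fh = None
    if not msg and fh is None:
        return {"status": "rejected", "reason": "empty submission"}
    return {"status": "accepted", "message": msg or None, "file": fh.filename if fh else None}
```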

Reopening until root cause of variance between staging and prod is addressed

Confirmed that staging VMs do not show this issue: I'm able to submit both text and files without issue against staging VMs, configured from release/0.9 (specifically, on 4b86039dee7fe6f4baa4b790ccb6d95470079625).
