I believe I found a bug in upgrading from 0.8 to 0.9rc2 in that sources can only submit documents or documents and messages. If I try to send _only_ text or a blank form field I get a "Bad Request, the browser or proxy sent a request that this server could not understand" error.
First I installed 0.8.0 on hardware and created a journalist. I then ran `./qa-loader.py -m 25`. I logged in and saw submissions. I then added the apt-test key and updated sources.list from apt.freedom.press to apt-test.freedom.press. Finally I ran `sudo cron-apt -i -s` to update to 0.9rc2.
A source can send text to journalists.
Error in the webapp.
I also enabled Apache debug logging and attempted to patch the source_app/ code to log anything related to CSRF violations, and I was not able to trigger a debug log.
Thanks for this report. I was unable to reproduce this on rc2; I will debug with the instance having this issue tomorrow with you if that works, @b-meson.
I can confirm the error. I see the same error message.
"Bad Request, the browser or proxy sent a request that this server could not understand"
Found the cause; will update the ticket + a PR after some coffee.
Based on my testing, this bug does not occur in Dev, nor in Staging environments. It only happens in production (either VMs or hardware). I rebuilt the debs on another computer to rule out the possibility of a bad build, and observed the same error described by @b-meson.
Why does this issue not occur in dev or staging?
`request.files` and `request.form` at this point in the code (https://github.com/freedomofpress/securedrop/blob/develop/securedrop/source_app/main.py#L126) return different behaviors for prod and staging when submitting text:
```
# staging request.files
ImmutableMultiDict([('fh', <FileStorage>: u' ' ('application/octet-stream')>)])
# staging request.form
ImmutableMultiDict([('msg', u'hello'), ('csrf_token', u'<snip>')])
# prod request.files
ImmutableMultiDict([])
# prod request.form
ImmutableMultiDict([('fh', u''), ('msg', u'hello'), ('csrf_token', u'<snip>')])
```
Reopening until the root cause of the variance between staging and prod is addressed.
Confirmed that staging VMs do not show this issue: I'm able to submit both text and files without issue against staging VMs, configured from release/0.9 (specifically, on 4b86039dee7fe6f4baa4b790ccb6d95470079625).
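
As an added illustration (not code from the SecureDrop repository or from anyone in this thread), the sketch below normalizes the two request shapes quoted above so that a text-only submission looks the same to a handler in staging and in prod. The function name `normalize_submission`, the `Upload` stand-in for Werkzeug's `FileStorage`, and the plain-dict inputs are assumptions made so the example runs offline; only the field names `fh` and `msg` come from the quoted output.

```python
import io
from collections import namedtuple

# Hypothetical stand-in for werkzeug's FileStorage: only the two
# attributes this example needs.
Upload = namedtuple("Upload", "filename stream")


def normalize_submission(form, files):
    """Return (msg, upload) from either request shape seen in the thread.

    upload is None when no real file was sent, whether the empty 'fh'
    part was parsed as a file (staging shape) or as a text field
    (prod shape). Uses .get() so a missing key never raises.
    """
    msg = (form.get("msg") or "").strip()

    fh = files.get("fh")
    if fh is None:
        # Prod shape: the empty file input shows up in the form data.
        fh = form.get("fh")

    if fh is None or fh == "":
        return msg, None
    if isinstance(fh, str):
        # Non-empty text in a file field is unexpected; reject it
        # explicitly instead of silently dropping or storing it.
        raise ValueError("'fh' arrived as text, not as an upload")
    if not fh.filename:
        # Staging shape: a file part with an empty filename.
        return msg, None
    return msg, fh


# Constructed inputs mirroring the four dumps quoted in the thread.
STAGING_FORM = {"msg": "hello", "csrf_token": "<snip>"}
STAGING_FILES = {"fh": Upload("", io.BytesIO(b""))}
PROD_FORM = {"fh": "", "msg": "hello", "csrf_token": "<snip>"}
PROD_FILES = {}

if __name__ == "__main__":
    print(normalize_submission(STAGING_FORM, STAGING_FILES))
    print(normalize_submission(PROD_FORM, PROD_FILES))
```

Because the function only calls `.get()`, it accepts Werkzeug's `ImmutableMultiDict` objects as well as the plain dicts used here.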