View Issue Details

| Field | Value |
|---|---|
| ID | 0025362 |
| Project | mantisbt |
| Category | api rest |
| View Status | public |
| Date Submitted | 2019-01-21 03:09 |
| Last Update | 2024-03-14 12:41 |
| Reporter | pgiraud |
| Assigned To | community |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | PC |
| OS | Debian |
| OS Version | 9 |
| Target Version | 2.22.0 |
| Fixed in Version | 2.22.0 |

Summary: 0025362: REST API support for multiple authorization headers
Description:

In my company we use Mantis along with other applications. Our testing infrastructure is behind an nginx proxy with Basic Authentication. I recently tried to use the REST API in Mantis. While it works well on our production server, I get rejected with an unauthorized error on the testing instance. After some digging in the code, it looks like the fact that Mantis relies on the "Authorization" header key is a problem. It conflicts with Basic Authentication, which relies on this key as well. The same header key can't be used twice. As a temporary workaround, I patched I would suggest the following changes in the code:

If it sounds good I can provide a PR.

Steps To Reproduce: If you run Apache, I think this can easily be reproduced using Apache and an .htaccess file.

Tags: No tags attached.
Hi,

I'm leaning towards handling multiple authorization headers with the same name, if that works for @pgiraud. PRs are welcome.

Multiple authorization headers are not allowed by the RFC 7235 standard. So this implementation (see PR https://github.com/mantisbt/mantisbt/pull/1528) is in fact not valid.
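The conflict described in this issue, as an added example that is not MantisBT's code and not the patch from the linked PR: a reverse proxy enforcing Basic Authentication and an application expecting its own API token both want the single `Authorization` field that RFC 7235 allows. The example assumes the application token is sent with a scheme prefix (`Bearer` here, a constructed choice; MantisBT's real token format is not shown on this page), that a client sends both credentials in one field joined by a comma in the RFC 7230 list style, and that all credentials use the `token68` form, which contains no commas. The proxy credential `ci:hunter2` is constructed sample data. `naive_credential` shows what the reporter observed: a server that reads the whole field as its own token receives the proxy's Basic credential instead; `credential_for` picks out the credential for the wanted scheme and refuses an ambiguous request where that scheme appears more than once.

```python
"""Added example (not MantisBT's code): picking one credential out of an
Authorization field shared by a Basic-auth proxy and an API-token app."""
import base64
import re

# RFC 7235: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ].
# Only the token68 branch is handled; a token68 never contains a comma, so a
# comma can separate two credentials of this shape. The auth-param form
# (scheme key=value, ...) is out of scope for this example.
_CRED = re.compile(
    r"^\s*([A-Za-z0-9!#$%&'*+\-.^_`|~]+)"   # auth-scheme (RFC 7230 token)
    r"(?:\s+([A-Za-z0-9\-._~+/]+=*))?\s*$"  # optional token68
)


def parse_credentials(value):
    """'Basic abc=, Bearer xyz' -> [('basic', 'abc='), ('bearer', 'xyz')]."""
    creds = []
    for part in value.split(","):
        if not part.strip():
            continue
        m = _CRED.match(part)
        if not m:
            raise ValueError("unparseable credential: %r" % part)
        creds.append((m.group(1).lower(), m.group(2)))
    return creds


def authorization_credentials(headers):
    """headers: list of (name, value) pairs exactly as received.

    RFC 7230 lets a recipient join repeated fields with ', ', but RFC 7235
    defines Authorization as one credentials value, so a repeated field is
    only meaningful if the server applies that join and every credential is
    a token68 one. Both the joined and the repeated shape are accepted here.
    """
    creds = []
    for name, value in headers:
        if name.lower() == "authorization":
            creds.extend(parse_credentials(value))
    return creds


def credential_for(headers, scheme):
    """Return the token68 for `scheme`, None if absent; reject duplicates so
    an attacker cannot smuggle a second credential of the same scheme and
    rely on which one a given parser happens to pick."""
    matches = [tok for s, tok in authorization_credentials(headers)
               if s == scheme.lower()]
    if len(matches) > 1:
        raise ValueError("ambiguous: %d %s credentials" % (len(matches), scheme))
    return matches[0] if matches else None


def naive_credential(headers):
    """What a server sees when it treats the first Authorization field as its
    own token (the failure the report describes): the proxy's Basic value."""
    for name, value in headers:
        if name.lower() == "authorization":
            return value
    return None


def basic_user(token68):
    """Decode a Basic token68 to its user-id (for the proxy side)."""
    return base64.b64decode(token68).decode().split(":", 1)[0]


# Constructed request: proxy credential for user "ci" plus the app token,
# joined into one field as RFC 7230 list syntax permits.
PROXY_BASIC = "Basic " + base64.b64encode(b"ci:hunter2").decode()
APP_TOKEN = "Bearer api-token-example"
SAMPLE_HEADERS = [
    ("Host", "mantis.example"),
    ("Authorization", PROXY_BASIC + ", " + APP_TOKEN),
]

if __name__ == "__main__":
    print("naive server sees :", naive_credential(SAMPLE_HEADERS))
    print("proxy user        :", basic_user(credential_for(SAMPLE_HEADERS, "basic")))
    print("app token         :", credential_for(SAMPLE_HEADERS, "bearer"))
```

Run as a script it prints the proxy's Basic value first (the unauthorized-error path from the report), then the two credentials correctly separated. A real deployment usually avoids the shared field altogether by having the proxy strip its own credential or by carrying the application token in a header the proxy ignores; this example only shows why the single-field constraint makes the naive read fail.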