Webapp doesn't properly respond with 404 errors
Hi!
It seems that if you visit any page on the webapp that doesn't exist, you get served the main page. This is clever, but shouldn't happen. Instead you should be getting a 404 status code from the webserver, and if desired a nice 404 page that tells you what you did wrong.
Instead, what you get is a 200 level code and it succeeds.
That means that visiting something like https://black.riseup.net/.git actually works, when it shouldn't.
In the routes.rb file for the webapp, it even is configured to send things to the error controller:
```ruby
#
# HTTP Error Handling
# instead of the default error pages use the errors controller and views
#
match '/404' => 'errors#not_found'
match '/500' => 'errors#server_error'
```
and the errors controller seems to be trying to do the right thing by sending a 404:
```ruby
# We render http errors ourselves so we can customize them
class ErrorsController < ApplicationController
  # 404
  def not_found
    render status: 404
  end
end
```
but you still do not get a 404 status code.
It is technically a violation of the HTTP RFC to do this, in particular a 200 status code is only supposed to be sent in response to a GET when "an entity corresponding to the requested resource is sent in the response;" - it is pretty clear that what is returned by https://black.riseup.net/.azulssecretstashofbitcoins does not correspond to the requested resource.
A 404 is supposed to be sent when the server has not found anything matching the Request-URI.
If we wanted to redirect to the home page, which is what it appears that the application is doing when you visit an incorrect URL, then we should be sending a 302 redirect, so it can be properly handled.
Because we do not send proper status codes, this breaks various things that would normally work, such as caching, or looking for things that should not exist on the system (we have an alert system that looks for commonly screwed up things that become exposed, and this doesn't work at all on the leap webapp because everything is 200).
(from redmine: created on 2016-09-14)
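The following is an added illustration, not code from the LEAP webapp or its authors. It is a plain-Ruby, Rack-shaped app (no gems needed) that contrasts the behaviour the report describes (every unknown path answered with the home page and 200) with handling that returns a real 404, and with a 302 where a redirect is actually intended. It also includes the kind of "soft 404" check a monitoring job can run against its own site to notice when 200 has stopped meaning anything. Names such as `CATCH_ALL_APP`, `STRICT_APP`, `REDIRECTING_APP` and `soft_404?`, and the sample pages, are invented for the example. One thing worth verifying in a Rails app (not diagnosed on this page): routes like `match '/404' => 'errors#not_found'` are only consulted when `config.exceptions_app = self.routes` is set, and a catch-all route defined ahead of them will answer every path itself, so no routing error and no 404 ever occur.

```ruby
require "cgi"

# Constructed sample pages for the illustration.
HOME_BODY  = "<html><body>home</body></html>"
ABOUT_BODY = "<html><body>about</body></html>"
KNOWN_ROUTES = { "/" => HOME_BODY, "/about" => ABOUT_BODY }.freeze

# Rack-style response triple: [status, headers, body]. Plain Ruby only, so
# nothing beyond the standard library is required to run this.
def respond(status, body, extra_headers = {})
  [status, { "Content-Type" => "text/html" }.merge(extra_headers), [body]]
end

# Behaviour the report describes: a catch-all hands every path the home page
# with 200, so /.git is indistinguishable from / (a "soft 404").
CATCH_ALL_APP = lambda do |_env|
  respond(200, HOME_BODY)
end

# Correct handling: known paths get 200, anything else gets a real 404 that
# still carries a custom error page. Caches, monitoring and scanners now see
# the truth.
STRICT_APP = lambda do |env|
  path = env["PATH_INFO"]
  if KNOWN_ROUTES.key?(path)
    respond(200, KNOWN_ROUTES[path])
  else
    safe = CGI.escapeHTML(path) # never reflect the requested path unescaped
    respond(404, "<html><body>404: #{safe} was not found</body></html>")
  end
end

# If the intent really is "send unknown URLs to the home page", say so with a
# 302 and a Location header instead of a misleading 200.
REDIRECTING_APP = lambda do |env|
  path = env["PATH_INFO"]
  return respond(200, KNOWN_ROUTES[path]) if KNOWN_ROUTES.key?(path)
  respond(302, "", "Location" => "/")
end

# Check a monitoring job can run against its own site: request a path that
# cannot exist (a random canary) alongside the path under test. If both come
# back 200 with the same body, a 200 carries no information and alerting on
# exposed paths is blind.
def soft_404?(app, probe_path, canary_path = "/__canary_#{rand(10**8)}")
  probe  = app.call("PATH_INFO" => probe_path)
  canary = app.call("PATH_INFO" => canary_path)
  probe[0] == 200 && canary[0] == 200 && probe[2] == canary[2]
end

if __FILE__ == $PROGRAM_NAME
  ["/", "/.git"].each do |p|
    puts "catch-all #{p}: #{CATCH_ALL_APP.call("PATH_INFO" => p)[0]}"
    puts "strict    #{p}: #{STRICT_APP.call("PATH_INFO" => p)[0]}"
    puts "redirect  #{p}: #{REDIRECTING_APP.call("PATH_INFO" => p)[0]}"
  end
  puts "soft 404 on catch-all: #{soft_404?(CATCH_ALL_APP, '/.git')}" # true
  puts "soft 404 on strict:    #{soft_404?(STRICT_APP, '/.git')}"    # false
end
```

Run with `ruby soft404_example.rb`. The `soft_404?` check is the piece that matters for the alert system mentioned in the report: a status code alone cannot tell an exposed `/.git` from a catch-all, but a random canary path that returns the same 200 and the same body as the probe does.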