Comments (8)
berrnd
commented on August 23, 2024
So this seems to be a specific problem of the Docker container (grocy.env is nothing grocy uses itself).
I can't reproduce this (for MODE = production - anything else should not be used for this setting, if you want to disable authentication, use DISABLE_AUTH).
Just as a reference, the redirect is done here - so always, when the session could not be validated, regardless which page was requested.
Feel free to use my private grocy instance to test this, I've found no path which doesn't redirect to /login so far...
https://grocy.berrnd.org/choresoverview
https://grocy.berrnd.org/products
...
(Note that there are some feature flags disabled on this instance, therefore e. g. https://grocy.berrnd.org/tasks results in an 404 error instead of redirecting).
(I'm moving this issue to grocy/grocy-docker.)
from grocy-docker.
jayaddison
commented on August 23, 2024
@tet3 Do you mind updating this issue description to link to grocy.env as-it-was when you opened the issue, just for anyone gathering context in future?
That should be https://github.com/grocy/grocy-docker/blob/d5163459e9211010167834254847eb62a8241fe2/grocy.env as best I can tell
(NB: it looks like I could technically edit your description myself but I figure it's probably best to edit our own comments & descriptions unless really necessary)
from grocy-docker.
jayaddison
commented on August 23, 2024
Currently investigating the root cause here.
from grocy-docker.
tet3
commented on August 23, 2024
Edited. While not understanding the root cause is always frustrating, since there seem to be other advantages to the work done on #67 and that fixes it, I'd just go with that, myself. :-)
I got that branch up and running on my VPS last night, though I have to sort out why the SSL isn't working.
from grocy-docker.
jayaddison
commented on August 23, 2024
@berrnd I've nearly tracked down the cause here - certainly there's enough information that I can pinpoint a potential security issue in, and have a proposed fix.
The issue comes down to what content should be considered permissible for non-authenticated users to view. In general for a production system it's likely sensible to deny read access (i.e. redirect to login before rendering any content) for non-authenticated users, since that seems to be the intent of the middleware code.
Although I've pinpointed a fix in the application code, I'm still digging further to determine why this particular pull request alters the behaviour.
from grocy-docker.
berrnd
commented on August 23, 2024
Thanks, I see - the rendered originally requested page is rendered in addition to the 302 redirect (browsers, including the developer tools, seem to not show the response body of a 302 response).
Should be easy to fix, I think we should do this immediately (today).
from grocy-docker.
berrnd
commented on August 23, 2024
We do this also already for the API, here:
(Sorry for the off-topic comments here...)
from grocy-docker.
berrnd
commented on August 23, 2024
I've created grocy/grocy#696 to track and fix the security issue - thanks a lot for finding that!
from grocy-docker.
Related Issues (20)
- Consider deprecating use of docker HOT 3
- grocy/grocy-docker or linuxserver/grocy HOT 7
- Rollback to PHP 8.0 HOT 3
- Update base images to use Alpine 3.17.2 HOT 2
- Plan from migrating away from dockerhub? HOT 3
- frontend container: intermittent build error: unable to remove temporary directory contents HOT 1
- GitHub Actions: update buildah-build action in publish workflow to a more recent version
- 404 on node_modules following upgrade to 4.0.0 HOT 44
- Update guide incomplete. HOT 1
- No assets in the web UI after 3.3.2->4.0.2 upgrade (docker-compose + nginx) HOT 10
- Frontend issues with grocy >= 4.0.1 HOT 4
- Feature Request: Populate data directory if using docker bind mounts HOT 6
- Feature request: Proxy authentication by http header value HOT 2
- Allow changing the name of the backend container. HOT 2
- Docker image not found (with bages linked) HOT 1
- Use of docker volume for data makes it hard to customize HOT 2
- Request: Allow setting the front-end nginx configuration for subdirectory HOT 1
- Can't add item on first login HOT 1
- Popup menus collapse to zero height on firefox until browser window is resized HOT 3
- Unable to set custom domain for grocy in Android app HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from grocy-docker.