As designed Security Error when Accessing .jsp File

[Liam W]

If I point to a .jsp file at the end of any route, then a security error is given instead of a not found error.

Examples: http://xenforo.com/community/object/indexsfasfas.jsp, http://xenforo.com/community/members/XenForo.1/test.jsp

 

[Liam W]

Adding to this, if the first two characters of the extension are js, the security error is given...

 

[Mike]

This is strictly as designed as we require the CSRF token to be provided when making any request to a ".js*" URL (to prevent a possible information leak). Not sure if we should change it to just be .json and .js though.

 

[Liam W]

This is strictly as designed as we require the CSRF token to be provided when making any request to a ".js*" URL (to prevent a possible information leak). Not sure if we should change it to just be .json and .js though.

I just thought that when I discovered it happened on js* files... In my opinion, it should be changed. But I guess it's arguable.

 

[tyteen4a03]

I'm not actually sure how many setups out there that supports both php and jsp, but this should be changed in case there really is.

 

[Adam Howard]

This is strictly as designed as we require the CSRF token to be provided when making any request to a ".js*" URL (to prevent a possible information leak). Not sure if we should change it to just be .json and .js though.

Please keep this 'as is'

 

[Mike]

Going to leave this as is, just in case really. This error only comes up if the request hits XenForo; if the server has a .jsp file and it gets executed, XenForo isn't being executed so the error won't come up. Changing this globally could expose a mistake more easily for really no benefit. If you have need for a URL with various extensions, you can always explicitly disable the CSRF check in your controller in the needed cases.