Tails

TL;DR: bug-tracker server blocks http GET requests containing Referer: https://redmine.tails.boum.org/code/projects/tails/repository/revisions/

That took me some good time to figure out:

Every time I looked through an issue, clicked on an associated revision to see the fix, and from there wanted to open a diff the message

403 Forbidden

You don't have permission to access this resource.

was displayed instead. (No matter if logged-in or out! Reload didn’t change anything as well.)

But I knew I can access it (I have seen the diff somewhere before), so I assumed the link must be broken (which in fact wasn’t, see below).

So I tried manually changing it to a different accessing url of the same resource and - magically - it worked! But it was a drag to do that every time and I knew I had seen at least on issue where diff displayed without error…

[long search for that post again]
[what, same url of what I thought was broken?!?]
[open “Web developer tools > Network” of browser]
[all HTTP GET parameters sam… oh, referer is different!]
[fiddling around with same request but different referers…]

Server discards HTTP GET requests containing a referer (exactly!) starting with the string “https://redmine.tails.boum.org/code/projects/tails/repository/revisions/” (without quotes)

Examples

starting from issue:

https://redmine.tails.boum.org/code/issues/17513
--> in section "Associated revisions" click on "Revision 04330e73"
https://redmine.tails.boum.org/code/projects/tails/repository/revisions/04330e7378edf443c379e65c32b0d9572428cb76
--> there click on any of "View differences" or "(diff)" links
https://redmine.tails.boum.org/code/projects/tails/repository/revisions/04330e7378edf443c379e65c32b0d9572428cb76/diff
--> "403"

--> manually change to
https://redmine.tails.boum.org/code/projects/tails/repository/diff?utf8=✓&rev=04330e7378edf443c379e65c32b0d9572428cb76
--> works!

starting from that issue again:

https://redmine.tails.boum.org/code/issues/17513
--> in section "Associated revisions" click this time "(diff)"
https://redmine.tails.boum.org/code/projects/tails/repository/revisions/04330e7378edf443c379e65c32b0d9572428cb76/diff
--> works! (w00t?!? same url! But different @referer@.)

also after “403”:

--> "changing" (simply going to adress bar and then press "<enter>") or copy-pasting link in new tab:
https://redmine.tails.boum.org/code/projects/tails/repository/revisions/04330e7378edf443c379e65c32b0d9572428cb76/diff
--> works! (as @referer@ is removed then)

Conclusion

I guess somewhere in the bug-tracker server configuration must be a function which checks the referer parameter if it begins exactly with following string and returns “403” if matched…

https://redmine.tails.boum.org/code/projects/tails/repository/revisions/

Any changes to the string will result in not triggering “403”. (Trailing character are ignored.)

(Maybe someone wanted to implement the inverse logic: if NOT matching() { return 403; }, that would make a least a bit more sense to me - but still feel wrong…)