uglyeoin - 30 Nov 2022

Steps to reproduce the issue

I'm not sure how the error is created but I'm worried it could be an attempt at security.

I get this error message sent through from Admin Tools because of a PHP Fatal error. I am not the one creating this error so I can't really give information as to when it occurs, I just get an email telling me there was a fatal error.

```text
A PHP Exception occurred on your site. Here you can find the stack trace:
Exception Type: Joomla\CMS\Application\Exception\NotAcceptable
File: /home/*****co/public_html/libraries/src/Application/ApiApplication.php
Line: 273
Message: Could not match accept header
#0 /home/*****co/public_html/libraries/src/Application/ApiApplication.php(104): Joomla\CMS\Application\ApiApplication->route()
#1 /home/*****co/public_html/libraries/src/Application/CMSApplication.php(278): Joomla\CMS\Application\ApiApplication->doExecute()
#2 /home/*****co/public_html/api/includes/app.php(54): Joomla\CMS\Application\CMSApplication->execute()
#3 /home/*****co/public_html/api/index.php(31): require_once('/home/*****c...')
#4 {main}
Request information
GET variables
Array
(
)
POST variables
Array
(
)
COOKIE variables
Array
(
)
REQUEST variables
Array
(
)
SERVER variables
Array
(
    [PATH] => /usr/local/bin:/bin:/usr/bin
    [HTTP_CONNECTION] => Keep-Alive
    [HTTP_HOST] => *****.co.uk
    [HTTP_X_HTTPS] => 1
    [DOCUMENT_ROOT] => /home/*****co/public_html
    [REMOTE_ADDR] => 13.90.211.8
    [REMOTE_PORT] => 5568
    [SERVER_ADDR] => 5.134.13.32
    [SERVER_NAME] => .co.uk
    [SERVER_ADMIN] => webmaster@.co.uk
    [SERVER_PORT] => 443
    [REQUEST_SCHEME] => https
    [REQUEST_URI] => /api/Probe
    [REDIRECT_URL] => /api/Probe
    [REDIRECT_REQUEST_METHOD] => GET
    [HTTPS] => on
    [HTTP_AUTHORIZATION] =>
    [REDIRECT_STATUS] => 200
    [SSL_PROTOCOL] => TLSv1.2
    [SSL_CIPHER] => ECDHE-RSA-AES256-SHA
    [SSL_CIPHER_USEKEYSIZE] => 256
    [SSL_CIPHER_ALGKEYSIZE] => 256
    [SCRIPT_FILENAME] => /home/co/public_html/api/index.php
    [QUERY_STRING] =>
    [SCRIPT_URI] => https://.co.uk/api/Probe
    [SCRIPT_URL] => /api/Probe
    [SCRIPT_NAME] => /api/index.php
    [SERVER_PROTOCOL] => HTTP/1.1
    [SERVER_SOFTWARE] => LiteSpeed
    [REQUEST_METHOD] => GET
    [X-LSCACHE] => on,crawler
    [PHP_SELF] => /api/index.php
    [REQUEST_TIME_FLOAT] => 1669763984.4175
    [REQUEST_TIME] => 1669763984
)
```

Expected result

No PHP errors

Actual result

A PHP error

System information (as much as possible)

systeminfo-2022-11-30T10_54_30+00_00.txt

Additional comments

uglyeoin - open - 30 Nov 2022
uglyeoin - change - 30 Nov 2022
Labels Removed: ?
joomla-cms-bot - change - 30 Nov 2022
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 30 Nov 2022

wilsonge - comment - 30 Nov 2022

NotAcceptable suggests that you aren't setting a valid Accept header in your API request to tell Joomla what content type is required.

This isn't necessarily a security breach - it just means someone somewhere is trying to use the Joomla 4 API and getting the syntax wrong. Validating the type of request occurs before authentication (because we need to know what format to send the authentication error in). So it's likely nothing to be concerned about.
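
The triage logic implied by the comment above, as an added example that is not part of the thread, of Joomla or of Admin Tools: it parses reports in the format quoted in the issue (the `Exception Type:` line plus `[KEY] => value` SERVER variables) and separates the expected NotAcceptable noise (an unauthenticated GET to `/api/...` that sent no Accept header) from reports worth a human look. The sample reports and addresses are constructed.

```python
"""Triage Joomla 4 API exception reports like the one Admin Tools e-mailed
in this thread. Added example, not code from the thread, Joomla or Admin Tools.
Input format assumed: the 'Exception Type:' line plus '[KEY] => value' lines."""
import re
from collections import Counter

# Constructed sample reports in the format quoted in the issue (not real traffic).
SAMPLE_REPORTS = [
    "Exception Type: Joomla\\CMS\\Application\\Exception\\NotAcceptable\n"
    "[REMOTE_ADDR] => 203.0.113.10\n[REQUEST_URI] => /api/Probe\n"
    "[REQUEST_METHOD] => GET\n[HTTP_AUTHORIZATION] =>\n",
    "Exception Type: Joomla\\CMS\\Application\\Exception\\NotAcceptable\n"
    "[REMOTE_ADDR] => 203.0.113.10\n[REQUEST_URI] => /api/index.php/v1/users\n"
    "[REQUEST_METHOD] => GET\n[HTTP_AUTHORIZATION] => Bearer REDACTED\n",
    "Exception Type: RuntimeException\n"
    "[REMOTE_ADDR] => 198.51.100.7\n[REQUEST_URI] => /index.php\n"
    "[REQUEST_METHOD] => POST\n[HTTP_AUTHORIZATION] =>\n",
]

FIELD_RE = re.compile(r"^\[(\w+)\] => ?(.*)$", re.M)


def parse_report(text):
    """Return the exception class plus the SERVER variables as a dict."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    m = re.search(r"^Exception Type: (.+)$", text, re.M)
    fields["EXCEPTION"] = m.group(1).strip() if m else ""
    return fields


def classify(report):
    """Expected noise per the thread: NotAcceptable on /api/ from a client
    that sent neither an Accept nor an Authorization header. Anything else,
    including a NotAcceptable that carried credentials, goes to 'review'."""
    noise = (
        report.get("EXCEPTION", "").endswith("NotAcceptable")
        and report.get("REQUEST_URI", "").startswith("/api/")
        and "HTTP_ACCEPT" not in report
        and report.get("HTTP_AUTHORIZATION", "") == ""
    )
    return "expected-api-noise" if noise else "review"


def triage(reports):
    """Tally (remote address, verdict) pairs so repeat probers stand out."""
    counts = Counter()
    for text in reports:
        r = parse_report(text)
        counts[(r.get("REMOTE_ADDR", "?"), classify(r))] += 1
    return counts
```

Feeding a mailbox of these reports through `triage` turns a stream of identical e-mails into one count per source address, which is the view that lets you tell background probing from something that changed.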

uglyeoin - comment - 1 Dec 2022

I guess the problem is that I am not putting in any requests, I didn't even realise that the API was turned on by default (I thought off was the default setting).

Whether it's a security breach or not, should it cause a PHP error or a different response?

wilsonge - change - 2 Dec 2022
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2022-12-02 09:59:37
Closed_By: wilsonge
wilsonge - close - 2 Dec 2022

wilsonge - comment - 2 Dec 2022

The API at this level is always on. It’s just only super users will have permissions to utilise it. The error being given here is correct and expected.

The API uses exceptions as its primary resolution mechanism. If anything this is an Admin Tools bug (but nic may well argue it's working as expected and that's down to him :) ) because it should probably hook after our exception handler for the API https://github.com/joomla/joomla-cms/blob/4.2-dev/libraries/src/Error/Renderer/JsonapiRenderer.php to take into account "known" API exceptions.

Either way, this is working as expected from a core perspective.

pgavanuatu - comment - 23 Jan 2023

Completely disagree with wilsonge.

This "expected" behaviour is filling up error logs for nothing.

There must be a way to put the api off "at this level" or to manage the error for it to not be sent upstairs...


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39332.

pgavanuatu - comment - 23 Jan 2023

Only solution for now... redirect in htaccess...


uglyeoin - comment - 23 Jan 2023

@pgavanuatu but he said it was an Admin Tools thing, not a core thing. Therefore they can't fix it.

But I think it's a mistake to have the API turned on by default. It's another hole for no reason.


pgavanuatu - comment - 23 Jan 2023

Again I disagree... Admin Tools sends an email because there is an error... the fact that the error.log is filled up is a core concern.
The API is raising an error where it must not reply at all, as there are no parameters or credentials at all in the URL...
They must do different stuff depending on the type of error instead of raising an error:

```text
Exception Type: Joomla\CMS\Application\Exception\NotAcceptable
File: /home/xxxx/public_html/libraries/src/Application/ApiApplication.php
```

pgavanuatu - comment - 22 Apr 2023

For those who have the problem, in .htaccess:

```apache
RewriteEngine On
RewriteRule ^api/(.*)$ /$1 [R=301,L]
```

kulbabskyy - comment - 13 Mar 2024

The correct rule is:

```apache
RedirectMatch 301 ^/api/.*$ /
```
