500 error on attempt to download missing file submissions via "N unread"

[zenmonkeykstop]

Description

Instead of displaying a flash message when an attempt is made to download submissions with missing files as per #5573, a 500 error page is thrown.

Steps to Reproduce

• Submit multiple files via the SI
• delete one from the store on the app server
• attempt to download via "N unread" link on JI.

Expected Behavior

flash message as per #5573

Actual Behavior

500 error - log snippet as follows:

[Tue Jan 19 15:22:53.383599 2021] [wsgi:error] [pid 9079:tid 129094200379136] [remote 127.0.0.1:52938] ERROR:flask.app:File /var/lib/securedrop/store/D7NFN2FZRXJVQIU7FBLUCLPGMGM6YUEQ7WLNY6Y2U5IVFOGTQEFO6NGONBE6YKOBE54O6O4QR52VK7BPXBG26HXZXJPT33CCVBEJDSY=/1-homemade_flanker-msg.gpg not found
[Tue Jan 19 15:22:54.033482 2021] [wsgi:error] [pid 9080:tid 129094009444096] [remote 127.0.0.1:52938] ERROR:flask.app:Exception on /download_unread/None [GET]
[Tue Jan 19 15:22:54.033503 2021] [wsgi:error] [pid 9080:tid 129094009444096] [remote 127.0.0.1:52938] Traceback (most recent call last):
[Tue Jan 19 15:22:54.033507 2021] [wsgi:error] [pid 9080:tid 129094009444096] [remote 127.0.0.1:52938]   File "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages/flask/app.py", line 2292, in wsgi_app
[Tue Jan 19 15:22:54.033510 2021] [wsgi:error] [pid 9080:tid 129094009444096] [remote 127.0.0.1:52938]     response = self.full_dispatch_request()
[Tue Jan 19 15:22:54.033512 2021] [wsgi:error] [pid 9080:tid 129094009444096] [remote 127.0.0.1:52938]   File "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages/flask/app.py", line 1815, in full_dispatch_request
[Tue Jan 19 15:22:54.033515 2021] [wsgi:error] [pid 9080:tid 129094009444096] [remote 127.0.0.1:52938]     rv = self.handle_user_exception(e)
[Tue Jan 19 15:22:54.033518 2021] [wsgi:error] [pid 9080:tid 129094009444096] [remote 127.0.0.1:52938]   File "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages/flask/app.py", line 1718, in handle_user_exception
[Tue Jan 19 15:22:54.033520 2021] [wsgi:error] [pid 9080:tid 129094009444096] [remote 127.0.0.1:52938]     reraise(exc_type, exc_value, tb)
[Tue Jan 19 15:22:54.033523 2021] [wsgi:error] [pid 9080:tid 129094009444096] [remote 127.0.0.1:52938]   File "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages/flask/_compat.py", line 35, in reraise
[Tue Jan 19 15:22:54.033526 2021] [wsgi:error] [pid 9080:tid 129094009444096] [remote 127.0.0.1:52938]     raise value
[Tue Jan 19 15:22:54.033537 2021] [wsgi:error] [pid 9080:tid 129094009444096] [remote 127.0.0.1:52938]   File "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages/flask/app.py", line 1813, in full_dispatch_request

Please provide screenshots where appropriate.

Comments

Suggestions to fix, any other relevant information.

[rmol]

Confirmed. Following STR with Tor Browser and the JI via the Onion service results in a broken redirect being issued, because Tor Browser has network.http.referer.hideOnionSource set to true, and the exception handling in #5573 gets no referrer, hence the request for /download_unread/None.

I'm looking into alternatives for the redirect.

[rmol]

I was wrong about the cause. Even with network.http.referer.hideOnionSource set true, the Referer header is being sent if I disable Header set Referrer-Policy "no-referrer" in the journalist interface Apache config.