XmlRpcPlugin does not work with Trac 0.10.1 due to CSRF fix.

[Shun-ichi Goto <shunichi.goto@…>]

The form_token cookie introduced in Trac 0.10.1 prevents XML-RPC access because it cannot get valid cookie and all the POST request is checked before handler is called. So TracHacks:XmlRpcPlugin does not work at all.

For local workaround, I patched to exclude content-type: text/xml but it is not considered for security aspects. What is the right way?

main.py

@@ -221 +221 @@
         # Process the request and render the template
         try:
             try:
+                ctype = req.get_header('Content-Type')
+                if ctype:
+                    ctype = ctype.split(';')[0].strip().lower()
                 # Protect against CSRF attacks.
                 if (req.method == 'POST' and
+                    ctype != 'text/xml' and
                     req.args.get('__FORM_TOKEN') != req.form_token):
                     raise TracError('Missing or invalid form token. '
                                     'Do you have cookies enabled?')

[cboos]

(added 0.10.1 version)

[jonas]

Thanks, I've committed a modified version of the patch to trunk and 0.10-stable, see r4243 (trunk) and r4244 (0.10-stable).