Ticket #4122 (closed defect: fixed)
Opened 5 years ago
Last modified 5 years ago
XmlRpcPlugin does not work with Trac 0.10.1 due to CSRF fix.
| Reported by: | Shun-ichi Goto <shunichi.goto@…> | Owned by: | jonas |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.10.2 |
| Component: | general | Version: | 0.10.1 |
| Severity: | normal | Keywords: | CSRF form_token xmlrpc |
| Cc: | shunichi.goto@… | ||
| Release Notes: | |||
| API Changes: | |||
Description (last modified by cboos)
The form_token cookie introduced in Trac 0.10.1 prevents
XML-RPC access because it cannot get a valid cookie, and
all POST requests are checked before the handler is called.
So XmlRpcPlugin does not work at all.
As a local workaround, I patched it to exclude content-type: text/xml,
but this does not consider the security aspects.
What is the right way?
main.py
old new 221 221 # Process the request and render the template 222 222 try: 223 223 try: 224 ctype = req.get_header('Content-Type') 225 if ctype: 226 ctype = ctype.split(';')[0].strip().lower() 224 227 # Protect against CSRF attacks. 225 228 if (req.method == 'POST' and 229 ctype != 'text/xml' and 226 230 req.args.get('__FORM_TOKEN') != req.form_token): 227 231 raise TracError('Missing or invalid form token. ' 228 232 'Do you have cookies enabled?')
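Review bot: keying the exemption on the request's Content-Type header (`ctype != 'text/xml'`) switches the form-token check off for every POST handler in Trac, not only for XML-RPC, because the header is chosen by the client rather than derived from which handler will serve the request; the reporter already notes the workaround was not considered for security. Suggest scoping the exemption to the handler instead: let the XML-RPC handler declare that it does not use the form token, or skip the check only for that handler and only when the request carries no cookie session (a request authenticated solely by an explicit Authorization header has no ambient credential for a cross-site request to reuse), and keep the existing `req.args.get('__FORM_TOKEN') != req.form_token` check for everything else.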
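As an added illustration (not Trac's or XmlRpcPlugin's code), a small Python model of the 0.10.1 form-token check, the Content-Type exemption from the patch above, and a handler-scoped alternative; the `/xmlrpc` path and the `trac_auth` session cookie name are assumptions.

```python
import secrets
from dataclasses import dataclass, field


class TracError(Exception):
    pass


@dataclass
class Request:
    method: str
    path: str
    args: dict = field(default_factory=dict)     # parsed POST fields
    cookies: dict = field(default_factory=dict)  # cookies sent by the client
    headers: dict = field(default_factory=dict)


def form_token(req):
    # Double-submit token: 0.10.1 keeps it in the trac_form_token cookie and
    # expects it echoed back in the __FORM_TOKEN POST field. A client without
    # the cookie is handed a fresh token it cannot know yet, so it never matches.
    return req.cookies.get("trac_form_token") or secrets.token_hex(8)


def check_0_10_1(req):
    """The check as shipped in 0.10.1: every POST must carry a matching token."""
    if req.method == "POST" and req.args.get("__FORM_TOKEN") != form_token(req):
        raise TracError("Missing or invalid form token. Do you have cookies enabled?")


def check_patched(req):
    """The ticket's local workaround: skip the check when Content-Type is text/xml.
    The header is chosen by the client, so the exemption reaches every handler."""
    ctype = (req.headers.get("Content-Type") or "").split(";")[0].strip().lower()
    if ctype == "text/xml":
        return
    check_0_10_1(req)


CSRF_EXEMPT_PATHS = {"/xmlrpc"}  # assumed path of the XML-RPC handler


def check_scoped(req):
    """Alternative: exempt only the XML-RPC handler, and only when the request
    carries no cookie credentials. A request forged from a victim's browser
    always carries the session cookie (assumed name trac_auth), so it is still
    subject to the token check."""
    if req.path in CSRF_EXEMPT_PATHS and "trac_auth" not in req.cookies:
        return
    check_0_10_1(req)


def dispatch(req, check):
    """Return 'ok' if the request would reach its handler, else 'rejected'."""
    try:
        check(req)
    except TracError:
        return "rejected"
    return "ok"
```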
Change History
comment:1 Changed 5 years ago by cboos
- Description modified
- Keywords CSRF form_token xmlrpc added
- Milestone set to 0.10.2
- Version changed from devel to 0.10.1
comment:2 Changed 5 years ago by jonas
- Resolution set to fixed
- Status changed from new to closed
(added 0.10.1 version)