Context Navigation

Modify ↓

#4122 closed defect (fixed)

XmlRpcPlugin does not work with Trac 0.10.1 due to CSRF fix.

Reported by:	Shun-ichi Goto <shunichi.goto@…>	Owned by:	Jonas Borgström
Priority:	normal	Milestone:	0.10.2
Component:	general	Version:	0.10.1
Severity:	normal	Keywords:	CSRF form_token xmlrpc
Cc:	shunichi.goto@…	Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Christian Boos)

The form_token cookie introduced in Trac 0.10.1 prevents XML-RPC access because it cannot get valid cookie and all the POST request is checked before handler is called. So XmlRpcPlugin does not work at all.

For local workaround, I patched to exclude content-type: text/xml but it is not considered for security aspects. What is the right way?

main.py

-              old
+              new
         # Process the request and render the template
         try:
             try:
+                ctype = req.get_header('Content-Type')
+                if ctype:
+                    ctype = ctype.split(';')[0].strip().lower()
                 # Protect against CSRF attacks.
                 if (req.method == 'POST' and
+                    ctype != 'text/xml' and
                     req.args.get('__FORM_TOKEN') != req.form_token):
                     raise TracError('Missing or invalid form token. '
                                     'Do you have cookies enabled?')

Attachments (0)

Change History (2)

comment:1 by Christian Boos, 17 years ago

Description:	modified (diff)
Keywords:	CSRF form_token xmlrpc added
Milestone:	→ 0.10.2
Version:	devel → 0.10.1

(added 0.10.1 version)

comment:2 by Jonas Borgström, 17 years ago

Resolution:	→ fixed
Status:	new → closed

Thanks, I've committed a modified version of the patch to trunk and 0.10-stable, see r4243 (trunk) and r4244 (0.10-stable).

Modify Ticket

Change Properties

Summary:
Description:	The form_token cookie introduced in Trac 0.10.1 prevents XML-RPC access because it cannot get valid cookie and all the POST request is checked before handler is called. So [TH:XmlRpcPlugin] does not work at all. For local workaround, I patched to exclude content-type: text/xml but it is not considered for security aspects. What is the right way? {{{ #!diff --- main.py.orig Fri Nov 10 09:18:48 2006 +++ main.py Fri Nov 10 09:19:36 2006 @@ -221,8 +221,12 @@ # Process the request and render the template try: try: + ctype = req.get_header('Content-Type') + if ctype: + ctype = ctype.split(';')[0].strip().lower() # Protect against CSRF attacks. if (req.method == 'POST' and + ctype != 'text/xml' and req.args.get('__FORM_TOKEN') != req.form_token): raise TracError('Missing or invalid form token. ' 'Do you have cookies enabled?') }}} You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Jonas Borgström.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Jonas Borgström to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: