Opened 18 years ago
Closed 18 years ago
#4122 closed defect (fixed)
XmlRpcPlugin does not work with Trac 0.10.1 due to CSRF fix.
Reported by: | | Owned by: | Jonas Borgström
---|---|---|---
Priority: | normal | Milestone: | 0.10.2
Component: | general | Version: | 0.10.1
Severity: | normal | Keywords: | CSRF form_token xmlrpc
Cc: | shunichi.goto@… | Branch: |
Release Notes: | | |
API Changes: | | |
Internal Changes: | | |
Description (last modified by )
The form_token cookie introduced in Trac 0.10.1 prevents XML-RPC access because the client cannot get a valid cookie, and every POST request is checked before the handler is called. So XmlRpcPlugin does not work at all.
As a local workaround, I patched it to exclude content-type text/xml, but the security aspects have not been considered. What is the right way?
-
main.py
old new 221 221 # Process the request and render the template 222 222 try: 223 223 try: 224 ctype = req.get_header('Content-Type') 225 if ctype: 226 ctype = ctype.split(';')[0].strip().lower() 224 227 # Protect against CSRF attacks. 225 228 if (req.method == 'POST' and 229 ctype != 'text/xml' and 226 230 req.args.get('__FORM_TOKEN') != req.form_token): 227 231 raise TracError('Missing or invalid form token. ' 228 232 'Do you have cookies enabled?')
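Review bot: the added `ctype != 'text/xml'` condition keys the CSRF exemption off a header the client chooses, so any cookie-bearing POST that declares `text/xml` skips the token check, not only XML-RPC traffic; narrow it, for example by skipping the token check only when the request carries no Trac session cookie (the XML-RPC client authenticates per request rather than through ambient browser cookies, which is what the form token is there to defend against), or by letting the XML-RPC handler opt out explicitly instead of deciding in `main.py`. Minor: the three `ctype` lines run for every request including GET; move them under the `req.method == 'POST'` branch so the header is only parsed where it matters.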
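The double-submit check the description refers to, as an added example (not Trac's code, and not the fix adopted in 0.10.2): a minimal model of the 0.10.1 form-token rule, of the reporter's Content-Type exemption, and of an assumed tighter rule that exempts a `text/xml` POST only when it carries no cookies at all. The `Request` class, the `trac_form_token` cookie name, the sample requests and the hardened rule are assumptions made for illustration.

```python
# Added example: a minimal model of the Trac 0.10.1 double-submit form-token
# check and of why exempting requests by Content-Type alone is weak.
# Not Trac's code; the Request class, header/cookie names and the
# "no cookie" exemption are assumptions made for this illustration.
import secrets


class TracError(Exception):
    """Stand-in for trac.core.TracError."""


class Request:
    """Tiny stand-in for trac.web.api.Request (constructed for this example)."""

    def __init__(self, method, args=None, headers=None, cookies=None):
        self.method = method
        self.args = dict(args or {})
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.cookies = dict(cookies or {})
        # The token lives in a cookie (assumed name: trac_form_token) and must be
        # echoed back as the __FORM_TOKEN argument. If no cookie arrived, a fresh
        # token is minted, so a POST without the cookie can never match.
        self.form_token = self.cookies.get('trac_form_token') or secrets.token_hex(12)

    def get_header(self, name):
        return self.headers.get(name.lower())


def content_type(req):
    """Media type without parameters: 'text/xml; charset=utf-8' -> 'text/xml'."""
    ctype = req.get_header('Content-Type')
    return ctype.split(';')[0].strip().lower() if ctype else None


def check_form_token_0_10_1(req):
    """Original rule: every POST must echo the cookie token (blocks XML-RPC too)."""
    if req.method == 'POST' and req.args.get('__FORM_TOKEN') != req.form_token:
        raise TracError('Missing or invalid form token. Do you have cookies enabled?')


def check_form_token_ctype_only(req):
    """Reporter's workaround: skip the check for text/xml bodies.
    The header is chosen by the client, so by itself it says nothing about
    whether the request rode in on a browser session."""
    if (req.method == 'POST' and content_type(req) != 'text/xml'
            and req.args.get('__FORM_TOKEN') != req.form_token):
        raise TracError('Missing or invalid form token. Do you have cookies enabled?')


def check_form_token_hardened(req):
    """Assumed hardening (not Trac's actual fix): a text/xml POST is exempt only
    when it carries no cookies at all, i.e. its authority comes from an explicit
    per-request credential rather than ambient browser state."""
    if req.method != 'POST':
        return
    if content_type(req) == 'text/xml' and not req.cookies:
        return
    if req.args.get('__FORM_TOKEN') != req.form_token:
        raise TracError('Missing or invalid form token. Do you have cookies enabled?')


def outcome(check, req):
    """Return 'allowed' or 'blocked' for a given rule applied to a request."""
    try:
        check(req)
        return 'allowed'
    except TracError:
        return 'blocked'


# Constructed sample requests.
TOKEN = secrets.token_hex(12)
# A normal browser form post: session cookies present, token echoed back.
browser_form = Request('POST', args={'__FORM_TOKEN': TOKEN, 'summary': 'x'},
                       headers={'Content-Type': 'application/x-www-form-urlencoded'},
                       cookies={'trac_form_token': TOKEN, 'trac_auth': 'sess'})
# An XML-RPC client: no cookies, credentials sent per request (placeholder value).
xmlrpc_client = Request('POST', args={},
                        headers={'Content-Type': 'text/xml; charset=utf-8',
                                 'Authorization': 'Basic PLACEHOLDER'})
# The CSRF case: the victim's cookies are attached, but the token is unknown
# to the sender and therefore absent from the arguments.
forged_request = Request('POST', args={'summary': 'x'},
                         headers={'Content-Type': 'text/xml'},
                         cookies={'trac_form_token': TOKEN, 'trac_auth': 'sess'})

if __name__ == '__main__':
    for name, check in [('0.10.1', check_form_token_0_10_1),
                        ('ctype-only', check_form_token_ctype_only),
                        ('hardened', check_form_token_hardened)]:
        print(name, outcome(check, browser_form), outcome(check, xmlrpc_client),
              outcome(check, forged_request))
```

Running it shows the three rules side by side: the 0.10.1 rule blocks both the XML-RPC client and the forged request, the Content-Type-only exemption lets both through, and the no-cookie exemption admits the XML-RPC client while still blocking the forged request, because the forged one arrives with the session cookies the token is meant to guard.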
Attachments (0)
Change History (2)
comment:1 by , 18 years ago
Description: | modified (diff) |
---|---|
Keywords: | CSRF form_token xmlrpc added |
Milestone: | → 0.10.2 |
Version: | devel → 0.10.1 |
comment:2 by , 18 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
(added 0.10.1 version)