Edgewall Software

Opened 13 years ago

Closed 13 years ago

#4122 closed defect (fixed)

XmlRpcPlugin does not work with Trac 0.10.1 due to CSRF fix.

Reported by: Shun-ichi Goto <shunichi.goto@…>
Owned by: Jonas Borgström
Priority: normal
Milestone: 0.10.2
Component: general
Version: 0.10.1
Severity: normal
Keywords: CSRF form_token xmlrpc
Cc: shunichi.goto@…
Branch:
Release Notes:
API Changes:

Description (last modified by Christian Boos)

The form_token cookie introduced in Trac 0.10.1 prevents XML-RPC access, because it cannot get a valid cookie and every POST request is checked before the handler is called. So XmlRpcPlugin does not work at all.

As a local workaround, I patched it to exclude content-type text/xml, but the security aspects have not been considered. What is the right way?

  • main.py

    old new  
    221221        # Process the request and render the template
    222222        try:
    223223            try:
     224                ctype = req.get_header('Content-Type')
     225                if ctype:
     226                    ctype = ctype.split(';')[0].strip().lower()
    224227                # Protect against CSRF attacks.
    225228                if (req.method == 'POST' and
     229                    ctype != 'text/xml' and
    226230                    req.args.get('__FORM_TOKEN') != req.form_token):
    227231                    raise TracError('Missing or invalid form token. '
    228232                                    'Do you have cookies enabled?')
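Review bot: the exemption added at `ctype != 'text/xml' and` is keyed on a header the client chooses, not on which handler will process the request, so any POST that carries the victim's form_token cookie and claims Content-Type: text/xml now skips the __FORM_TOKEN comparison for every POST dispatched through main.py, not only for the XML-RPC one; and if the RPC handler itself authenticates through the same cookie session, the CSRF exposure is only moved to that endpoint. Suggest keeping the token check on by default and letting the component that handles the request opt out explicitly (because it authenticates each request on its own, for example with HTTP Basic), rather than a global Content-Type test in the dispatcher. The `split(';')[0].strip().lower()` normalisation is fine, but the comment "Protect against CSRF attacks." should also mention the exemption so a later reader knows the check is no longer unconditional.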

Attachments (0)
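The check in the description above, modelled as an added example (this is not Trac's main.py nor XmlRpcPlugin code, and the modified fix Jonas committed is not shown on this page). The Request class, the cookie name trac_form_token, the handler table with the /xmlrpc and /newticket paths and the HTTP Basic credentials are all assumptions made for the example. It contrasts the reporter's Content-Type exemption with an exemption declared by the handler that will process the request, and shows which constructed requests each variant lets through.

```python
# Added example for Trac ticket #4122; not Trac's or XmlRpcPlugin's code.
# Models the double-submit form-token check from the ticket's patch.
import hmac
import secrets
from dataclasses import dataclass

COOKIE_NAME = 'trac_form_token'   # assumption: name of the form-token cookie


@dataclass
class Request:
    """Minimal stand-in for Trac's Request object (an assumption, not Trac's API)."""
    method: str
    path: str
    headers: dict
    args: dict
    cookies: dict

    def get_header(self, name):
        # Case-insensitive lookup, like the req.get_header() call in the patch.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None

    @property
    def form_token(self):
        # The expected token lives in a cookie set on the client's first visit.
        return self.cookies.get(COOKIE_NAME)


def issue_form_token():
    """Fresh random token; the server sets it as the cookie and embeds it in forms."""
    return secrets.token_hex(16)


def content_type(req):
    """Normalise Content-Type the way the patch does: drop parameters, lowercase."""
    ctype = req.get_header('Content-Type')
    if ctype:
        ctype = ctype.split(';')[0].strip().lower()
    return ctype


def tokens_match(req):
    """Double-submit check: the __FORM_TOKEN field must equal the cookie value."""
    sent = req.args.get('__FORM_TOKEN')
    expected = req.form_token
    return bool(sent) and bool(expected) and hmac.compare_digest(sent, expected)


def check_by_content_type(req):
    """The reporter's workaround: every POST claiming text/xml skips the token check."""
    if req.method != 'POST':
        return True
    if content_type(req) == 'text/xml':
        return True          # exemption keyed on a header the client chooses
    return tokens_match(req)


# Hypothetical handler table: each handler states whether it relies on the cookie
# session (so it needs the token) or authenticates every request by itself.
HANDLERS = {
    '/newticket': {'uses_cookie_session': True},
    '/xmlrpc':    {'uses_cookie_session': False},  # e.g. HTTP Basic on each call
}


def check_by_handler(req):
    """Exemption tied to the handler, not to a request header; unknown paths fail closed."""
    if req.method != 'POST':
        return True
    handler = HANDLERS.get(req.path)
    if handler is None:
        return False
    if not handler['uses_cookie_session']:
        return True
    return tokens_match(req)


# Constructed sample requests (not captured traffic).
TOKEN = issue_form_token()


def legit_form_post():
    # Browser form submission: cookie and hidden field carry the same token.
    return Request('POST', '/newticket',
                   {'Content-Type': 'application/x-www-form-urlencoded'},
                   {'__FORM_TOKEN': TOKEN, 'summary': 'real ticket'},
                   {COOKIE_NAME: TOKEN})


def forged_xml_post():
    # Cross-site request: the victim's cookie rides along, the sender sets the
    # header but cannot read the token, so no __FORM_TOKEN is supplied.
    return Request('POST', '/newticket',
                   {'Content-Type': 'text/xml; charset=utf-8'},
                   {'summary': 'injected ticket'},
                   {COOKIE_NAME: TOKEN})


def xmlrpc_post():
    # Genuine RPC client: no cookie at all, authenticates with HTTP Basic (user:pass).
    return Request('POST', '/xmlrpc',
                   {'Content-Type': 'text/xml',
                    'Authorization': 'Basic dXNlcjpwYXNz'},
                   {}, {})
```

Under the Content-Type variant the forged POST to /newticket passes, because the only thing it had to do was set a header; under the handler variant it is rejected while the XML-RPC call, which never relied on the cookie session, still goes through. Whichever form the real fix takes, the handler that is exempted from the token must carry its own per-request authentication, otherwise the exemption just relocates the CSRF problem.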

Change History (2)

comment:1 by Christian Boos, 13 years ago

Description: modified (diff)
Keywords: CSRF form_token xmlrpc added
Milestone: 0.10.2
Version: devel → 0.10.1

(added 0.10.1 version)

comment:2 by Jonas Borgström, 13 years ago

Resolution: fixed
Status: new → closed

Thanks, I've committed a modified version of the patch to trunk and 0.10-stable, see r4243 (trunk) and r4244 (0.10-stable).
