Edgewall Software

Opened 16 years ago

Closed 16 years ago

#4122 closed defect (fixed)

XmlRpcPlugin does not work with Trac 0.10.1 due to CSRF fix.

Reported by: Shun-ichi Goto <shunichi.goto@…> Owned by: Jonas Borgström
Priority: normal Milestone: 0.10.2
Component: general Version: 0.10.1
Severity: normal Keywords: CSRF form_token xmlrpc
Cc: shunichi.goto@… Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Christian Boos)

The form_token cookie introduced in Trac 0.10.1 prevents XML-RPC access because it cannot get valid cookie and all the POST request is checked before handler is called. So XmlRpcPlugin does not work at all.

For local workaround, I patched to exclude content-type: text/xml but it is not considered for security aspects. What is the right way?

  • main.py

    old new  
    221221        # Process the request and render the template
    222222        try:
    223223            try:
     224                ctype = req.get_header('Content-Type')
     225                if ctype:
     226                    ctype = ctype.split(';')[0].strip().lower()
    224227                # Protect against CSRF attacks.
    225228                if (req.method == 'POST' and
     229                    ctype != 'text/xml' and
    226230                    req.args.get('__FORM_TOKEN') != req.form_token):
    227231                    raise TracError('Missing or invalid form token. '
    228232                                    'Do you have cookies enabled?')

Attachments (0)

Change History (2)

comment:1 by Christian Boos, 16 years ago

Description: modified (diff)
Keywords: CSRF form_token xmlrpc added
Milestone: 0.10.2
Version: devel0.10.1

(added 0.10.1 version)

comment:2 by Jonas Borgström, 16 years ago

Resolution: fixed
Status: newclosed

Thanks, I've committed a modified version of the patch to trunk and 0.10-stable, see r4243 (trunk) and r4244 (0.10-stable).

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain Jonas Borgström.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jonas Borgström to the specified user.

Add Comment

E-mail address and name can be saved in the Preferences .
Note: See TracTickets for help on using tickets.