Opened 17 years ago
Last modified 17 years ago
#4122 closed defect
XmlRpcPlugin does not work with Trac 0.10.1 due to CSRF fix. — at Version 1
| Reported by: | Owned by: | Jonas Borgström | |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.10.2 |
| Component: | general | Version: | 0.10.1 |
| Severity: | normal | Keywords: | CSRF form_token xmlrpc |
| Cc: | shunichi.goto@… | Branch: | |
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description (last modified by )
The form_token cookie introduced in Trac 0.10.1 prevents XML-RPC access because it cannot get valid cookie and all the POST request is checked before handler is called. So XmlRpcPlugin does not work at all.
For local workaround, I patched to exclude content-type: text/xml but it is not considered for security aspects. What is the right way?
-
main.py
old new 221 221 # Process the request and render the template 222 222 try: 223 223 try: 224 ctype = req.get_header('Content-Type') 225 if ctype: 226 ctype = ctype.split(';')[0].strip().lower() 224 227 # Protect against CSRF attacks. 225 228 if (req.method == 'POST' and 229 ctype != 'text/xml' and 226 230 req.args.get('__FORM_TOKEN') != req.form_token): 227 231 raise TracError('Missing or invalid form token. ' 228 232 'Do you have cookies enabled?')
Change History (1)
comment:1 by , 17 years ago
| Description: | modified (diff) |
|---|---|
| Keywords: | CSRF form_token xmlrpc added |
| Milestone: | → 0.10.2 |
| Version: | devel → 0.10.1 |
Note:
See TracTickets
for help on using tickets.
(added 0.10.1 version)