Opened 18 years ago
Closed 17 years ago
#4993 closed enhancement (worksforme)
CSRF protection form_token breaks submit after process_request exception
| Reported by: | | Owned by: | Jonas Borgström |
|---|---|---|---|
| Priority: | low | Milestone: | |
| Component: | general | Version: | 0.10.3 |
| Severity: | minor | Keywords: | |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
At our site we have a form with method=POST in the header template. However, this form does not work if it is included in a document that caused an exception. This is because Trac does not add the _FORM_TOKEN hidden field to pages served after an exception occurred in the handler.
Normally the dispatcher calls req.display(), which in turn calls hdf.render(template, form_token). However, if an exception occurs, req.send_error() is called, which calls hdf.render(template) without the form token variable.
At our site we fixed this issue by adding the form_token to the hdf.render call in the send_error method of the req object in api.py. The display method just above the send_error method has an example of hdf.render with the form_token.
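The failure mode the reporter describes, as an added example that is not Trac's code and not part of the original ticket: a constructed `Request` class with a `display()` that renders the form token and a `send_error_broken()` that omits it, next to a `send_error_fixed()` that passes it through, plus a double-submit style check (`__FORM_TOKEN` field must equal the `trac_form_token` cookie, which is an assumption about the scheme rather than a transcription of 0.10's implementation). The template, method names and cookie name are illustrative only.

```python
import hmac
import re
import secrets
from string import Template

# Constructed header template with a POST form, standing in for the site's
# header template mentioned in the ticket. $form_token_field is where the
# hidden token input lands when the renderer is given a token.
HEADER_TEMPLATE = Template(
    '<form method="POST" action="/search">'
    '$form_token_field'
    '<input type="text" name="q"></form>'
)


class Request:
    """Minimal stand-in for the request object, with the two render paths."""

    def __init__(self):
        # Per-session token; the server also sets it as a cookie so that a
        # later POST can be compared against it (double-submit check).
        self.form_token = secrets.token_hex(16)
        self.cookies = {"trac_form_token": self.form_token}
        self.body = None

    @staticmethod
    def _render(template, form_token=None):
        # Only emit the hidden field when a token was actually supplied.
        field = (
            '<input type="hidden" name="__FORM_TOKEN" value="%s">' % form_token
            if form_token else ''
        )
        return template.substitute(form_token_field=field)

    def display(self, template):
        # Normal path: token is passed to the renderer.
        self.body = self._render(template, self.form_token)

    def send_error_broken(self, template):
        # Error path as described for 0.10.3: token never reaches the renderer,
        # so the header form is emitted without the hidden field.
        self.body = self._render(template)

    def send_error_fixed(self, template):
        # The reporter's local fix: pass the token on the error path too.
        self.body = self._render(template, self.form_token)


def extract_token(html):
    """Pull the hidden token out of the page, as a browser submit would."""
    m = re.search(r'name="__FORM_TOKEN" value="([0-9a-f]+)"', html)
    return m.group(1) if m else None


def check_post(req, posted_token):
    """Server-side CSRF check: posted field must match the session cookie."""
    if posted_token is None:
        return False
    return hmac.compare_digest(posted_token, req.cookies["trac_form_token"])


def submit_after(render):
    """Render the header form via `render`, then submit it back and check it."""
    req = Request()
    render(req, HEADER_TEMPLATE)
    return check_post(req, extract_token(req.body))


if __name__ == "__main__":
    print("display():          accepted =", submit_after(Request.display))
    print("send_error_broken():accepted =", submit_after(Request.send_error_broken))
    print("send_error_fixed(): accepted =", submit_after(Request.send_error_fixed))
```

Running it shows the normal page and the fixed error page both produce a form that submits successfully, while the broken error page produces a form with no hidden token, so the same POST is rejected by the CSRF check; a token copied from a different session is rejected as well, which is the property the hidden field exists to enforce.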
Attachments (0)
Change History (1)
comment:1 by , 17 years ago
| Milestone: | not applicable |
|---|---|
| Resolution: | → worksforme |
| Status: | new → closed |
In 0.11, this is no longer a problem. The form token will always be available as `${req.form_token}`. I can't see this will be fixed for 0.10.x, so I'm closing it with a recommendation to upgrade.