Edgewall Software
Modify

Opened 14 years ago

Closed 14 years ago

#8981 closed defect (fixed)

Add more descriptive error message in case of enabled "secure_cookies"

Reported by: anatoly techtonik <techtonik@…> Owned by: Remy Blank
Priority: normal Milestone: 0.12
Component: admin/web Version: 0.11-stable
Severity: major Keywords: patch
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Christian Boos)

If you have enabled "secure_cookies" then every HTTP request will regenerate them, but won't receive back. This results in "Missing or invalid form token. Do you have cookies enabled?" error on every form submit.

Trac could detect this situation and provide more descriptive message as this issue is hard to debug, especially in combination with other bugs.

How to repeat

Create an empty virtual environment: 

# windows virtualenv setup
Scripts\trac-admin cookie_form_token initenv
Scripts\trac-admin cookie_form_token permission add anonymous TRAC_ADMIN

Edit cookie_form_token/conf/trac.ini and set secure_cookies = true 

# start server
Scripts\tracd -p 8000 -r -s cookie_form_token

Open page http://localhost:8000/admin/ticket/milestones and try to add new milestone.

Attachments (0)

Change History (6)

comment:1 by anatoly techtonik <techtonik@…>, 14 years ago

See also 5637#comment:26

comment:2 by Remy Blank, 14 years ago

Milestone: 0.11.70.12
Owner: set to Remy Blank

That makes sense, yes. Also, the documentation for secure_cookies could be improved to mention that case.

comment:3 by anatoly techtonik <techtonik@…>, 14 years ago

Keywords: patch added

Trivial patch. An ideal version should not generate secure_cookies through http requests at all.

  • trac/web/main.py

     
    199199                    if ctype in ('application/x-www-form-urlencoded',
    200200                                 'multipart/form-data') and \
    201201                            req.args.get('__FORM_TOKEN') != req.form_token:
    202                         raise HTTPBadRequest('Missing or invalid form token. '
    203                                              'Do you have cookies enabled?')
     202                        if self.env.secure_cookies and req.scheme == 'http':
     203                            raise HTTPBadRequest(
     204                               "''secure_cookies'' option is active. "
     205                               'You need to use https URL to access the form.')
     206                        else:
     207                            raise HTTPBadRequest(
     208                               'Missing or invalid form token. '
     209                               'Do you have cookies enabled?')
    204210
    205211                # Process the request and render the template
    206212                resp = chosen_handler.process_request(req)

comment:4 by Christian Boos, 14 years ago

Description: modified (diff)

comment:5 by anatoly techtonik <techtonik@…>, 14 years ago

Seems like its impossible to prevent Cookies from being set if 'secure_cookies' Trac is accessed by http protocol. Cookies are sent in Request::_send_cookie_headers() at source:branches/0.11-stable/trac/web/api.py@8375:538#L533 and this method doesn't have access to env.config to check the value of secure_cookies

comment:6 by Remy Blank, 14 years ago

Resolution: fixed
Status: newclosed

Committed a variant of comment:3 in [9228] (and added translation markers for that error message).

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Remy Blank.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Remy Blank to the specified user.

Add Comment
E-mail address and name can be saved in the Preferences .
AttachmentsDescription
 
Note: See TracTickets for help on using tickets.