Christopher Lenz wrote:
> On 10.11.2006 at 14:06, osimons wrote:
>> However, just found a new issue with the XML-RPC plugin not working
>> anymore - it now gives off a 500 Internal Server Error for all
>> requests.
>> I tested it on 0.10 ten seconds before upgrade, and the same lines after
>> upgrade give an error.
>>
>> My initial thought is with the new security fix that traps POST forms
>> going out, and all POST requests coming in requiring a token. I quickly
>> scanned xmlrpclib.py, and see that they also use POST to send
>> requests.
>>
>> I also had another issue with our custom 'AJAX' navigation that posts
>> through an XmlHttpRequest to populate a list of projects where a user
>> has access. That I managed to get around by changing to GET as I
>> wasn't actually posting any parameters. I am stuck for how to implement
>> new such features that require POST without access to a token from the
>> client side, or even from template HDF - it will likely be an ugly hack...
>>
>> I think there has to be some adjustments to the "trap all" behavior of
>> the current fix.
>
> Doh, good point. We should only require the form token on POST
> requests that have one of the content-types
> "application/x-www-form-urlencoded" and "multipart/form-data".
I'm not sure we can trust the content-type. I took a quick look at the
FieldStorage code (in cgi.py) and it looks like it would be possible for
an attacker to circumvent this by:

1. Doing a POST request without any content-type at all.
2. Setting content-type to "multipart/whatever"

(There might be other ways since the code is a little bit difficult to
follow.)

So if we're going down this road we really need to audit the FieldStorage
class to make sure there is no way to get around it. Even better (safer)
would be to go with Shun-ichi Goto's original suggestion and only disable
the token validation for known safe content types such as text/xml.

Another option would be to add a way for plugins to disable this check on
a per-request basis. But I have no idea on how this would best be
implemented.

Cheers,
Jonas

You received this message because you are subscribed to the Google Groups "Trac Development" group.
For more options, visit this group at http://groups.google.com/group/trac-dev?hl=en
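The three token policies discussed in this thread (the deployed "trap all" fix, Christopher's content-type deny-list, and Goto's allow-list of known safe types) can be compared against what a cgi.FieldStorage-style parser actually consumes as form fields. The following is an added example written for this page, not Trac's code and not from anyone in the thread: parsed_as_form() mirrors the dispatch in cgi.py's FieldStorage (a POST with no Content-Type is read as application/x-www-form-urlencoded, and any type starting with "multipart/" goes to the multipart reader as long as a boundary parameter is present), the SAFE_TYPES allow-list containing only text/xml is an assumption, and the sample requests are constructed.

```python
# Added example (not Trac's code, not from the thread): which POST requests a
# cgi.FieldStorage-style parser consumes as form fields, compared with three
# form-token policies. SAFE_TYPES is an assumed allow-list (text/xml, as
# XML-RPC uses); REQUESTS is a constructed sample.
from typing import Callable, List, Optional, Tuple

Request = Tuple[str, Optional[str]]            # (method, Content-Type header or None)
Policy = Callable[[str, Optional[str]], bool]  # True when the form token must be present


def media_type(content_type: Optional[str]) -> Optional[str]:
    """type/subtype of a Content-Type header with parameters stripped
    (case kept, since cgi.parse_header does not lower-case it)."""
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip()


def parsed_as_form(method: str, content_type: Optional[str]) -> bool:
    """Would cgi.FieldStorage read this body as form fields?

    Mirrors its dispatch: a POST with no Content-Type is treated as
    application/x-www-form-urlencoded, and any type starting with
    "multipart/" goes to the multipart reader (it only needs a boundary).
    """
    if method != "POST":
        return False
    ctype = media_type(content_type) or "application/x-www-form-urlencoded"
    return ctype == "application/x-www-form-urlencoded" or ctype.startswith("multipart/")


FORM_TYPES = frozenset({"application/x-www-form-urlencoded", "multipart/form-data"})
SAFE_TYPES = frozenset({"text/xml"})  # assumed allow-list for the third policy


def trap_all(method: str, content_type: Optional[str]) -> bool:
    """The fix as deployed: every POST needs a token (breaks XML-RPC)."""
    return method == "POST"


def exempt_non_form_types(method: str, content_type: Optional[str]) -> bool:
    """Deny-list: token only for the two browser form encodings."""
    return method == "POST" and media_type(content_type) in FORM_TYPES


def exempt_known_safe(method: str, content_type: Optional[str]) -> bool:
    """Allow-list: token for every POST except known safe types."""
    return method == "POST" and media_type(content_type) not in SAFE_TYPES


def bypasses(policy: Policy, requests: List[Request]) -> List[Request]:
    """Requests the parser would consume as form data while the policy lets
    them through without a token: the CSRF hole."""
    return [(m, ct) for m, ct in requests
            if parsed_as_form(m, ct) and not policy(m, ct)]


def collateral(policy: Policy, requests: List[Request]) -> List[Request]:
    """Requests that are not form submissions but the policy still blocks
    (the XML-RPC / XmlHttpRequest breakage)."""
    return [(m, ct) for m, ct in requests
            if not parsed_as_form(m, ct) and policy(m, ct)]


# Constructed sample requests, including the two evasions from the reply above.
REQUESTS: List[Request] = [
    ("POST", "application/x-www-form-urlencoded"),
    ("POST", "multipart/form-data; boundary=AaB03x"),
    ("POST", None),                                   # no Content-Type at all
    ("POST", "multipart/whatever; boundary=AaB03x"),  # not on the deny-list
    ("POST", "text/xml"),                             # XML-RPC
    ("GET", None),
]

if __name__ == "__main__":
    for policy in (trap_all, exempt_non_form_types, exempt_known_safe):
        print(f"{policy.__name__:>22}: bypasses={bypasses(policy, REQUESTS)} "
              f"collateral={collateral(policy, REQUESTS)}")
```

Run as a script it prints, per policy, the requests that slip past the token check even though the parser would turn their body into form fields, and the non-form requests the policy blocks. The deny-list fails open on exactly the two cases named in the reply (missing Content-Type and "multipart/whatever"), "trap all" fails closed but blocks text/xml, and the allow-list has neither problem because any type the parser might treat as a form, now or after a future cgi.py change, still needs a token unless someone explicitly lists it as safe.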
