This question about Upgrading from TWiki to Foswiki: Needs followup in Tasks

Attachments via bin/upload and curl no longer possible?

I've got an application which uses the bin/upload cgi app to upload attachments to topics. The equivalent curl invocation is
curl -n -F'filepath=@/etc/motd' 'http://jeeves.cfa.harvard.edu/cxcoptics/bin/upload/Sandbox/TestTopic0'

This worked under TWiki 4.2.3, but when I attempt the same under Foswiki 1.0.7, no file is uploaded and I get redirected to /bin/login. I've verified that it's properly authenticating by successfully reading the page using bin/view.

If I run the following command attaching to a Foswiki server,

curl --cookie-jar cookies -n -F'filepath=@/etc/motd' -F'noredirect=1' --verbose 'http://jeeves.cfa.harvard.edu/cxcoptics/bin/upload/Sandbox/TestTopic0'

I get
* About to connect() to jeeves.cfa.harvard.edu port 80 (#0)
*   Trying 131.142.185.140... connected
* Connected to jeeves.cfa.harvard.edu (131.142.185.140) port 80 (#0)
* Server auth using Basic with user 'DiabJerius'
> POST /cxcoptics/bin/upload/Sandbox/TestTopic0 HTTP/1.1
> Authorization: Basic #############################
> User-Agent: curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.10
> Host: jeeves.cfa.harvard.edu
> Accept: */*
> Content-Length: 762
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=----------------------------e49e4697875a
> 
< HTTP/1.1 100 Continue
< HTTP/1.1 302 Found
< Date: Sat, 07 Nov 2009 21:44:42 GMT
< Server: Apache/2.2.3 (Debian) DAV/2 mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch15 mod_perl/2.0.2 Perl/v5.8.8
< X-Foswikiuri: /cxcoptics/bin/upload/Sandbox/TestTopic0
< X-Foswikiaction: upload
* Added cookie FOSWIKISID="05da967de50d7b4c93ca41ece7893bf2" for domain jeeves.cfa.harvard.edu, path /, expire 0
< Set-Cookie: FOSWIKISID=05da967de50d7b4c93ca41ece7893bf2; path=/
< Location: /cxcoptics/bin/login/Sandbox/TestTopic0?foswiki_redirect_cache=04728a18bd598436095691cf96f52cd4
< Content-Length: 0
< Content-Type: text/html; charset=ISO-8859-1
< 
* Connection #0 to host jeeves.cfa.harvard.edu left intact
* Closing connection #0

Notice the redirect to bin/login. I've tracked the behavior to this call in UI::Upload::_upload
Foswiki::UI::checkValidationKey( $session, 'upload', $webName, $topic );

which throws a Foswiki::ValidationException, which is caught in UI::_execute and redirects to the login page. My site has
$Foswiki::cfg{Validation}{Method} = 'strikeone';

This has got me stumped. How might I proceed from here?

Thanks!

-- DiabJerius - 07 Nov 2009

The strikeone validation method prevents cross site request forgeries. You can't just POST data any more. With {Validation}{Method} = strikeone, you will need to study strikeone.js and duplicate its behaviour in your upload script.

Or, you need to use a less secure {Validation}{Method} which you're able to adapt your upload script to.

-- PaulHarvey - 09 Nov 2009

Thanks. Here's what I've done to make things work with strikeone. If you can suggest improvements, please do so. The somewhat kludgy nature of this is that I somehow need to get the validation key, which as far as I can tell is only generated when a form is generated.

  1. Download http://server/bin/attach/Web/Topic
  2. Extract the validation key from the generated upload form and the secret from the FOSWIKISTRIKEONE cookie
  3. Modify the validation key as per strikeone.js
  4. Submit the form.

I'm using WWW::Mechanize for this, so it's not too painful. I dislike step 2, as there's no written API guaranteeing that the form name (main) and validation key field (validation_key) won't change in the future. It just feels too Web 1.0.

Is there a cleaner way of getting the validation key? If not, might I suggest a future enhancement which would avoid the requirement to screen-scrape the form?

Thanks.

-- DiabJerius - 09 Nov 2009
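
The four steps in the post above, as an added shell example built on the curl invocation from the question; it is not the poster's WWW::Mechanize application and not Foswiki code. The URLs, field names and cookie name are the ones given in the thread; the key transform in `strikeone_response` (hex MD5 of the key without its leading "?" followed by the cookie secret) is an assumption to check against the strikeone.js shipped with your Foswiki, and the function names are made up for the example.

```shell
#!/bin/sh
# Added example: not Foswiki's code and not the poster's application.
# From the thread: bin/attach, bin/upload, the validation_key field, the
# FOSWIKISTRIKEONE cookie, and the filepath/noredirect form fields.

# Step 2a: print the validation_key value from attach-form HTML on stdin.
extract_validation_key() {
    tr '\n' ' ' |
        grep -o '<input[^>]*name=.validation_key.[^>]*>' | head -n 1 |
        sed -n "s/.*value=[\"']\([^\"']*\)[\"'].*/\1/p"
}

# Step 2b: print a cookie's value from a curl (Netscape-format) cookie jar.
read_cookie() {  # usage: read_cookie JAR NAME
    awk -F'\t' -v name="$2" '$6 == name { print $7 }' "$1"
}

# Step 3 (ASSUMED transform, verify against your strikeone.js): a key that
# starts with "?" becomes hex MD5 of (key without "?") followed by the secret;
# any other key is sent back unchanged.
strikeone_response() {  # usage: strikeone_response KEY SECRET
    case $1 in
        \?*) printf '%s%s' "${1#?}" "$2" | md5sum | cut -d' ' -f1 ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Steps 1-4 against a live server; credentials come from ~/.netrc (curl -n).
upload_attachment() {  # usage: upload_attachment BASE_URL Web/Topic FILE
    jar=$(mktemp) || return 1
    form=$(curl -sS -n -c "$jar" "$1/bin/attach/$2") || return 1
    key=$(printf '%s' "$form" | extract_validation_key)
    secret=$(read_cookie "$jar" FOSWIKISTRIKEONE)
    if [ -z "$key" ]; then
        echo "no validation_key found; the form layout may have changed" >&2
        rm -f "$jar"; return 1
    fi
    curl -sS -n -b "$jar" -c "$jar" -F "filepath=@$3" -F 'noredirect=1' \
        -F "validation_key=$(strikeone_response "$key" "$secret")" \
        "$1/bin/upload/$2"
    status=$?
    rm -f "$jar"
    return "$status"
}

# Only touch the network when called with BASE_URL, Web/Topic and FILE.
if [ "$#" -eq 3 ]; then upload_attachment "$@"; fi
```

A 302 to bin/login in reply to the upload, as in the verbose trace in the question, means the server rejected the validation key.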

BuildContrib is able to attach to topics, as that is how Plugins are released. I don't know the code, but maybe you can look through it and find out how it works. I just had a look at the code, and it does much the same as you do but scrapes the edit script instead of the upload.

I think submitting a feature request would be a good idea, just to get some discussion on this.

-- AndrewJones - 09 Nov 2009

For completeness, the application can be pulled from the mercurial source repository or as an installable tarball.

-- DiabJerius - 09 Nov 2009

Excellent stuff. I have added the InterfacingWithValidationMethods feature proposal, please add your input there. Feel free to suggest a specification that you could have used.

I'll finish solving my current work-arounds to strikeone (e.g. Tasks.Item8323) before thinking about a spec that I would like to use.

-- PaulHarvey - 10 Nov 2009

QuestionForm

Subject Upgrading from TWiki to Foswiki
Extension
Version Foswiki 1.0.7
Status Needs followup in Tasks
Topic revision: r7 - 10 Nov 2009, PaulHarvey