
Item1577: Possible side effects of fix against Cross-Site Request Forgery (CSRF)

Priority: Low
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches:
Reported By: RonBeezer
Waiting For:
Last Change By: GeorgeClark
Trying to create a new topic via WebCreateNewTopic (Toolbox, Create new Topic) results in an error message "Bad Request: GET denied for manage".

This problem was not present up to version 1.0.4

Maybe a side effect of the fix against Cross-Site Request Forgery (CSRF)?

Occurrences of method="get" in <form> tags in Foswiki 1.0.5 (shipped version), listed as line:file under each directory:

./pub/System/TinyMCEPlugin/tinymce/examples/
    127:example_template.htm
./pub/System/JSCalendarContrib/
     58:test.php
     84:test.php
     59:simple-1.html
    105:simple-1.html
    129:simple-1.html
    160:simple-1.html
    189:simple-1.html
    218:simple-1.html
./data/Main/
      8:WikiGroups.txt
./data/System/
      4:SiteChanges.txt
     18:TopicDoesNotExistViewTemplate.txt
     20:SpreadSheetPlugin.txt
     16:LanguageSelector.txt

Can method="get" in all cases simply be modified to method="post"?

There are form tags without a method declaration. These forms may use the GET method by default and may not work.

Example: In WebCreateNewTopicTemplate I had to replace
<form name="newtopicform" id="newtopicform" action="%SCRIPTURLPATH{manage}%/%BASEWEB%/">
by
<form name="newtopicform" id="newtopicform" action="%SCRIPTURLPATH{manage}%/%BASEWEB%/" method="post">
to bring WebCreateNewTopic back to work.
Other extensions may be affected.

-- RonBeezer - 06 May 2009

You do not say in which web you had the WebCreateNewTopic and WebCreateNewTopicTemplate.

We have method="post" in the WebCreateNewTopicTemplate in the System web. And it is only in the System web.

My guess is that you have at some point done your own tailored version - maybe back in an old TWiki version.

And if this is the case then you have to walk through these and add the method="post".

The other files you have listed - I doubt they are a problem. The method="post" is only required when it is a script targeting the save binary script or other scripts that save data. You can still pass parameters to URLPARAM etc. using GET.

It is also OK to use GET to the edit script. So for example WikiGroups still work with the GET because when you submit you end up in the edit window and not with a saved topic. It is done like this so you can add the group members before you save.

I will walk through your list later to be 100% sure but I would like the feedback with the answer to the question: "in which web did you correct WebCreateNewTopicTemplate?"

-- KennethLavrsen - 07 May 2009
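
The rule KennethLavrsen gives above (a form with no method attribute submits with GET, only forms that target state-changing scripts such as save or manage need method="post", and GET to edit or for URLPARAM values is fine) can be turned into a check to run over a site's data/ and templates/ trees before or after an upgrade. The following Python script is an added example, not part of the original thread and not Foswiki's own code. The set of POST-only scripts (save, manage, rename, upload) is an assumption for the example; the sample topic texts are constructed, with the two WebCreateNewTopicTemplate form tags taken from the report above.

```python
import re
import sys

# Scripts assumed to be POST-only after the Foswiki 1.0.5 CSRF change because
# they change state. This list is an assumption for this example; check the
# configuration of the installed release for the real one.
POST_ONLY_SCRIPTS = {"save", "manage", "rename", "upload"}

FORM_TAG_RE = re.compile(r"<form\b([^>]*)>", re.IGNORECASE)
# A double-quoted action may contain Foswiki macros with their own quotes,
# e.g. %SCRIPTURL{"save"}%, so a {...} group is allowed to contain quotes.
ACTION_RE = re.compile(
    r'''\baction\s*=\s*(?:"((?:\{[^}]*\}|[^"{])*)"|'((?:\{[^}]*\}|[^'{])*)'|([^\s>]+))''',
    re.IGNORECASE)
METHOD_RE = re.compile(r'''\bmethod\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''', re.IGNORECASE)
# %SCRIPTURL{save}%, %SCRIPTURLPATH{"manage" ...}% or a literal /bin/save/... path
SCRIPT_IN_ACTION_RE = re.compile(
    r'%SCRIPTURL(?:PATH)?\{\s*"?(\w+)"?[^}]*\}%|/bin/(\w+)(?=[/?"]|$)', re.IGNORECASE)


def form_method(attrs):
    """Method of a <form ...> tag; HTML defaults to GET when none is given."""
    m = METHOD_RE.search(attrs)
    if not m:
        return "get"
    return (m.group(1) or m.group(2) or m.group(3) or "").strip().lower()


def target_script(attrs):
    """Name of the Foswiki script the form's action targets, or None."""
    a = ACTION_RE.search(attrs)
    if not a:
        return None
    action = a.group(1) or a.group(2) or a.group(3) or ""
    s = SCRIPT_IN_ACTION_RE.search(action)
    if not s:
        return None
    return (s.group(1) or s.group(2)).lower()


def audit_forms(text, source="<string>"):
    """Return (source, line_no, script, method) for every form that Foswiki
    would reject with 'GET denied for <script>'."""
    findings = []
    for m in FORM_TAG_RE.finditer(text):
        attrs = m.group(1)
        script = target_script(attrs)
        method = form_method(attrs)
        if script in POST_ONLY_SCRIPTS and method != "post":
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((source, line_no, script, method))
    return findings


def fix_forms(text):
    """Add method="post" to every form that targets a POST-only script."""
    def patch(m):
        attrs = m.group(1)
        if target_script(attrs) not in POST_ONLY_SCRIPTS or form_method(attrs) == "post":
            return m.group(0)
        rest = re.sub(r"\s+", " ", METHOD_RE.sub("", attrs)).strip()
        return ("<form " + rest + ' method="post">') if rest else '<form method="post">'
    return FORM_TAG_RE.sub(patch, text)


# Constructed sample topic texts. The two WebCreateNewTopicTemplate tags are the
# before/after from the report; the WikiGroups-style and save forms are made up.
SAMPLE_TOPICS = {
    "WebCreateNewTopicTemplate.txt (pre-1.0.5 local copy)":
        '<form name="newtopicform" id="newtopicform" action="%SCRIPTURLPATH{manage}%/%BASEWEB%/">\n',
    "WebCreateNewTopicTemplate.txt (1.0.5 shipped)":
        '<form name="newtopicform" id="newtopicform" action="%SCRIPTURLPATH{manage}%/%BASEWEB%/" method="post">\n',
    # GET to the edit script only opens the editor, so this one is fine.
    "WikiGroups.txt":
        '<form action="%SCRIPTURLPATH{edit}%/%WEB%/" method="get">\n',
    "ConstructedSave.txt":
        'Some text\n<form method="GET" action="%SCRIPTURL{"save"}%/Sandbox/Foo">\n',
}


def audit_files(paths):
    """Run audit_forms over real topic or template files."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(audit_forms(fh.read(), path))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_files(sys.argv[1:])
    else:
        results = [f for name, text in SAMPLE_TOPICS.items() for f in audit_forms(text, name)]
    for source, line_no, script, method in results:
        print(f'{source}:{line_no}: form to "{script}" uses {method.upper()}; needs method="post"')
```

Run it with no arguments to see the constructed samples, or as `python audit_forms.py data/*/*.txt templates/*.tmpl` from the Foswiki root to scan an installation; fix_forms applies the same change the reporter made by hand, and only to forms that actually target a POST-only script, so forms to edit or view are left alone.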

It was the system web, WebCreateNewTopicTemplate.txt dated Jan 8, 2009. The version in the shipped Foswiki-1.0.5.zip is dated Apr 25, 2009. I think that there was a problem due to upgrading from 1.0.4 to 1.0.5 using apt-get (our foswiki is running under ubuntu). The ./system/data folder was not updated. So it seems not to be a general problem.

-- RonBeezer

So the conclusion is that it was a local upgrade issue on your installation.

That matches my investigations. I have not found that we missed anything as I walked through the forms.

No Action Required. Thanks for reporting the bug anyway. Better with one bug report too many than one too few.

-- KennethLavrsen - 08 May 2009

or is it a DebianPackage issue?

-- WillNorris - 09 May 2009

Problem does not appear to have been recreated elsewhere - no activity for 2 years. Setting to No Action, re-open if still a problem.

-- GeorgeClark - 15 Mar 2011


Summary: Possible side effects of fix against Cross-Site Request Forgery (CSRF)
ReportedBy: RonBeezer
Codebase: 1.0.5
SVN Range: Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo: Engine
Component:
Priority: Low
CurrentState: No Action Required
WaitingFor:
Checkins:
TargetRelease: n/a
ReleasedIn: n/a
Topic revision: r6 - 15 Mar 2011, GeorgeClark