Message8255
Hi Christof:
Thanks for the report. I don't see that issue in current devel.
What version of Roundup are you running?
How are you running it (cgi, wsgi, proxy to roundup-server)?
This info may indicate that this has been fixed already or that my tests are invalid.
Line 1691
(https://sourceforge.net/p/roundup/code/ci/default/tree/roundup/cgi/client.py#l1691)
in the current development client.py is the same line you reference in your issue I think.
If I run your curl command (setting a few extra headers (Origin, Referer etc.) to pass
checks) I get:
> roundup/cgi/client.py(1691)handle_csrf()
-> if '@csrf' in self.form:
(Pdb) p self.form
FieldStorage(None, None, b'test')
and I don't get the exception. Can you tell me what self.form is set to
when running your code?
There is code earlier in handle_csrf (around devel line 1515) that reads:
    # Assume: never allow changes via GET
    if self.env['REQUEST_METHOD'] not in ['POST', 'PUT', 'DELETE']:
        if (self.form.list is not None) and ("@csrf" in self.form):
so it looks like a GET can result in self.form.list set to None. (Although
curl -X GET https://tracker.com/tracker/ -H "Content-Type: text/plain" has
self.form.list set to a FieldStorage.)
Apparently I thought self.form.list would always be a FieldStorage
object with POST, PUT, DELETE. My testing seems to indicate that's
the case.
Even:
curl -X DELETE https://tracker.com/tracker/ -H "Content-Type: text/plain"
has self.form.list equal to a FieldStorage.
Further info or thoughts? Thanks.
Date | User | Action | Args
2025-01-11 16:54:10 | rouilj | set | messageid: <1736614450.43.0.255397103906.issue2551387@roundup.psfhosted.org>
2025-01-11 16:54:10 | rouilj | set | recipients: + rouilj, cmeerw
2025-01-11 16:54:10 | rouilj | link | issue2551387 messages
2025-01-11 16:54:09 | rouilj | create |