
Ticket #5940 (closed defect: worksforme)

Opened 15 months ago

Last modified 15 months ago

Chrome._add_form_token does not add tokens to forms generated by wiki macros

Reported by: ben@…
Owned by: jonas
Priority: normal
Milestone:
Component: general
Version:
Severity: normal
Keywords:
Cc:

Description

I wrote a wiki macro that inserts a simple HTML form into a wiki page. This form's method is POST, and therefore it should be given a CSRF form token. The current mechanism for automatically adding such a token (Chrome._add_form_token) does not appear to be catching forms generated by my wiki macro.

I traced through _add_form_token to see what's going on, and the problem appears to be that the stream that _add_form_token operates on does receive START/END events for XML tags inside the wiki page content; instead, the stream merely receives a single TEXT tag for the entire wiki page content, which means that any form tags inside the wiki page are not caught by _add_form_token.

This is what my log output shows:

2007-08-28 18:10:21,881 Trac[chrome] DEBUG: DOCTYPE
2007-08-28 18:10:21,881 Trac[chrome] DEBUG: (u'html', u'-//W3C//DTD XHTML 1.0 Strict//EN', u'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd')
2007-08-28 18:10:21,882 Trac[chrome] DEBUG: ('wiki_view.html', 3, 55)
2007-08-28 18:10:21,882 Trac[chrome] DEBUG: START_NS
2007-08-28 18:10:21,882 Trac[chrome] DEBUG: ('', u'http://www.w3.org/1999/xhtml')
2007-08-28 18:10:21,882 Trac[chrome] DEBUG: ('wiki_view.html', 4, 0)

... much irrelevant output later...

2007-08-28 18:10:22,155 Trac[chrome] DEBUG: TEXT
2007-08-28 18:10:22,155 Trac[chrome] DEBUG: <h1>My test form</h1><form action="" method="post"></form>
2007-08-28 18:10:22,155 Trac[chrome] DEBUG: ('/opt/local/lib/python2.5/site-packages/Trac-0.11dev_r5904-py2.5.egg/trac/wiki/templates/wiki_view.html', 55, 9)

... more irrelevant output ...

Of course, I can work around this by explicitly inserting the form token from my macro's implementation, but this doesn't seem like it was intended to work this way.

I am using Trac 0.11dev-r5904
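Added illustration of the behaviour the report describes; this is not Trac's or Genshi's own code. It models a Genshi-style event stream and a filter doing what Chrome._add_form_token is described as doing, then feeds it the macro output once as real START/END events and once as the single TEXT event seen in the DEBUG log above. The hidden field name __FORM_TOKEN and the position tuple are assumptions.

```python
# Added example, not Trac's or Genshi's code: a minimal Genshi-style event
# stream and a form-token filter modelled on the ticket's description of
# Chrome._add_form_token. The field name __FORM_TOKEN is an assumption.
START, END, TEXT = "START", "END", "TEXT"

def add_form_token(stream, token):
    """Pass the stream through; after every <form method="post"> that
    arrives as a START event, insert a hidden token input."""
    for kind, data, pos in stream:
        yield kind, data, pos
        if kind == START:
            tag, attrs = data
            if tag == "form" and attrs.get("method", "").lower() == "post":
                hidden = {"type": "hidden", "name": "__FORM_TOKEN", "value": token}
                yield START, ("input", hidden), pos
                yield END, "input", pos

def serialize(stream):
    """Render events back to markup so the filter's effect is visible."""
    out = []
    for kind, data, _pos in stream:
        if kind == START:
            tag, attrs = data
            out.append("<%s%s>" % (tag, "".join(' %s="%s"' % kv for kv in attrs.items())))
        elif kind == END:
            out.append("</%s>" % data)
        else:  # TEXT: the filter never looks inside, so any <form> in it is missed
            out.append(data)
    return "".join(out)

POS = ("wiki_view.html", 55, 9)  # constructed position, shaped like the log's tuples

# The form as a template (or a macro returning elements) would emit it: real events.
MACRO_AS_EVENTS = [
    (START, ("h1", {}), POS), (TEXT, "My test form", POS), (END, "h1", POS),
    (START, ("form", {"action": "", "method": "post"}), POS), (END, "form", POS),
]
# The same form as the reporter's macro delivers it: one opaque TEXT event,
# matching the DEBUG log in the description.
MACRO_AS_TEXT = [
    (TEXT, '<h1>My test form</h1><form action="" method="post"></form>', POS),
]

def render(events, token="t0k3n"):
    return serialize(add_form_token(events, token))

if __name__ == "__main__":
    print(render(MACRO_AS_EVENTS))  # hidden __FORM_TOKEN input is inserted
    print(render(MACRO_AS_TEXT))    # unchanged: the filter saw no <form> START event
```

The second render shows why the macro's POST form reaches the browser without a token, and why the reporter's workaround of emitting the token from the macro itself (or, as the later comment suggests, returning elements rather than markup text) is what makes the filter apply.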


Change History

Changed 15 months ago by cboos

  • status changed from new to closed
  • resolution set to worksforme

Later versions of the WikiEngine will not serialize streams or elements returned by macros, so any global filtering like the one done for adding the form token will just work.

In the meantime, I think you can just add the form token yourself (using req.form_token).
