plone4.csrffixes security HotFix issue

[dpc22]

Good afternoon,

A couple of days back the following security HotFix was released to fix CSRF problems in Plone.

https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf

It appears that this HotFix interferes with collective.quickupload. While file uploads complete the quickupload dialogue box always reports "Failed".

I am able to reproduce this problem on a vanilla Plone 4.3.7 site with:

 eggs=
  plone4.csrffixes==1.0.5
  collective.quickupload==1.8.0

 [versions]
 plone.protect = 3.0.14
 plone.keyring = 3.0.1
 plone.locking = 2.0.8
 cssselect = 0.9.1

Is a workaround or fix possible? Thanks.

[frisi]

plone.protect or plone4.csrffixes is wrapping the response of the @@quick_upload_file POST request.

instead of just the plain json it returns some html.

w/o csrf protection:

{"title": "some file", "uid": "a768d231a76b4369bbc800f8834c2313", "success": true, "name": "some-file.jpg"}

w csrf protection

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <html><body>
<p>{"title": "some file", "uid": "a768d231a76b4369bbc800f8834c2313", "success": true, "name": "some-file.jpg"}</p>
<script src="http://intranet.smartline.aero/++resource++protect.js" type="text/javascript" id="protect-script" data-token="a66d49fd833c9927a40c082896d2ae45557e59d2" data-site-url="http://intranet.smartline.aero"></script></body></html>

[davisagli]

Make sure that that response has its Content-Type header explicitly set to application/json

[reinhardt]

It happens with plone.protect 3.0.11 which is required for plone4.csrffixes.

Setting the content type to json properly causes a different failure in IE <= 9, but I'd say it's still better than what we have now.

See pull request #53

[alainschumi]

Hi all,

Im experieincing the same issues, I'm using the following config:

Plone version 4.3.2

eggs
collective.quickupload == 1.8.0
plone4.csrffixes==1.0.6

Version
plone.protect = 3.0.14
plone.keyring = 3.0.1
plone.locking = 2.0.8

I already tried the fix changing text/html to application/json for quick_upload.py
this works for me too.

[vito80ba]

Hi all,
I'm also experimenting this messages in the portlet.
Plone 4.2
Collective.quickupload 1.8

Vito

[frisi]

@vito80ba and @alainschumi a new release is on the way - see #53
you can use the content-type-json branch to fix the problem (for IE9 you'll still see an error - see #53 (comment))

[vito80ba]

thank's @frisi

[puittenbroek]

1fefc10 Fixes this issue IIRC, see also #53

[frisi]

release 1.8.1 should work on sites with plonehotfix20150910 installed.
on IE9 you'll still get a "failed" message for uploads (that acutally worked) - see #53 (comment)