plone4.csrffixes security HotFix issue #52
Comments
plone.protect or plone4.csrffixes is wrapping the response of the @@quick_upload_file POST request. Instead of just the plain JSON it returns some HTML.

Without CSRF protection:
{"title": "some file", "uid": "a768d231a76b4369bbc800f8834c2313", "success": true, "name": "some-file.jpg"}

With CSRF protection:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body>
<p>{"title": "some file", "uid": "a768d231a76b4369bbc800f8834c2313", "success": true, "name": "some-file.jpg"}</p>
<script src="http://intranet.smartline.aero/++resource++protect.js" type="text/javascript" id="protect-script" data-token="a66d49fd833c9927a40c082896d2ae45557e59d2" data-site-url="http://intranet.smartline.aero"></script></body></html>
Make sure that the response has its Content-Type header explicitly set to application/json.
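To illustrate the point in the comment above, here is an added example (not code from collective.quickupload or plone.protect): a simplified model of a response transform that appends the token script only to text/html responses. It shows that a JSON endpoint served as text/html gets wrapped and is no longer parseable by the uploader, while an explicit application/json Content-Type passes through untouched. The transform, view and client functions are hypothetical stand-ins; the JSON values are the ones quoted in the issue.

```python
import json

# Constructed sample: the JSON body quoted in the issue for a successful upload.
UPLOAD_RESULT = {"title": "some file", "uid": "a768d231a76b4369bbc800f8834c2313",
                 "success": True, "name": "some-file.jpg"}


def protect_transform(body, content_type, token="constructed-token"):
    """Hypothetical stand-in for the CSRF token-injecting transform.

    The real plone.protect transform has a different API; this only models the
    decision that matters here: HTML responses get a script tag appended,
    everything else (including application/json) is left exactly as it was.
    """
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "text/html":
        return body
    return ('<html><body><p>%s</p><script id="protect-script" data-token="%s">'
            '</script></body></html>' % (body, token))


def quick_upload_view(set_json_content_type):
    """Model of the @@quick_upload_file view: returns (body, content_type).

    With set_json_content_type=False the view returns JSON but keeps the
    default text/html header, which is the situation described in the issue.
    """
    body = json.dumps(UPLOAD_RESULT)
    content_type = "application/json" if set_json_content_type else "text/html"
    return body, content_type


def client_parse(body):
    """What the browser-side uploader does: parse the reply as JSON or give up."""
    try:
        return json.loads(body)
    except ValueError:
        return None


def upload_succeeds(set_json_content_type):
    """Run the request through view -> transform -> client and report the outcome."""
    body, content_type = quick_upload_view(set_json_content_type)
    body = protect_transform(body, content_type)
    result = client_parse(body)
    return bool(result and result.get("success"))


if __name__ == "__main__":
    print("text/html header:        ", upload_succeeds(False))  # uploader reports failure
    print("application/json header: ", upload_succeeds(True))
```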
It happens with plone.protect 3.0.11 which is required for plone4.csrffixes. Setting the content type to json properly causes a different failure in IE <= 9, but I'd say it's still better than what we have now. See pull request #53
Hi all, I'm experiencing the same issues. I'm using the following config: Plone version 4.3.2, eggs version. I already tried the fix, changing text/html to application/json in quick_upload.py.
Vito
@vito80ba and @alainschumi a new release is on the way - see #53
Thanks @frisi
release 1.8.1 should work on sites with plonehotfix20150910 installed. |
Good afternoon,
A couple of days back the following security HotFix was released to fix CSRF problems in Plone.
https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf
It appears that this HotFix interferes with collective.quickupload. While file uploads complete the quickupload dialogue box always reports "Failed".
I am able to reproduce this problem on a vanilla Plone 4.3.7 site with:
Is a workaround or fix possible? Thanks.