Closed vstinner closed 4 years ago
Example of Roundup code which raises the error: https://hg.python.org/tracker/roundup/rev/44f7e6b958fe
This appears to be an issue of compatibility with the roundup.cgi.wsgi_handler and Gunicorn. It was triggered by moving from the builtin roundup-server for running the web service to gunicorn.
Code is looking for HTTP_X-REQUESTED-WITH, but it appears that Gunicorn is populating the environment with HTTP_X_REQUESTED_WITH.
I've temporarily disabled this check in https://github.com/python/psf-salt/commit/4807d2ae3a731471f996c65e3fe9aeeb3fe812ad, and verified that allows XMLRPC through.
Thanks. I confirm that it works again the issue :-)
@ewdurbin this is a bug. See:
changeset: 5632:8e3df461d316
branch: maint-1.6
user: John Rouillard <rouilj@ieee.org>
date: Wed Feb 27 21:47:39 2019 -0500
files: CHANGES.txt roundup/cgi/client.py roundup/scripts/roundup_server.py
test/test_cgi.py
description:
issue2551023: Fix CSRF headers for use with wsgi and cgi. The
env variable array used - separators rather than _. Compare:
HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is
correct. Also fix roundup-server to produce the latter form. (Patch
by Cédric Krier)
The fix John pointed out has also been applied to Roundup 1.6.1 and since our fork has been upgraded to 1.6.1, this issue can be closed now:
https://github.com/psf/bpo-roundup/blob/68573d196f9a01786414d3b235252b9c857c3e08/CHANGES.TXT#L25-L29
My https://github.com/vstinner/python-security/ script, which downloads metadata of bugs.python.org issues using XML-RPC, no longer works. I use it rarely, like once a month, so I'm not sure when it stopped working.
Example of Python 3 script:
Output:
I copied the headers from the Roundup XML-RPC documentation: http://roundup.sourceforge.net/docs/xmlrpc.html#advanced-python-client-adding-anti-csrf-headers
The "Migrating from 1.5.1 to 1.6.0" documentation says:
http://roundup.sourceforge.net/docs/upgrading.html#errors-and-troubleshooting-xmlrpc-required-header-missing
My script uses X-Requested-With. What are the other required CSRF headers (e.g. referer, origin) configured in config.ini?
Note: I simplified my script. My real script uses HTTP Basic authentication using login+password. But I don't think that it matters here.
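The header-name mismatch ewdurbin describes (Roundup's check looking up `HTTP_X-REQUESTED-WITH` while a WSGI server such as gunicorn populates `HTTP_X_REQUESTED_WITH`) and the client-side `X-Requested-With` header the script above sends, worked through as an added example. This is not code from Roundup, psf-salt or the issue author: it serves a minimal XML-RPC endpoint with the stdlib `wsgiref` server, which derives environ keys from header names the same way gunicorn does (upper-case, `-` to `_`, `HTTP_` prefix, per the CGI/PEP 3333 rules), and makes the environ key used by the anti-CSRF check a parameter so the pre-fix and fixed lookups can be compared against the same client. The `double` method, the `Required Header Missing` response text and the ephemeral localhost port are this example's own assumptions.

```python
"""Added example, not code from Roundup, psf-salt or the issue author.

A WSGI XML-RPC endpoint behind wsgiref (which fills the environ the way gunicorn
does: 'X-Requested-With' -> 'HTTP_X_REQUESTED_WITH') that enforces the
X-Requested-With anti-CSRF check, plus an xmlrpc.client caller that adds the
header through a Transport subclass. Everything runs on localhost."""
import threading
import xmlrpc.client
from wsgiref.simple_server import WSGIRequestHandler, make_server
from xmlrpc.server import SimpleXMLRPCDispatcher

FIXED_KEY = "HTTP_X_REQUESTED_WITH"    # CGI / PEP 3333 form; what gunicorn sets
PRE_FIX_KEY = "HTTP_X-REQUESTED-WITH"  # what the pre-1.6.1 check looked up


def cgi_key(header_name):
    """Map an HTTP header name to its CGI/WSGI environ key."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def xhr_header_present(environ, lookup_key=FIXED_KEY):
    """The anti-CSRF check: the request must carry X-Requested-With: XMLHttpRequest.
    The environ key consulted is a parameter so the bug can be reproduced."""
    return environ.get(lookup_key) == "XMLHttpRequest"


class QuietHandler(WSGIRequestHandler):
    def log_message(self, *args):  # keep per-request logging off stderr
        pass


def make_app(lookup_key):
    """WSGI app: refuse requests that fail the check, otherwise dispatch XML-RPC."""
    dispatcher = SimpleXMLRPCDispatcher(allow_none=True, encoding="utf-8")
    dispatcher.register_function(lambda n: n * 2, "double")  # stand-in method (assumption)

    def app(environ, start_response):
        if not xhr_header_present(environ, lookup_key):
            body = b"Required Header Missing"  # response text is this example's own
            start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                               ("Content-Length", str(len(body)))])
            return [body]
        length = int(environ.get("CONTENT_LENGTH") or 0)
        # _marshaled_dispatch is what the stdlib's own request handlers call
        body = dispatcher._marshaled_dispatch(environ["wsgi.input"].read(length))
        start_response("200 OK", [("Content-Type", "text/xml"),
                                  ("Content-Length", str(len(body)))])
        return [body]

    return app


class XhrTransport(xmlrpc.client.Transport):
    """Client side: add X-Requested-With to every request by extending the
    header list the stdlib Transport is about to send."""

    def send_headers(self, connection, headers):
        extra = [("X-Requested-With", "XMLHttpRequest")]
        super().send_headers(connection, list(headers) + extra)


def call_double(port, send_header):
    """Return the XML-RPC result, or the HTTP status code if the server refused."""
    transport = XhrTransport() if send_header else xmlrpc.client.Transport()
    proxy = xmlrpc.client.ServerProxy(f"http://127.0.0.1:{port}/xmlrpc",
                                      transport=transport)
    try:
        return proxy.double(21)
    except xmlrpc.client.ProtocolError as err:
        return err.errcode


def run_demo(lookup_key=FIXED_KEY):
    """Serve on an ephemeral localhost port, call once with and once without the
    header, and return both outcomes."""
    server = make_server("127.0.0.1", 0, make_app(lookup_key),
                         handler_class=QuietHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {"with_header": call_double(port, True),
                "without_header": call_double(port, False)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("fixed lookup  :", run_demo(FIXED_KEY))    # header sent -> 42, missing -> 400
    print("pre-fix lookup:", run_demo(PRE_FIX_KEY))  # even the correct client gets 400
```

With the fixed key the header-sending client gets its result and the bare client is refused, which is the intended CSRF behaviour. With the pre-fix key every request is refused under a standards-compliant WSGI server, because no such server ever puts a hyphen in an environ key; that is exactly why the XML-RPC client broke after the move to gunicorn, and why the Roundup fix also changed roundup-server to emit the underscore form.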