On 10.11.2006 at 14:06, osimons wrote:
> However, just found a new issue with the XML-RPC plugin not working
> anymore - it now gives off a 500 Internal Server Error for all
> requests.
> I tested it on 0.10 ten seconds before upgrade, and same lines after
> upgrade gives error.
>
> My initial thought is with the new security fix that traps POST forms
> going out, and all POST requests coming in requiring a token. I quickly
> scanned xmlrpclib.py, and see that they also use POST to send
> requests.
>
> I also had another issue with our custom 'AJAX' navigation that posts
> through an XmlHttpRequest to populate a list of projects where a user
> has access. That I managed to get around by changing to GET as I
> wasn't actually posting any parameters. I am stuck for how to implement
> new such features that require POST without access to a token from the
> client side, or even from template HDF - it will likely be an ugly hack...
>
> I think there has to be some adjustments to the "trap all" behavior of
> the current fix.

Doh, good point. We should only require the form token on POST requests that have one of the content-types "application/x-www-form-urlencoded" and "multipart/form-data".

Cheers,
Chris
--
Christopher Lenz
cmlenz at gmx.de
http://www.cmlenz.net/
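
The rule proposed in the reply above, sketched as an added example that is not part of the original thread and not Trac's own code: the token is demanded only for POSTs whose media type is one of the two form encodings, so an XML-RPC POST (`text/xml`) passes. All function names and the sample requests are hypothetical.

```python
import hmac

# The two form encodings named in the reply.
FORM_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data"}


def media_type(content_type_header):
    """Return the bare, lower-cased media type, without charset/boundary."""
    if not content_type_header:
        return ""
    return content_type_header.split(";", 1)[0].strip().lower()


def requires_form_token(method, content_type_header):
    """True when the request is a form POST that must carry the token."""
    return (method.upper() == "POST"
            and media_type(content_type_header) in FORM_CONTENT_TYPES)


def check_request(method, content_type_header, submitted_token, session_token):
    """Return True to let the request through, False to reject it."""
    if not requires_form_token(method, content_type_header):
        return True  # e.g. a GET, or an XML-RPC POST sent as text/xml
    if not submitted_token or not session_token:
        return False
    # Constant-time comparison of the submitted token with the session's.
    return hmac.compare_digest(submitted_token.encode(), session_token.encode())


# Constructed sample requests: (method, Content-Type header, submitted token)
SAMPLES = [
    ("POST", "text/xml", None),                                     # XML-RPC
    ("POST", "application/x-www-form-urlencoded; charset=UTF-8", "abc123"),
    ("POST", "Multipart/Form-Data; boundary=----x", None),          # no token
    ("POST", "application/x-www-form-urlencoded", "wrong"),         # bad token
    ("GET", None, None),
]


def run_samples(session_token="abc123"):
    return [check_request(m, ct, tok, session_token) for m, ct, tok in SAMPLES]


if __name__ == "__main__":
    for sample, ok in zip(SAMPLES, run_samples()):
        print(sample, "->", "accept" if ok else "reject")
```

A handler exempted by this rule no longer has the token protecting it, so it should parse strictly and reject any body that is not in its own format.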
