Hi!

The first message did get sent; in my case I wasn't able to answer back until now.

CsrfProtectionFilter[#1] is a filter that is put in place to avoid
CSRF attacks. It basically expects to find a hidden input field
carrying the user's session id, so all of our forms carry a custom
tag[#2] (eg. [#3]) that does precisely that. AttachmentTab[#4]
contains a multipart form, contains the tag and works. If you got that
message, it means that either the WikiSession doesn't have the csrf token
or it isn't present on the request. As the first is generated on
WikiSession creation, what parameters come with the request? Perhaps
the requestContainsValidCsrfToken method on CsrfProtectionFilter needs
further refinement for these kinds of cases?

HTH,
juan pablo


[#1]: 
https://github.com/apache/jspwiki/blob/master/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java
[#2]: 
https://github.com/apache/jspwiki/blob/master/jspwiki-main/src/main/java/org/apache/wiki/tags/CsrfProtectionTag.java
[#3]: 
https://github.com/apache/jspwiki/blob/master/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp#L123
[#4]: 
https://github.com/apache/jspwiki/blob/master/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp#L47

On Fri, Jul 5, 2024 at 12:40 PM Ulf Dittmer
<ulf.ditt...@googlemail.com.invalid> wrote:
>
> Hi-
>
> I haven't actually seen this message go out to the mailing list, but I've
> come a bit further in implementing this - which, naturally, throws up
> different problems :-)
>
> So far I have 1) extended FormUtil to handle file uploads (using Apache
> Commons FileUpload), and 2) extended FormOpen to take an "enctype"
> parameter (because forms containing file uploads need multipart/form-data).
>
> At this point, the form submit causes an "o.a.w.h.f.CsrfProtectionFilter -
> Incorrect X-XSRF-TOKEN param with value 'null' received for null" error,
> even though the CSRF token is present and submitted. My guess is that the
> form handling by the FileUpload library somehow interferes with CSRF token
> handling, although I can't imagine how.
>
> Can anyone provide some idea of what might be (or might not be) going on?
>
> Thanks
> Ulf
>
> ---------- Forwarded message ---------
> From: Ulf Dittmer <ulf.ditt...@googlemail.com>
> Date: Wed, Jul 3, 2024 at 9:58 AM
> Subject: WikiFormsPlugin with file input?
> To: <user@jspwiki.apache.org>
>
>
> I want to implement a simple file upload solution for users of a JSPWiki
> site, and was wondering what the easiest way to go about this might be. The
> FormInput plugin can create file input elements, but obviously that won't
> work as the parameters are passed in a Map<String,String>.
>
> Has anyone implemented something like this, or is aware of
> a WikiFormsPlugin extension that can do this?
>
> The end result would be a simple way for users to upload files along with
> keywords for a simple file storage and retrieval solution. The files would
> not be associated to particular pages, so using attachments would not
> really work.
>
> Thanks
> Ulf
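
An added illustration, not part of the thread and not JSPWiki code: one offline way to look at "what parameters come with the request?". It assumes the token check only sees parameters decoded from url-encoded form data, in which case a token carried in a multipart/form-data body is invisible to it; the body, token value and helper names are constructed.

```python
from email import message_from_bytes
from urllib.parse import parse_qs

PARAM = "X-XSRF-TOKEN"  # parameter name from the log line quoted in the thread
BOUNDARY = "constructedBoundary42"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
# Constructed request body: hidden CSRF field plus one file part.
BODY = (
    f"--{BOUNDARY}\r\n"
    f'Content-Disposition: form-data; name="{PARAM}"\r\n\r\n'
    "constructed-token-123\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="notes.txt"\r\n'
    "Content-Type: text/plain\r\n\r\n"
    "file contents\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()


def urlencoded_params(content_type: str, body: bytes) -> dict:
    """Parameters seen by code that decodes only url-encoded form bodies."""
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return {}
    return {k: v[0] for k, v in parse_qs(body.decode("utf-8")).items()}


def multipart_params(content_type: str, body: bytes) -> dict:
    """Text fields of a multipart/form-data body; file parts are skipped."""
    if not content_type.lower().startswith("multipart/form-data"):
        return {}
    header = b"Content-Type: " + content_type.encode() + b"\r\n\r\n"
    msg = message_from_bytes(header + body)
    fields = {}
    if not msg.is_multipart():
        return fields
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        if name and part.get_filename() is None:
            fields[name] = part.get_payload(decode=True).decode("utf-8")
    return fields


def token_matches(params: dict, session_token: str) -> bool:
    """Synchronizer-token comparison; a missing parameter never matches."""
    return params.get(PARAM) == session_token


if __name__ == "__main__":
    print("url-encoded view:", urlencoded_params(CONTENT_TYPE, BODY).get(PARAM))
    print("multipart view:  ", multipart_params(CONTENT_TYPE, BODY).get(PARAM))
```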
