Thanks for the hints. Yes, it's an interaction of the form plugins and the CSRF filter. Using the FileUpload package for handling form parameters means it can only be done once, and then request.getParameter(...) won't work afterwards. While I can work around that for my purposes, it also interferes with the AttachmentServlet (which also wants to parse the request). So it gets messy quickly; I'll have to pursue some other approach.
On Sun, Jul 7, 2024 at 10:57 PM Juan Pablo Santos Rodríguez <juanpablo.san...@gmail.com> wrote:

> Hi!
>
> first message did get sent, in my case wasn't unable to answer back until
> now.
>
> CsrfProtectionFilter[#1] is a filter that is put in place to avoid
> CSRF attacks. It basically expects to find a hidden input field
> carrying the user's session id, so all of our forms carry a custom
> tag[#2] (eg. [#3]) that does precisely that. AttachmentTab[#4]
> contains a multipart form, contains the tag and works. If you got that
> message, it means that either the WikiSession doesn't the csrf token
> or it isn't present on the request. As the first is generated on
> WikiSession creation, what parameters come with the request? perhaps
> the requestContainsValidCsrfToken method on CsrfProtectionFilter needs
> further refinement for this kind of cases?
>
> HTH,
> juan pablo
>
> [#1]: https://github.com/apache/jspwiki/blob/master/jspwiki-http/src/main/java/org/apache/wiki/http/filter/CsrfProtectionFilter.java
> [#2]: https://github.com/apache/jspwiki/blob/master/jspwiki-main/src/main/java/org/apache/wiki/tags/CsrfProtectionTag.java
> [#3]: https://github.com/apache/jspwiki/blob/master/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp#L123
> [#4]: https://github.com/apache/jspwiki/blob/master/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp#L47
>
> On Fri, Jul 5, 2024 at 12:40 PM Ulf Dittmer
> <ulf.ditt...@googlemail.com.invalid> wrote:
> >
> > Hi-
> >
> > I haven't actually seen this message go out to the mailing list, but I've
> > come a bit further in implementing this - which, naturally, throws up
> > different problems :-)
> >
> > So far I have 1) extended FormUtil to handle file uploads (using Apache
> > Commons FileUpload), and 2) extended FormOpen to take an "enctype"
> > parameter (because forms containing file uploads need multipart/form-data).
> >
> > At this point, the form submit causes an "o.a.w.h.f.CsrfProtectionFilter -
> > Incorrect X-XSRF-TOKEN param with value 'null' received for null" error,
> > even though the CSRF token is present and submitted. My guess is that the
> > form handling by the FileUpload library somehow interferes with CSRF token
> > handling, although I can't imagine how.
> >
> > Can anyone provide some idea of what might be (or might not be) going on?
> >
> > Thanks
> > Ulf
> >
> > ---------- Forwarded message ---------
> > From: Ulf Dittmer <ulf.ditt...@googlemail.com>
> > Date: Wed, Jul 3, 2024 at 9:58 AM
> > Subject: WikiFormsPlugin with file input?
> > To: <user@jspwiki.apache.org>
> >
> >
> > I want to implement a simple file upload solution for users of a JSPWiki
> > site, and was wondering what the easiest way to go about this might be. The
> > FormInput plugin can create file input elements, but obviously that won't
> > work as the parameters are passed in a Map<String,String>.
> >
> > Has anyone implemented something like this, or is aware of
> > a WikiFormsPlugin extension that can do this?
> >
> > The end result would be a simple way for users to upload files along with
> > keywords for a simple file storage and retrieval solution. The files would
> > not be associated to particular pages, so using attachments would not
> > really work.
> >
> > Thanks
> > Ulf
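
The top message in this thread notes that a multipart body can be parsed only once, so the form plugin, the CSRF check and any later consumer compete for it. The following is an added example, not code from the thread or from JSPWiki, showing one way to parse once and let every consumer read the same result. The class name `ParsedMultipart` and the request attribute key are hypothetical, and it assumes Commons FileUpload 1.x with the `javax.servlet` API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/** Hypothetical helper: parse a multipart body once and share the result. */
public final class ParsedMultipart {
    // Hypothetical request attribute under which the parsed items are cached.
    private static final String ATTR = ParsedMultipart.class.getName() + ".items";
    // Parameter name taken from the error message quoted in the thread.
    private static final String CSRF_PARAM = "X-XSRF-TOKEN";

    private ParsedMultipart() {}

    /** Parses the body on the first call; later callers get the cached items. */
    @SuppressWarnings("unchecked")
    public static List<FileItem> items(HttpServletRequest req) throws FileUploadException {
        List<FileItem> items = (List<FileItem>) req.getAttribute(ATTR);
        if (items == null) {
            items = new ServletFileUpload(new DiskFileItemFactory()).parseRequest(req);
            req.setAttribute(ATTR, items);
        }
        return items;
    }

    /** Reads the CSRF field from ordinary parameters or from the multipart parts. */
    public static String csrfToken(HttpServletRequest req) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            return req.getParameter(CSRF_PARAM);
        }
        for (FileItem item : items(req)) {
            if (item.isFormField() && CSRF_PARAM.equals(item.getFieldName())) {
                return item.getString();
            }
        }
        return null;
    }

    /** Constant-time comparison; a missing token is always rejected. */
    public static boolean tokenMatches(HttpServletRequest req, String expected)
            throws FileUploadException {
        String got = csrfToken(req);
        if (got == null || expected == null) return false;
        return MessageDigest.isEqual(got.getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }
}
```

This only works if every component that needs the body calls `items(req)` instead of parsing the request itself; size limits on the `ServletFileUpload` instance should be set before the token check runs, since the check now triggers the upload parse.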