When using TinyMCE and trying to use the paperclip icon to add an attachment I still get the error "REST upload requires http POST method". -- Reported by TWiki:Main.AJAlfieriCrispin in Item6251.
This is a bug introduced by security fix Item6251, CSRF vulnerability CVE-2009-1339.
-- TWiki:Main/PeterThoeny - 01 Jun 2009
Invested some time on this -
my $query = TWiki::Func::getCgiQuery();
The $query gets value <method />
We are passing method post through the form written at /pub/TWiki/TinyMCEPlugin/tinymce/jscripts/tiny_mce/plugins/twikibuttons/attach.htm
Point is - resthandler is not passing exact cgi-query
-- TWiki:Main.SopanShewale - 02 Jun 2009
Wrong method name on cgi object, fixed the issue
-- TWiki:Main.SopanShewale - 03 Jun 2009
Will there be a patch for this, or is there something simple I can edit to fix?
Thanks!
-- TWiki:Main.AJAlfieriCrispin - 08 Jun 2009
Here we go:
Modified: twiki/branches/TWikiRelease04x03/twikiplugins/WysiwygPlugin/lib/TWiki/Plugins/WysiwygPlugin.pm
===================================================================
--- twiki/branches/TWikiRelease04x03/twikiplugins/WysiwygPlugin/lib/TWiki/Plugins/WysiwygPlugin.pm 2009-05-20 16:51:04 UTC (rev 18082)
+++ twiki/branches/TWikiRelease04x03/twikiplugins/WysiwygPlugin/lib/TWiki/Plugins/WysiwygPlugin.pm 2009-06-03 13:05:18 UTC (rev 18083)
@@ -744,7 +744,7 @@
my ($session, $plugin, $verb, $response) = @_;
my $query = TWiki::Func::getCgiQuery();
- if( $query && $query->method() !~ /^POST$/i ) {
+ if( $query && $query->request_method() !~ /^POST$/i ) {
returnRESTResult( $response, 405, 'REST upload requires http POST method' );
return undef;
}
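Review bot: the "$query &&" guard on the changed if line fails open. If TWiki::Func::getCgiQuery() returns nothing, the whole condition is false and the handler continues without ever checking the HTTP method, so the 405 'REST upload requires http POST method' rejection is skipped. Consider inverting the test so that a missing query object is rejected as well, for example: unless( $query && $query->request_method() =~ /^POST$/i ) { ... return the 405 ... }. As a smaller point, the /i flag also accepts "post" in lower case; HTTP method names are case-sensitive, so an exact comparison against 'POST' would be stricter.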
(thanks Sopan)
-- TWiki:Main.PeterThoeny - 08 Jun 2009
Thanks kindly to you both!
-- TWiki:Main.AJAlfieriCrispin - 10 Jun 2009
Closing this one
-- TWiki::Main.SopanShewale - 12 Oct 2009