python - tornado.web.stream_request_body: _xsrf missing error even with _xsrf input within html -


utilizing tornado library within python have come across unusual error. seems when have decorated file upload handler '@tornado.web.stream_request_body' webserver throws error:

warning:tornado.general:403 post /upload (ip-address): '_xsrf' argument missing post warning:tornado.access:403 post /upload (ip-address) 1.44ms

the code governing upload follows:

@tornado.web.stream_request_body class upload(basehandler):     def prepare(self):         print self.request.headers      def data_received(self,chunk):         print chunk      @tornado.web.authenticated     def post(self):         self.redirect("/")

where basehandler web.requesthandler subclass various helper functions (retrieving user info cookies , whatnot).

within html template, have appropriate xsrf function call seen here:

<form enctype="multipart/form-data" action="/upload" method="post" id="upload_form" class="form-upload">     {% raw xsrf_form_html() %}     <input type="file" name="upfile" required/>     <button class="btn btn-lg btn-primary btn-block-submit" type="submit">submit</button> </form>

and generating proper xsrf input within browser:

<form enctype="multipart/form-data" action="/upload" method="post" id="upload_form" class="form-upload">     <input type="hidden" name="_xsrf" value="2|787b7c6e|4a82eabcd1c253fcabc9cac1e374e913|1430160367"/>     <input type="file" name="upfile" required/>     <button class="btn btn-lg btn-primary btn-block-submit" type="submit">submit</button> </form>

when turn off xsrf_cookies within webserver settings, , functions normal. feel not ideal.

while xsrf_cookies set false, if given text file called "stuff.txt" body of "testfile" output is:

------webkitformboundary4ihkiqungfqverrb content-disposition: form-data; name="_xsrf"  2|787b7c6e|4a82eabcd1c253fcabc9cac1e374e913|1430160367 ------webkitformboundary4ihkiqungfqverrb content-disposition: form-data; name="upfile"; filename="stuff.txt" content-type: text/plain  testfile ------webkitformboundary4ihkiqungfqverrb--

from output, guess xsrf value being captured stream_request_body , not passed appropriate xsrf validation class.

any on appreciated. thank in advance!

tornado not (as of version 4.1) support streaming multi-part uploads. means uploads wish stream must simple puts, instead of post mixes uploaded data other form fields _xsrf. use xsrf protection in scenario must pass xsrf token via http header (x-xsrf-token) instead of via form field. unfortunately incompatible non-javascript web form uploads; must have client capable of setting arbitrary http headers.


Comments

Post a Comment

Popular posts from this blog

python - Mongodb How to add addtional information when aggregating? -

i beginner , wrote line pipeline works, wanna add other information output, screen name , or number of tweets.i tried add under $group gave me syntax error everytime here pipeline: def make_pipeline(): # complete aggregation pipeline pipeline = [ { '$match': { "user.statuses_count": {"$gt":99 }, "user.time_zone": "brasilia" } }, { "$group": { "_id": "$user.id", "followers": { "$max": "$user.followers_count" } } }, { "$sort": { "followers": -1 } }, { "$limit" : 1 } ]; i using on example : { "_id" : objectid("5304e2e3cc9e684aa98bef97"), "text" : "first week of school on :p", "in_reply_to_status_id" : null, "retweet_count" : null, ...
Read more

java - Spring Data JPA: Why findOne(id) executing delete query internally? -

i have 1 application using @manytomany annotation link 2 different entities 1 parent entity. not sure if have implemented properly. when execute .findone() on parent entity's repository find it, @ first fetch data along executing delete queries internally delete record mapping table (a table jpa creates after adding @manytomany annotation.). following generated sql queries , code snippet: java class @entity @table(name = "inventory") public class inventory { @id long id; // many other properties @manytomany(fetch=fetchtype.lazy) private list<stream> streams; @manytomany(fetch=fetchtype.lazy) private list<subject> subjects; } there no other annotation i've put in stream , subject entity class link inventory class. when run app, create following tables: inventory stream subject inventory_stream inventory_subject (inventory_stream , inventory_subject, 2 tables created automatically, don't k...
Read more

java - Incorrect order of records in M-M relationship in hibernate -

Image
i have 4 records in bridge table in mysql database. using @manytomany in hibernate, accurate order of employees incorrect incorrect of projects. following required material figure out doing mistake. this source. @entity @table(name="project") public class projectbean { @id @generatedvalue @column(name="project_id") private int projectid; @column(name="title") private string projecttitle; @manytomany(mappedby="projects") private collection<employeebean> employees; public projectbean() { employees = new arraylist<employeebean>(); } //getters & setters } @entity @table(name="employee") public class employeebean { @id @generatedvalue @column(name="employee_id") private int employee_id; @column(name="first_name") private string ...
Read more