diff doc/xmlrpc.txt @ 5219:ade4bbc2716d
Update the xmlrpc documentation for use with the CSRF defenses.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 27 Mar 2017 23:04:30 -0400 |
| parents | 47cc50617e19 |
| children | 14d8f61e6ef2 |
--- a/doc/xmlrpc.txt Mon Mar 27 22:37:30 2017 -0400
+++ b/doc/xmlrpc.txt Mon Mar 27 23:04:30 2017 -0400
@@ -107,7 +107,9 @@
 
 sample python client
 ====================
-::
+
+This client will work if you turn off the x-requested-with header and
+the only CSRF header check you require is the HTTP host header::
 
 >>> import xmlrpclib
 >>> roundup_server = xmlrpclib.ServerProxy('http://admin:admin@localhost:8917/demo/xmlrpc', allow_none=True)
@@ -136,3 +138,34 @@
 []
 >>> roundup_server.lookup('user','admin')
 '1'
+
+The one below adds Referer and X-Requested-With headers so it can pass
+stronger CSRF detection methods. Note if you are using http rather
+than https, replace xmlrpclib.SafeTransport with xmlrpclib.Transport::
+
+ import xmlrpclib
+
+ class SpecialTransport(xmlrpclib.SafeTransport):
+
+ def send_content(self, connection, request_body):
+
+ connection.putheader("Referer", "https://localhost/demo/")
+ connection.putheader("Origin", "https://localhost")
+ connection.putheader("X-Requested-With", "XMLHttpRequest")
+
+ connection.putheader("Content-Type", "text/xml")
+ connection.putheader("Content-Length", str(len(request_body)))
+ connection.endheaders()
+ if request_body:
+ connection.send(request_body)
+
+ roundup_server = xmlrpclib.ServerProxy(
+ 'https://admin:admin@localhost/demo/xmlrpc',
+ transport=SpecialTransport(),
+ verbose=False,
+ allow_none=True)
+
+ print roundup_server.schema()
+ print roundup_server.display('user2', 'username')
+ print roundup_server.display('issue1', 'status')
+ print roundup_server.filter('user',['1','2','3'],{'username':'demo'})
