curl / Mailing Lists / curl-users / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Aw: Re: Transmitting csrf-token in the body

From: jetrca via curl-users <>
Date: Wed, 3 Feb 2021 11:47:09 +0100

Dear Daniel,
Thank you for your response.

It is an edit token as decribed here:
The API-documentation for action=edit can be found here:

Essentially, I am following this guidance:
I have been able to login and then edit a page according to section 2.1 of the guidance with this code:
curl --cookie tmp/COOKIE_JAR \
     --cookie-jar tmp/COOKIE_JAR \
     --data-urlencode "title=User:Jetrca/Playground" \
     --data-urlencode "prependtext=Versuch" \
     --data-urlencode $csrf \

$csrf contains:
(one difference to the guidance above was that I had to escape the & in the last line to get it function)
Oddly enough, if I write the token explicitely instead via $csfr, I have to escape the final \:
Otherwise I get a badtoken-error
If I try to accomplish target 2.2 of the guidance with this code:

curl --cookie COOKIE_JAR \
     --cookie-jar COOKIE_JAR \
     --form "filename=test.jpg" \
     --form "file=_at_bilder/zionino.jpg" \
     --form "ignorewarnings=1" \
     --form "token= \

then mediawiki throws a badtoken error. I have tried:
--form $csrf \ (badtoken)
--form token=56fd197b14494ae602331fc8516ee282601a69d8+\ \ (badtoken)
--form "token=56fd197b14494ae602331fc8516ee282601a69d8+\" \ (Syntaxfehler: Unerwartetes Dateiende)
--form "token=$(<tmp/csrf_pur)" \ (badtoken)
--form "token=6e5dee0d7b64ac58a6a0927cd23f82a7601a732c+\\" \ (badtoken)
--form "token=6e5dee0d7b64ac58a6a0927cd23f82a7601a732c\+\\" \ (badtoken)
--form token=56fd197b14494ae602331fc8516ee282601a69d8+\\ \ (badtoken)
--form token=56fd197b14494ae602331fc8516ee282601a69d8\+\\ \ (badtoken)

"What exactly is this "token" ? Is it part of the request body, is it a header or is it a cookie?"
My guess is that it is part of the request body, because if I change the first (functioning) request to

curl --cookie tmp/COOKIE_JAR \
     --cookie-jar tmp/COOKIE_JAR \
     --data-urlencode "title=User:Jetrca/Playground" \
     --data-urlencode "prependtext=Versuch" \

then the reply is:
{"error":{"code":"mustpostparams","info":"The following parameter was found in the query string, but must be in the POST body: token.","*":"See for API usage. Subscribe to the mediawiki-api-announce mailing list at &lt;; for notice of API deprecations and breaking changes."}}
But honestly, I don't know the answer.

I hope, this has been enough background for helping me.
If today's problem can be solved, I will very likely be able to solve the problem from my first mail analogously.
Thank you for your help.
P.s.: Off course this token is now obsolete ;) 

Gesendet: Dienstag, 02. Februar 2021 um 17:10 Uhr
Von: "Daniel Stenberg via curl-users" <>
An: "jetrca via curl-users" <>
Cc: "Daniel Stenberg" <>,
Betreff: Re: Transmitting csrf-token in the body
On Sun, 31 Jan 2021, jetrca via curl-users wrote:

> I am trying to import an XML-dump into a mediawiki installation.


> Can you please tell me how to transmit the token?

No we can't unless you give us a more specific instruction. What exactly is
this "token" ? Is it part of the request body, is it a header or is it a

| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
Received on 2021-02-03