Aw: Re: Transmitting csrf-token in the body
From: jetrca via curl-users <curl-users_at_cool.haxx.se>
Date: Wed, 3 Feb 2021 11:47:09 +0100
Dear Daniel,
Thank you for your response.
It is an edit token as described here:
https://www.mediawiki.org/wiki/Manual:Edit_token
The API-documentation for action=edit can be found here:
https://www.mediawiki.org/wiki/API:Edit/de#API-Dokumentation
Essentially, I am following this guidance:
https://siko1056.github.io/blog/2017/03/10/getting-to-know-the-mediawiki-api.html
I have been able to login and then edit a page according to section 2.1 of the guidance with this code:
curl --cookie tmp/COOKIE_JAR \
--cookie-jar tmp/COOKIE_JAR \
--data-urlencode "title=User:Jetrca/Playground" \
--data-urlencode "prependtext=Versuch" \
--data-urlencode $csrf \
${WIKI}/api.php?action=edit\&format=json
$csrf contains:
token=56fd197b14494ae602331fc8516ee282601a69d8+\
(one difference to the guidance above was that I had to escape the & in the last line to get it to function)
Oddly enough, if I write the token explicitly instead of via $csrf, I have to escape the final \:
"token=56fd197b14494ae602331fc8516ee282601a69d8+\\"
Otherwise I get a badtoken-error
If I try to accomplish target 2.2 of the guidance with this code:
curl --cookie COOKIE_JAR \
--cookie-jar COOKIE_JAR \
--form "filename=test.jpg" \
--form "file=@bilder/zionino.jpg" \
--form "ignorewarnings=1" \
--form "token= \
${WIKI}/api.php?action=edit\&format=json
then mediawiki throws a badtoken error. I have tried:
--form $csrf \ (badtoken)
--form token=56fd197b14494ae602331fc8516ee282601a69d8+\ \ (badtoken)
--form "token=56fd197b14494ae602331fc8516ee282601a69d8+\" \ (Syntaxfehler: Unerwartetes Dateiende)
--form "token=$(<tmp/csrf_pur)" \ (badtoken)
--form "token=6e5dee0d7b64ac58a6a0927cd23f82a7601a732c+\\" \ (badtoken)
--form "token=6e5dee0d7b64ac58a6a0927cd23f82a7601a732c\+\\" \ (badtoken)
--form token=56fd197b14494ae602331fc8516ee282601a69d8+\\ \ (badtoken)
--form token=56fd197b14494ae602331fc8516ee282601a69d8\+\\ \ (badtoken)
"What exactly is this "token" ? Is it part of the request body, is it a header or is it a cookie?"
My guess is that it is part of the request body, because if I change the first (functioning) request to
curl --cookie tmp/COOKIE_JAR \
--cookie-jar tmp/COOKIE_JAR \
--data-urlencode "title=User:Jetrca/Playground" \
--data-urlencode "prependtext=Versuch" \
${WIKI}/api.php?action=edit\&format=json\&token=56fd197b14494ae602331fc8516ee282601a69d8+\
then the reply is:
{"error":{"code":"mustpostparams","info":"The following parameter was found in the query string, but must be in the POST body: token.","*":"See https://wiki3.railml.org/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes."}}
But honestly, I don't know the answer.
I hope this has been enough background for helping me.
If today's problem can be solved, I will very likely be able to solve the problem from my first mail analogously.
Thank you for your help.
Jetrca
P.S.: Of course this token is now obsolete ;)
Sent: Tuesday, 02 February 2021 at 17:10
From: "Daniel Stenberg via curl-users" <curl-users_at_cool.haxx.se>
To: "jetrca via curl-users" <curl-users_at_cool.haxx.se>
Cc: "Daniel Stenberg" <daniel_at_haxx.se>, knurz_at_gmx.at
Subject: Re: Transmitting csrf-token in the body
On Sun, 31 Jan 2021, jetrca via curl-users wrote:
> I am trying to import an XML-dump into a mediawiki installation.
...
> Can you please tell me how to transmit the token?
No we can't unless you give us a more specific instruction. What exactly is
this "token" ? Is it part of the request body, is it a header or is it a
cookie?
--
 / daniel.haxx.se
Received on 2021-02-03
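Added example, not part of the original thread and not code from the curl project: how the shell quoting variants tried in the mail change the token argument before curl ever sees it, and what a form-urlencoded body has to carry for a token ending in "+\". The token is a constructed sample; HEX, TOKEN, received, urlencode and post_edit are hypothetical names, and post_edit reuses the cookie-jar path and ${WIKI} variable from the mail.

```shell
#!/bin/sh
# Constructed sample token in the shape quoted in the mail: 40 hex digits, then "+\".
HEX=0123456789abcdef0123456789abcdef01234567
TOKEN=$HEX'+\'            # single quotes keep the trailing backslash literal

# Return one argument exactly as a command such as curl would receive it.
received() { printf '%s' "$1"; }

from_variable=$(received "token=$TOKEN")     # expansion result is not re-parsed
from_dquotes=$(received "token=${HEX}+\\")   # \\ inside double quotes is one backslash
from_bare=$(received token=${HEX}+\\)        # \\ unquoted is one backslash too
escaped_space=$(received token=${HEX}+\ )    # "\ " is an escaped space: backslash lost
# "token=...+\" (one backslash before the closing quote) escapes the quote itself,
# so the string never ends and the shell reports an unexpected end of file.

# Percent-encode every byte outside the RFC 3986 unreserved set, as a
# form-urlencoded body requires ("+" becomes %2B, "\" becomes %5C).
urlencode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}
        c=${s%"$rest"}
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# Not called here (needs a live wiki): token as its own quoted argument in the
# POST body, URL quoted so that "&" needs no backslash.
post_edit() {
    curl --cookie tmp/COOKIE_JAR --cookie-jar tmp/COOKIE_JAR \
         --data-urlencode "title=$1" --data-urlencode "prependtext=$2" \
         --data-urlencode "token=$TOKEN" \
         "${WIKI}/api.php?action=edit&format=json"
}

printf 'variable : [%s]\n' "$from_variable"
printf 'dquotes  : [%s]\n' "$from_dquotes"
printf 'bare     : [%s]\n' "$from_bare"
printf 'esc space: [%s]\n' "$escaped_space"
printf 'encoded  : [%s]\n' "$(urlencode "$TOKEN")"
```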