Problem/Motivation
Because the population of the $_SERVER environment variable is not standardized across all web servers, the HTTP_X_CSRF_TOKEN may not be in $_SERVER, causing authentication to fail for PUT and POST operations. The function "getallheaders()", which is an alias of "apache_request_headers()", will return the full set of headers, which can be used in the case of a server that does not populate $_SERVER['HTTP_X_CSRF_TOKEN'].
I have observed this behavior on Ubuntu 14.04 and 16.04 installs. I am more than willing to have someone who has succeeded in getting POST/PUT to work on Ubuntu/Apache 2.4 out of the box, but I sure can't seem to do it without this patch. Given that this prevents REST CRUD on a very popular platform, this is marked as Critical. I also note that Drupal 8, which gets Apache headers using Symfony, is possibly also affected by this (related issue coming), since Symfony also relies on the $_SERVER super-global (see: https://github.com/symfony/symfony/issues/9295).
Proposed resolution
- I think that there are potentially a few options for addressing this, one in module code, the others possibly in configuration directives. The first option listed below pertains to the patch offered in #6.
- Call getallheaders() as well as $_SERVER to determine if HTTP_X_CSRF_TOKEN is set (aka apache_request_headers)
- Include web server specific instructions for ensuring that HTTP_X_CSRF_TOKEN is set, in .htaccess or apache.conf files.
- Refer to the issue in the README and recommend server specific .htaccess directives (I unsuccessfully tried adding this "").
Remaining tasks
- Propose fixes
- Test module patch for the module code approach that uses getallheaders()
- Decide on best fix
- User testing
User interface changes
n/a
API changes
n/a
Data model changes
n/a
Does anyone have tips on RestWS on Ubuntu 16.04 with Apache 2.4? Having a ton of trouble with an Ubuntu 16.04 system with Apache 2.4. Anyhow, I can GET successfully, but not POST, even though the restws user has the proper permissions. Or rather, I just migrated my entire drupal install from CentOS 6 to Ubuntu 16.04 and so all configs are the same. Restws was working great on CentOS 6, but now I can't seem to write anything.
This issue may be moot if I am following the wrong CleanURLs config guidelines, so for what it's worth see Enable CleanURLs and CleanURLs on Ubuntu.
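The lookup described under "Proposed resolution" (check $_SERVER first, then fall back to getallheaders()), written out as an added example. This is illustration code, not the patch in #6 and not RestWS module code: the restws_example_ function names, the sample request arrays, and the REDIRECT_-prefixed key (where Apache's mod_rewrite places a copied header after an internal redirect) are assumptions made here, and how RestWS derives the expected token for the session is not shown.

```php
<?php
/**
 * Added example, not RestWS module code: find the X-CSRF-Token request
 * header on servers where $_SERVER['HTTP_X_CSRF_TOKEN'] is not populated.
 *
 * Lookup order:
 *   1. $_SERVER['HTTP_X_CSRF_TOKEN'], the normal CGI-style key.
 *   2. $_SERVER['REDIRECT_HTTP_X_CSRF_TOKEN'], where the value lands if a
 *      mod_rewrite rule copied the header into an environment variable and
 *      an internal redirect added Apache's REDIRECT_ prefix (assumption
 *      based on mod_rewrite behaviour, not something the issue reports).
 *   3. getallheaders() (alias of apache_request_headers()), matched
 *      case-insensitively because header names are case-insensitive and
 *      SAPIs do not agree on capitalisation.
 *
 * $server and $headers are parameters so the lookup can be exercised with
 * constructed input; production callers pass $_SERVER and NULL.
 *
 * @return string|null
 *   The token, or NULL when the header is absent or empty.
 */
function restws_example_csrf_token_from_request(array $server, array $headers = NULL) {
  foreach (array('HTTP_X_CSRF_TOKEN', 'REDIRECT_HTTP_X_CSRF_TOKEN') as $key) {
    if (isset($server[$key]) && $server[$key] !== '') {
      return $server[$key];
    }
  }
  if ($headers === NULL) {
    // getallheaders() is only defined under the Apache SAPI (and, from
    // PHP 7.3, FPM and the built-in server), so guard the call instead of
    // fataling on SAPIs that lack it.
    $headers = function_exists('getallheaders') ? getallheaders() : array();
  }
  foreach ($headers as $name => $value) {
    if (strcasecmp($name, 'X-CSRF-Token') === 0 && $value !== '') {
      return $value;
    }
  }
  return NULL;
}

/**
 * Validate a supplied token against the expected token for the session.
 *
 * hash_equals() compares in constant time, so a wrong token cannot be
 * narrowed down byte by byte through timing differences. A missing header
 * is a failure, never a bypass.
 */
function restws_example_csrf_token_valid($supplied, $expected) {
  if (!is_string($supplied) || !is_string($expected) || $expected === '') {
    return FALSE;
  }
  return hash_equals($expected, $supplied);
}

// Constructed sample request: $_SERVER lacks the key, but the header table
// (shaped like getallheaders() output, lower-cased as some SAPIs report it)
// carries the token.
$sample_server = array('REQUEST_METHOD' => 'POST');
$sample_headers = array('Host' => 'example.test', 'x-csrf-token' => 'abc123');
$expected_token = 'abc123';

$token = restws_example_csrf_token_from_request($sample_server, $sample_headers);
if (restws_example_csrf_token_valid($token, $expected_token)) {
  print "token accepted\n";
}
else {
  print "token missing or invalid\n";
}
```

Two caveats a reviewer would want noted: hash_equals() needs PHP 5.6 or later, so an older Drupal 7 host would need an equivalent constant-time comparison; and the fallback only helps when the browser actually sends the header, so the first check on a failing install is still the network tab of the browser developer tools, as comment #8 below describes.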
Comment | File | Size | Author |
---|---|---|---|
#6 | use-getallheaders-to-validate-csrf-token-28848449-06.patch | 868 bytes | robertwb |
Comments
Comment #2: robertwb commented
Comment #3: robertwb commented
Comment #4: robertwb commented
Comment #5: robertwb commented
Comment #6: robertwb commented
Comment #7: robertwb commented
Comment #8: clarencel commented
I was able to get this working for a while, but for some reason, after adding a local module of my own, the X-CSRF-Token stopped being sent in the headers. This is on Ubuntu/Apache and I think it may very well have something to do with the Clean URLs not passing the X-CSRF-Token in some cases.
Did you check your browser developer tools -> network tab? I thought $_SERVER wasn't populated until I checked there and saw it wasn't even being sent. Then I removed a certain module and it was being sent, extremely odd.