MediaWiki

Topic on Project:Support desk

< Project:Support desk

SemanticForms: False positive warning about cross-site request forgery when submitting edit

29 comments • 18:55, 27 June 2016 8 years ago
29
71.126.252.82 (talkcontribs)

When creating my first property in a newly downloaded semantic (forms 2.7) system running on a mostly new 1.23.1 wiki (wiki.afterworld.ru). i get the following error when hitting save or preview.

"This appears to be a cross-site request forgery; canceling save."

so i went around now totally understand whats happening with CSRF and why its there and all that. But for the life of me i can not figure out how to fix the problem. I havent edited my core mediawiki files but looking at the editpage.php i can see what i expect is correct to allow tokens. "var $mTokenOk = false;" I can;t figure out of the problem is a forms problem or a wiki problem, but i see the code in the forms code for the error.

My question is, what have i done, or not done, to cause this error. Any hint to lead me in the right direction would be great. Thanks! --Dale>

Reply 16:26, 3 September 2014 10 years ago
MarkAHershberger (talkcontribs)

I was just involved in a discussion about CSRF and SemanticForms and Yaron said he took care of this in the latest version.

Maybe you can help us figure out how you are getting this?

Reply 16:45, 3 September 2014 10 years ago
71.126.252.82 (talkcontribs)

If latest version is 1.23.3 i have that ready to upgrade, but old time IT guy like me doesn't upgrade during a problem unless its a known fix. Shall I wait for Yaron here or open up a discussion on his page? Thanks!

Reply 16:50, 3 September 2014 10 years ago
MarkAHershberger (talkcontribs)

I was hoping he would respond to the mention of his name here (I think that is part of Echo), but he didn't.

You appear to be running the latest version of SemanticForms, so I don't think upgrading would help.

I've sent him an email asking him to come look at this.

Reply 23:48, 3 September 2014 10 years ago
MarkAHershberger (talkcontribs)

A start would be to tell us what is giving you that message: What browser are you using? Any browser extensions?

Reply 16:46, 3 September 2014 10 years ago
71.126.252.82 (talkcontribs)

A well IE 11.09 Chrome 37 both produced the same error. Also has done it on 3 machines with none of the same extensions installed on different versions of IE. So i eliminated the browser as the default problem. Do note that i'm machines live in a Active Directory Domain, which always could cause some sort of limitation that is hidden.

When i run the create a category page i get no such error and successfully created a category. I have not run a Create a Class or templateyet because i simply haven't gotten to that stage (I am learning all this semantic stuff this week)

Reply 18:08, 3 September 2014 10 years ago
71.126.252.82 (talkcontribs)

Note i did get a person to try it with a non-domain'ed machine in Chrome 37 and they got the same error (With my account). Which gives me the idea to try another account... will ask another admin to try.

Reply 18:20, 3 September 2014 10 years ago
71.126.252.82 (talkcontribs)
Reply 19:02, 3 September 2014 10 years ago
71.126.252.82 (talkcontribs)

Confirmed another admin level user had same problem.

Reply 20:14, 3 September 2014 10 years ago
Yaron Koren (talkcontribs)

Hi - that's too bad.

I should note that Echo didn't notify me! I don't know if it was supposed to. But Mark emailed me about this.

Also, there was actually no change to CSRF stuff in the latest version; the CSRF checking was all added in version 2.6.1, which was released 8 months ago; so I don't think there's a general bug in SF related to this.

Rather, I'm guessing that it's something server-side on the wiki, though I don't know what that is. Perhaps indeed it's the use of Active Directory; I don't know much about all that stuff, unfortunately.

Reply 00:34, 4 September 2014 10 years ago
217.8.59.207 (talkcontribs)

Got the same problem, turned off visual editor and ldapauth. Still getting the error.

Reply 09:53, 8 September 2014 10 years ago
217.8.59.207 (talkcontribs)

disabled dynamic page list (third party) .... now it saves

Reply 09:56, 8 September 2014 10 years ago
71.126.252.82 (talkcontribs)

Im not using dynamic page list. I am using dynamic sidebar, i will try turning that off. I noted above that i proved it had nothing to do with active directory. It has to be something with the wiki that it causing it i agree. Now how do i determine what it is? I only have FTp access to my wiki, no cpanel or SSH.

Reply 14:05, 8 September 2014 10 years ago
71.126.252.82 (talkcontribs)

I disabled DynamicSidebar and it worked. so there is a fight going on with the dynamic sidebar and dynamic page list.

Reply 14:10, 8 September 2014 10 years ago
217.8.59.207 (talkcontribs)

dynamic page list (mediawiki) is working for me... now having a look it the reduzed feature set will work on our wiki

Reply 07:38, 11 September 2014 10 years ago
StasR (talkcontribs)

I have experienced the same problem. I get message "This appears to be a cross-site request forgery; canceling save" when hitting save or preview. However if I disable Extension:ShortUrl everything works fine.

Mediawiki 1.23.5.

Reply Edited 06:40, 16 October 2014 10 years ago
Temptuousinsolence (talkcontribs)

I have the same issue ... I run a BlueSpice MW (2.23) on MediaWiki (1.23.7) with SMW 2.0 and I am unable to add attributes. In fact, the entire attribut thing appears to be broken:


    NO_VALID_VALUE mit Datentyp Text (0 Vorkommen)
    NO_VALID_VALUE mit Datentyp Zahl (0 Vorkommen)
    NO_VALID_VALUE mit Datentyp Quellcode (0 Vorkommen)
    NO_VALID_VALUE mit Datentyp Zahl (0 Vorkommen)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE mit Datentyp Datum (0 Vorkommen)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE mit Datentyp Wahrheitswert (0 Vorkommen)
    NO_VALID_VALUE mit Datentyp Seite (0 Vorkommen)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE (0)
    NO_VALID_VALUE mit Datentyp Datum (0 Vorkommen)

That looks quite strange

I tried fixing it through the SMW admin desk and an update in the terminal but to no avail. I try a second attempt in a VM with MW on 1.24.

Reply Edited 09:17, 11 December 2014 9 years ago
142.85.5.69 (talkcontribs)

Same Probleme here with BlueSpice 2.23, mediawiki 1.23.7 SemanticForms 3.1 (1b189e3). When i try to define a new propertie got this error : This appears to be a cross-site request forgery; canceling save.

Reply 12:34, 15 January 2015 9 years ago
142.85.5.69 (talkcontribs)

I found the source and a bypass to the problem. When Bluespice extension "WikiAdmin" is activated, it seams to remove the namespace created by the Semantic MediaWiki extention, to be more precise, the Property, Type and Concept Namespace (and there "talk" ones). So when Forms try to add something to a namespace that no longer exist, it give the cross-site request forgery. The bypass I found is not "by the book", but it works. Just create the namespaces somewhere else, I put them in the LocalSettings.php by adding these lines:

$wgExtraNamespaces[102] = "Property";
$wgExtraNamespaces[103] = "Property_talk";
$wgExtraNamespaces[104] = "Type";
$wgExtraNamespaces[105] = "Type_talk";
$wgExtraNamespaces[108] = "Concept";
$wgExtraNamespaces[109] = "Concept_talk";

Hope it helps!

Reply 14:13, 23 January 2015 9 years ago
142.85.5.69 (talkcontribs)

I found the source and a bypass to the problem. When Bluespice extension "WikiAdmin" is activated, it seams to remove the namespace created by the Semantic MediaWiki extention, to be more precise, the Property, Type and Concept Namespace (and there "talk" ones). So when Forms try to add something to a namespace that no longer exist, it give the cross-site request forgery. The bypass I found is not "by the book", but it works. Just create the namespaces somewhere else, I put them in the LocalSettings.php by adding these lines:

$wgExtraNamespaces[102] = "Property";
$wgExtraNamespaces[103] = "Property_talk";
$wgExtraNamespaces[104] = "Type";
$wgExtraNamespaces[105] = "Type_talk";
$wgExtraNamespaces[108] = "Concept";
$wgExtraNamespaces[109] = "Concept_talk";

Hope it helps!

Reply 14:13, 23 January 2015 9 years ago
Temptuousinsolence (talkcontribs)

Yes, it does ... curiously enough, it does not work with the language settings on "en", to whcih I had switched to in order to do some bugtracking with phpunit, but once I changed back to de and disabled my own namespace additions, it worked. Yet, I cannot say that I fully understand why. Nevertheless, thanks a lot ...

Reply 08:55, 26 January 2015 9 years ago
Nakohdo (talkcontribs)

Adding these extra namespaces did solve the problem for me on a MW 1.26.3,/ SMW 2.3.1 installation.

I don't have the Bluespice extension installed and Dynamic Page List running.

Language setting doesn't seem to have any effect.

Reply 18:55, 27 June 2016 8 years ago
27.33.94.164 (talkcontribs)

Yes for me too thanks!.. after trying a number of other work arounds, your solution worked on a clean install of MediaWiki/Bluespice and Semantic Mediawili.

Reply 07:16, 1 February 2015 9 years ago
92.217.74.228 (talkcontribs)

Sorry to say that, but I just installed the latest version of MediaWiki, and I run into the same problem. Unfortunately I do not use any of the extensions described on this page and none of the solutions mentioned worked for me. There still seems to be a bug in the code.

Reply 15:46, 9 December 2015 8 years ago
92.217.74.228 (talkcontribs)

Correction: The $wgExtraNamespaces-lines DID correct the problem. But it might be interesting for you to know that I do not use the extension "WikiAdmin" so this extension can not be the cause of the problem.

Reply 15:51, 9 December 2015 8 years ago
Stefahn (talkcontribs)

Had the same problem with a brand new MW 1.26.2 and SF 3.4.1 (fe2648a).

I could fix it by changing the value at which the SMW namespaces start.

I used $smwgNamespaceIndex = 108;

Reply Edited 13:17, 2 January 2016 8 years ago
JosefAssad (talkcontribs)

Same problem when saving a class.

MW: 1.26.2

SMW: 2.3.1

SF: 3.6-alpha (e827e19)

It's running on localhost for what it's worth.

Reply 12:03, 10 March 2016 8 years ago
95.210.108.61 (talkcontribs)

Just a note: for those encountering this after installing SMW/SF with Composer, don't forget that you still need to add enableSemantic('yourdomain.com') in your LocalSettings. Without it, you will get this error.

Reply 14:15, 10 May 2016 8 years ago
Nakohdo (talkcontribs)
Reply 18:46, 27 June 2016 8 years ago
Reply to "SemanticForms: False positive warning about cross-site request forgery when submitting edit"
Retrieved from "https://www.mediawiki.org/wiki/Topic:S1ndb9v7dbw9zn0i"