This question has been flagged
4 Replies
20866 Views
attachmentsvalidationfailedwebsiteCSRF
Avatar
Jakub Šedinár

Hello Guys,

I was kind of editing website layout (main layout, footers etc) and yesterday I noticed that when I want to add attachment (picture) via website wizard its not working – gives rounding arrows but no error in browser but I found Warning in logs: 20390 WARNING yyy.com openerp.http: CSRF validation failed on path '/web_editor/attachment/add'

Its working via attachments in settings window within administration part. Has anyone some though where the problem could be?

Site where I am working is kind of sensitive. So, If anyone has some idea or wanna help me directly, please contact me and I can provide more detailed data - what I cannot is access to the site - its just on the other database its working properly. So Its not in nginx proxy or something with sources. If communication will go outside of forum, I will share solution if we found any. 


Thanks

Jakub

Avatar
Discard
Avatar
Jakub Šedinár
Author Best Answer

okay, found the problem - there was some mistake, blankspace or I do not know what exactly -

Main Layout

            <script type="text/javascript">
                odoo.define('web.csrf', function (require) {
                    var token = "<t t-esc="request.csrf_token(None)"/>";
                    require('web.core').csrf_token = token;
                    require('qweb').default_dict.csrf_token = token;
                });
            </script>
Avatar
Discard
Jakub Šedinár
Author

well, It seems that when you push "format" on main layout cause the issue... it happend multiple times to me...

Avatar
peter
Best Answer

Hi Jakub, I am new to Odoo10 and i have the same problem when uploading an image from the website editor. I added the javascript block to the Main Layout code but the upload issue still there.

Avatar
Discard
peter

I have tested that upload fails only for SSL site. It works fine if i disable SSL. Any advise on how to fix this is much appreciated.

Jakub Šedinár
Author

Hello Peter,

I am using ssl and its working - maybe your ssl config is wrong. What are you using? Nginx as reverse proxy to do that?

Anyway, how to edit Main Layout, when you are logged and on website, there is panel on top of page. There is Customize, select HTML editor, in dropdown find Main Layout and locate the script - In Odoo 10 I was able to locate not in Main Layout but in Web Layout.

There is this code:

<script type="text/javascript">

var odoo = {

csrf_token: "<t t-esc="request.csrf_token(None)"/>",

};

</script>

Try replace whole script part if your ssl config is right.

Good luck

peter

Hi Jakub, my nginx setting is as follows:

:

server {

listen 443 ssl http2 default_server;

listen [::]:443 ssl http2 default_server;

server_name demo.server.com;

ssl on;

ssl_certificate "/opt/odoo10/ssl/certificate.crt";

ssl_certificate_key "/opt/odoo10/ssl/private.key";

# SSL config recommendation : https://cipherli.st/

ssl_protocols TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

ssl_session_cache shared:SSL:10m;

ssl_session_tickets off; # Requires nginx >= 1.5.9

ssl_stapling on; # Requires nginx >= 1.3.7

ssl_stapling_verify on; # Requires nginx => 1.3.7

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

add_header X-Frame-Options DENY;

add_header X-Content-Type-Options nosniff;

# configures NGINX to wait no more than 10 seconds between writes

# from the client for either headers or body

client_body_timeout 10s;

client_header_timeout 10s;

proxy_read_timeout 720s;

proxy_connect_timeout 720s;

proxy_send_timeout 720s;

## If you use https make sure you disable gzip compression

## to be safe against BREACH attack.

gzip off;

# Load configuration files for the default server block.

include /etc/nginx/default.d/*.conf;

location / {

limit_conn addr 10;

proxy_redirect off;

proxy_set_header Host $host;

proxy_set_header X-Forwarded-Host $host;

proxy_set_header X-Forwarded-Server $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_pass http://127.0.0.1:8069;

}

location /longpolling {

proxy_pass http://127.0.0.1:8072;

}

error_page 404 /404.html;

location = /40x.html {

}

error_page 500 502 503 504 /50x.html;

location = /50x.html {

}

}

peter

Hi Jakub, you are right. Its the SSL config that is causing the upload issue. Thanks!

Jakub Šedinár
Author

After anonymization, this is my nginx config. Feel free to use it :)

server {

listen 80;

server_name server;

return 301 https://$host$request_uri;

}

server {

listen 443;

server_name server;

ssl on;

ssl_certificate /etc/letsencrypt/live/server/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/server/privkey.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_dhparam /etc/nginx/ssl/dh_param.pem;

location / {

proxy_pass http://127.0.0.1:8069/;

proxy_set_header Host $http_host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-FORWARDED_PROTO https;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Host $host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

}

location ^~ /web/database { deny all; }

access_log /var/log/nginx/server-access.log;

error_log /var/log/nginx/server-error.log;

}

Jakub Šedinár
Author

so Peter, did my config help?

Avatar
john sebastian salcedo henao
Best Answer

Thanks a lot for this solution.

Avatar
Discard