HTTP Upload: Token mismatch because of missing mime-type
Closed this issue · 4 comments
When uploading a file via HTTP upload to my prosody xmpp server, I get an error:
Upload error
Error transferring
https://xmpp-files.cweiske.de/share_v2.php/c36a3cba-5ae7-4e3b-80f3-11ccab196540/404-Dead_Link.jpg?v2=somehashbar
- server replied: Forbidden; HTTP code 403, message: Forbidden
In my server's error logs, I see
PHP message: Token mismatch: calculated somehashfoo got somehashbar
I am using prosody's https://modules.prosody.im/mod_http_upload_external.html with share_v2.php.
The reason for the problem is that psi's http upload plugin does not send the Content-Type in the HTTP PUT request. This means that the server-side share_v2.php script falls back to using "application/octet-stream" as mime type, and calculates the wrong signature.
Psi's upload plugin already sends the correct mime type to the XMPP server to get the upload URL:
<iq from='foo@cweiske.de' id='ab51a' to='meet.cweiske.de' type='get'>
  <request xmlns='urn:xmpp:http:upload'>
    <filename>404-Dead_Link.jpg</filename>
    <size>19537</size>
    <content-type>image/jpeg</content-type>
  </request>
</iq>
<iq to="foo@cweiske.de/laptop" id="ab51a" from="meet.cweiske.de" type="result">
  <slot xmlns="urn:xmpp:http:upload">
    <get>https://xmpp-files.cweiske.de/share_v2.php/c36a3cba-5ae7-4e3b-80f3-11ccab196540/404-Dead_Link.jpg</get>
    <put>https://xmpp-files.cweiske.de/share_v2.php/c36a3cba-5ae7-4e3b-80f3-11ccab196540/404-Dead_Link.jpg?v2=somehashbar</put>
  </slot>
</iq>
It just fails to submit it via the actual upload.
Versions:
- Psi+ v1.4.554 (2021-01-26, Psi:94590587, Psi+:7d675e3) (Debian Bullseye (testing))
- http upload plugin 0.1.0 (that's what the plugin list says), package psi-plus-plugins 1.4.554-5
"application/octet-stream" looks fine to me.
Well I can put it explicitly to the headers. Not sure if it helps.
But then the XMPP request must include the same mime type. Currently it's sending <content-type>image/jpeg</content-type>.
Oh, I see. Let me reread the XEP.
https://xmpp.org/extensions/xep-0363.html#upload
The service SHOULD reject the file if the Content-Type has been specified beforehand and does not match.
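
The mismatch discussed in this thread, reproduced as an added Python example; it is not code from the issue, from Psi or from share_v2.php. It assumes the v2 token is the hex HMAC-SHA256 of file path, size and content type joined by NUL bytes; the secret, the function names and the status codes are constructed for illustration.

```python
import hashlib
import hmac

# Constructed values: the secret is made up; path, size and type mirror the stanza above.
SECRET = b"constructed-demo-secret"
FILE_PATH = "c36a3cba-5ae7-4e3b-80f3-11ccab196540/404-Dead_Link.jpg"
FILE_SIZE = 19537
DEFAULT_TYPE = "application/octet-stream"


def v2_token(secret, file_path, size, content_type):
    """Assumed v2 scheme: hex HMAC-SHA256 over path, size and type joined by NUL."""
    signed = f"{file_path}\0{size}\0{content_type}".encode()
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def issue_slot(secret, file_path, size, content_type):
    """XMPP side (hypothetical helper): sign the values from the <request/> stanza."""
    return v2_token(secret, file_path, size, content_type)


def check_put(secret, file_path, headers, token):
    """Upload side (hypothetical helper): recompute the token from the PUT headers."""
    headers = {k.lower(): v for k, v in headers.items()}
    size = headers.get("content-length")
    if size is None:
        return 400, "missing Content-Length"
    # Fallback described in the issue: no Content-Type header means octet-stream.
    ctype = headers.get("content-type", DEFAULT_TYPE)
    expected = v2_token(secret, file_path, size, ctype)
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected, token):
        return 403, f"token mismatch, upload was checked as {ctype!r}"
    return 201, "created"


def demo():
    """Slot requested as image/jpeg, then PUT without and with a Content-Type header."""
    token = issue_slot(SECRET, FILE_PATH, FILE_SIZE, "image/jpeg")
    bare = check_put(SECRET, FILE_PATH, {"Content-Length": "19537"}, token)
    typed = check_put(SECRET, FILE_PATH,
                      {"Content-Length": "19537", "Content-Type": "image/jpeg"}, token)
    return bare[0], typed[0]


if __name__ == "__main__":
    print(demo())
```

Because the content type is part of the signed string, the type in the slot request and the type in the PUT header must be identical, whichever value the client chooses.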