HTTP Upload: Token mismatch because of missing mime-type

Question

HTTP Upload: Token mismatch because of missing mime-type

Closed this issue 3 years ago · 4 comments

When uploading a file via HTTP upload to my prosody xmpp server, I get an error:

Upload error
Error transferring
https://xmpp-files.cweiske.de/share_v2.php/c36a3cba-5ae7-4e3b-80f3-11ccab196540/404-Dead_Link.jpg?v2=somehashbar

server replied: Forbidden; HTTP code 403, message: Forbidden

In my server's error logs, I see

PHP message: Token mismatch: calculated somehashfoo got somehashbar

I am using prosody's https://modules.prosody.im/mod_http_upload_external.html with share_v2.php.

The reason for the problem is that psi's http upload plugin does not send the Content-Type in the HTTP PUT request. This means that the server-side share_v2.php script falls back to using "application/octet-stream" as mime type, and calculates the wrong signature.

Psi's upload plugin already sends the correct mime type to the XMPP server to get the upload URL:

<iq from='foo@cweiske.de' id='ab51a' to='meet.cweiske.de' type='get'>
  <request xmlns='urn:xmpp:http:upload'>
    <filename>404-Dead_Link.jpg</filename>
    <size>19537</size>
    <content-type>image/jpeg</content-type>
  </request>
</iq>
<iq to="foo@cweiske.de/laptop" id="ab51a" from="meet.cweiske.de" type="result">
  <slot xmlns="urn:xmpp:http:upload">
    <get>https://xmpp-files.cweiske.de/share_v2.php/c36a3cba-5ae7-4e3b-80f3-11ccab196540/404-Dead_Link.jpg</get>
    <put>https://xmpp-files.cweiske.de/share_v2.php/c36a3cba-5ae7-4e3b-80f3-11ccab196540/404-Dead_Link.jpg?v2=somehashbar</put>
  </slot>
</iq>

It just fails to submit it via the actual upload.

Versions:

Psi+ v1.4.554 (2021-01-26, Psi:94590587, Psi+:7d675e3) (Debian Bullseye (testing))
http upload plugin 0.1.0 (that's what the plugin list says), package psi-plus-plugins 1.4.554-5

Answer 1 · 2021-05-02T09:49:00.000Z

"application/octet-stream" looks fine to me.
Well I can put it explicitly to the headers. Not sure if it helps.

Answer 2 · 2021-05-02T09:50:28.000Z

But then the XMPP request must include the same mime type. Currently it's sending <content-type>image/jpeg</content-type>.

Answer 3 · 2021-05-02T09:52:24.000Z

oh I see. Let me reread the xep

Answer 4 · 2021-05-02T09:55:18.000Z

https://xmpp.org/extensions/xep-0363.html#upload

The service SHOULD reject the file if the Content-Type has been specified beforehand and does not match.