Upload impex with curl

Former Member

Hello

I upgraded hybris from 5.0 to 6.0. After this, the following script doesn't work anymore:

 USER=admin
 PWD=nimda
 ADMIN=https://localhost:9002/admin
 FILE=myfile.impex
 
 curl -m 600 -c $COOKIE -b $COOKIE -o/dev/null -s -d j_username=$USER -d j_password=$PWD $ADMIN/j_spring_security_check
 
 RES=`curl -f -c $COOKIE -b $COOKIE -o- -s -D ${COOKIE}.hdr -F encoding="UTF-8" -F maxThreads=1 -F legacyMode=true -F _legacyMode=on -F validationEnum=IMPORT_STRICT -F file="@$FILE;type=octet/stream;filename=$(basename $FILE)" -F enableCodeExecution=true -F _enableCodeExecution=on "$ADMIN/console/impex/import/upload"`
 

The second curl returns a 403 Forbidden error. It seems that the authentication process for hybris has changed. Does anyone know how to fix it?

Regards

Andy

Accepted Solutions (1)

andyfletcher
Active Contributor

Yeah it's a pain. SAP have added cross site request forgery protection, which is a good thing considering the havoc you can wreak in the hac.

You need to pass the csrf token with your login and each subsequent request. I haven't tried with impex but I've done this to run Groovy from a script and I assume that it is similar.

  • Request login page /login.jsp

  • Parse the value of form field _csrf

  • Send login creds + field _csrf with the value you parsed above

  • Load the scripting page /console/scripting

  • Parse value of the _csrf http response header (it's different from the token we got previously!)

  • Send this value as an X-CSRF-Token http request header with each post request that you make (i.e. posting to /console/scripting/execute)

I gave up trying to do this from a bash script and wrote a groovy shell script to do it instead.

Answers (1)

Former Member

Thanks for pointing me in the right direction. Here is the working script part:

 # Log-In procedure...
 TOKEN=$(curl -b $COOKIE -c $COOKIE --request GET "$ADMIN/login.jsp" -s | awk -F 'name=\"_csrf\"' '/_csrf/ {print $2}' | cut -d '"' -f2)
 curl -H "X-CSRF-Token: $TOKEN" -b $COOKIE -c $COOKIE -o- -d j_username=$USER -d j_password=$PWD -d _csrf=$TOKEN "$ADMIN/j_spring_security_check" -s -k
 TOKEN2=$(curl -b $COOKIE -c $COOKIE --request GET "$ADMIN/console/impex/import" -s | awk -F 'name=\"_csrf\"' '/_csrf/ {print $2; exit}' | cut -d '"' -f2)
 
 echo "=== Importing script '$FILE' ==="
 RES=`curl -H "Referer: $ADMIN/console/impex/import/" -f -c $COOKIE -b $COOKIE -o- -s -D ${COOKIE}.hdr -F encoding="UTF-8" -F maxThreads=1 -F legacyMode=true -F _legacyMode=on -F validationEnum=IMPORT_STRICT -F file="@$FILE;type=octet/stream;filename=$(basename $FILE)" -F enableCodeExecution=true -F _enableCodeExecution=on "$ADMIN/console/impex/import/upload?_csrf="$TOKEN2`

andyfletcher
Active Contributor

Nice work! Thanks for sharing.
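
An added example, not part of the original thread or SAP's code: the flow from the two answers as shell functions, with a token parser that does not depend on attribute order and that stops when no token is found. `HAC_USER`, `HAC_PASS`, the function names and the sample HTML are assumptions; sending the token as an `X-CSRF-Token` header on the upload follows the accepted answer's description and was not confirmed in the thread for this endpoint.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. ADMIN, COOKIE and FILE are the thread's
# variables; HAC_USER and HAC_PASS are assumed names (PWD is the shell's own
# working-directory variable, so it is not reused for the password here).

# Print the _csrf token found in the HTML on stdin, or nothing if absent.
# Works whether value= comes before or after name= inside the <input> tag.
extract_csrf() {
  tr '\n' ' ' |
    grep -oE '<input[^>]*name="_csrf"[^>]*>' |
    head -n 1 |
    sed -nE 's/.*value="([^"]*)".*/\1/p'
}

# Fetch a page with the session cookie jar and print its token. Fails when no
# token is found, so a failed login never continues with an empty token.
page_token() {
  local token
  token=$(curl -s -b "$COOKIE" -c "$COOKIE" "$1" | extract_csrf)
  [ -n "$token" ] || { echo "no _csrf token in $1" >&2; return 1; }
  printf '%s\n' "$token"
}

# Log in, then upload $FILE with the same form fields the thread's script uses.
hac_import() {
  local t
  t=$(page_token "$ADMIN/login.jsp") || return 1
  curl -s -o /dev/null -b "$COOKIE" -c "$COOKIE" \
    --data-urlencode "j_username=$HAC_USER" \
    --data-urlencode "j_password=$HAC_PASS" \
    --data-urlencode "_csrf=$t" "$ADMIN/j_spring_security_check" || return 1
  # The token changes after login, so read it again from an authenticated page.
  t=$(page_token "$ADMIN/console/impex/import") || return 1
  # Header instead of ?_csrf= in the URL (assumption: the endpoint accepts it,
  # as the accepted answer describes); query strings end up in access logs.
  curl -f -s -b "$COOKIE" -c "$COOKIE" -H "X-CSRF-Token: $t" \
    -F encoding=UTF-8 -F maxThreads=1 -F legacyMode=true -F _legacyMode=on \
    -F validationEnum=IMPORT_STRICT \
    -F enableCodeExecution=true -F _enableCodeExecution=on \
    -F "file=@$FILE;type=octet/stream;filename=$(basename "$FILE")" \
    "$ADMIN/console/impex/import/upload"
}

# Constructed sample: value= precedes name= and the tag spans two lines,
# a layout the awk/cut pipeline in the thread would not parse.
SAMPLE_HTML='<form action="j_spring_security_check" method="post">
<input type="hidden" value="constructed-token-123"
       name="_csrf" /></form>'
```

Source the file and call `hac_import` after setting `ADMIN`, `COOKIE`, `FILE`, `HAC_USER` and `HAC_PASS`; nothing contacts the server until that function is called.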