[Rt-commit] rt branch, 3.8/whitelist-search-results, created. rt-3.8.13-4-ga833c21

Kevin Falcone falcone at bestpractical.com
Tue Aug 14 18:28:51 EDT 2012


The branch, 3.8/whitelist-search-results has been created
        at  a833c21a1ae3af496bbc208df8e81ea2cbec2e45 (commit)

- Log -----------------------------------------------------------------
commit a833c21a1ae3af496bbc208df8e81ea2cbec2e45
Author: Kevin Falcone <falcone at bestpractical.com>
Date:   Mon Aug 13 18:16:11 2012 -0400

    Whitelist Search/{Results.html,Simple.html}
    
    It's convenient to save or pass around links to search results rather
    than needing to save and share and then load the saved search.
    While there are potential issues here, it's much more user friendly
    to allow it.
    (cherry picked from commit 75a91cc3441fe1f71ea07d62a6dae4a5762b5562)

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index fd4be73..e944d68 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1031,6 +1031,13 @@ our %is_whitelisted_component = (
     # information for the search.  Because it's a straight-up read, in
     # addition to embedding its own auth, it's fine.
     '/NoAuth/rss/dhandler' => 1,
+
+    # While both of these can be used for denial-of-service against RT
+    # (construct a very inefficient query and trick lots of users into
+    # running them against RT) it's incredibly useful to be able to link
+    # to a search result or bookmark a result page.
+    '/Search/Results.html' => 1,
+    '/Search/Simple.html'  => 1,
 );
 
 sub IsCompCSRFWhitelisted {
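Review bot: the two new entries `'/Search/Results.html' => 1` and `'/Search/Simple.html' => 1` exempt these components from the CSRF check on path alone, so, as far as this hunk shows, the exemption covers every request to them regardless of method or arguments, while the comment above them explicitly accepts a denial-of-service vector (a crafted, very inefficient query linked to many users). If the whitelist mechanism can scope an entry to GET requests or to the parameters a bookmarkable result page actually needs, the exemption should be narrowed to that; otherwise the comment should state what, if anything, bounds the cost of a linked query (row limits, timeouts) so the accepted risk is documented rather than only named. The commit message's "potential issues" would also be clearer if it named the DoS concern the way this comment does.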

-----------------------------------------------------------------------