[Rt-commit] rt branch, 4.0/referrer-whitelist-wildcards, created. rt-4.0.6-250-g54dd0b5

Thomas Sibley trs at bestpractical.com
Mon Jul 30 18:03:56 EDT 2012


The branch, 4.0/referrer-whitelist-wildcards has been created
        at  54dd0b5045d5fd73a9c594ded58dfd59c1c34ec4 (commit)

- Log -----------------------------------------------------------------
commit 54dd0b5045d5fd73a9c594ded58dfd59c1c34ec4
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Mon Jul 30 14:53:05 2012 -0700

    Allow simple wildcard matching in @ReferrerWhitelist
    
    Matching behaviour is modeled on the matching of SSL certificate CNs to
    domain names.

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 784d76c..192fada 100755
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1797,6 +1797,16 @@ If the "RT has detected a possible cross-site request forgery" error is triggere
 by a host:port sent by your browser that you believe should be valid, you can copy
 the host:port from the error message into this list.
 
+Simple wildcards, similar to SSL certificates, are allowed.  For example:
+
+    *.example.com:80    # matches foo.example.com
+                        # but not example.com
+                        #      or foo.bar.example.com
+
+    www*.example.com:80 # matches www3.example.com
+                        #     and www-test.example.com
+                        #     and www.example.com
+
 =cut
 
 Set(@ReferrerWhitelist, qw());
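Review bot: the new paragraph leaves the matching rule implicit and the reader has to infer it from the examples. It should say outright that `*` stands for zero or more letters, digits or hyphens within a single host-name label and never matches a `.` or the `:` before the port, that entries therefore still need an explicit port, and that a wildcard entry is compared case-insensitively while a plain entry is compared exactly. One sentence next to the examples, e.g. `A * matches zero or more hostname characters inside one label; it never matches a dot or the port separator.`, would stop users from writing `*example.com:80` in the expectation that it covers both `example.com` and its subdomains (it covers `example.com` and `fooexample.com`, but not `foo.example.com`).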
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 748caa3..ca50f68 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1233,7 +1233,19 @@ sub IsRefererCSRFWhitelisted {
     my $configs;
     for my $config ( $base_url, RT->Config->Get('ReferrerWhitelist') ) {
         push @$configs,$config;
-        return 1 if $referer->host_port eq $config;
+
+        my $host_port = $referer->host_port;
+        if ($config =~ /\*/) {
+            # Turn a literal * into a domain component or partial component match.
+            # Refer to http://tools.ietf.org/html/rfc2818#page-5
+            my $regex = join "[a-zA-Z0-9\-]*",
+                         map { quotemeta($_) }
+                       split /\*/, $config;
+
+            return 1 if $host_port =~ /^$regex$/i;
+        } else {
+            return 1 if $host_port eq $config;
+        }
     }
 
     return (0,$referer,$configs);
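Review bot: `split /\*/, $config` drops trailing empty fields, so an entry that ends in `*` (e.g. `localhost:*` to allow any port) silently loses its wildcard: the split yields only `localhost:`, the regex becomes `^localhost\:$`, and that can never match a `host:port` string, so the entry is dead without any error. Pass a negative limit, `split /\*/, $config, -1`, to keep the trailing field. Two smaller points in the same block: the wildcard branch matches with `/i` while the literal branch keeps the case-sensitive `eq`, so a Referer of `Example.com:80` matches `*.example.com:80` but not a literal `example.com:80`; host names are case-insensitive, so lowercase `$host_port` (and the config entry) once before comparing in both branches. And `$` still allows a trailing newline before the end; `\z` is the stricter anchor, even though `host_port` from URI should never carry one.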

-----------------------------------------------------------------------
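As an added example, not RT's code and not part of the patch above, here is a stand-alone Perl harness that re-implements the `*`-to-regex translation from the `IsRefererCSRFWhitelisted` hunk and runs the documented entries plus a few edge cases against constructed `host:port` strings. `entry_to_regex_keep_trailing` is an assumed variant using a `-1` split limit for comparison; it is not something the patch contains.

```perl
#!/usr/bin/env perl
# Added example, not RT's own code: re-implements the wildcard expansion from
# the IsRefererCSRFWhitelisted hunk so @ReferrerWhitelist entries can be
# checked offline before they go into RT_SiteConfig.pm.
use strict;
use warnings;

# Same translation as the patch: split on '*', quotemeta each piece, join
# with a run of hostname characters.  split() without a limit discards
# trailing empty fields, which is what makes a trailing '*' disappear.
sub entry_to_regex_as_patched {
    my ($entry) = @_;
    return join '[a-zA-Z0-9-]*', map { quotemeta($_) } split /\*/, $entry;
}

# Assumed variant (not in the patch): a limit of -1 keeps the trailing field.
sub entry_to_regex_keep_trailing {
    my ($entry) = @_;
    return join '[a-zA-Z0-9-]*', map { quotemeta($_) } split /\*/, $entry, -1;
}

# Mirrors the branch structure of the hunk: wildcard entries are matched
# case-insensitively, literal entries with a case-sensitive 'eq'.
sub matches {
    my ($entry, $host_port, $to_regex) = @_;
    if ($entry =~ /\*/) {
        my $regex = $to_regex->($entry);
        return $host_port =~ /^$regex$/i ? 1 : 0;
    }
    return $host_port eq $entry ? 1 : 0;
}

# Constructed host:port values in the form RT receives them from
# $referer->host_port (URI always supplies the port, so "example.com:80").
my @cases = (
    # entry                  host:port                  intended
    [ '*.example.com:80',    'foo.example.com:80',      1 ],
    [ '*.example.com:80',    'example.com:80',          0 ],
    [ '*.example.com:80',    'foo.bar.example.com:80',  0 ],
    [ 'www*.example.com:80', 'www3.example.com:80',     1 ],
    [ 'www*.example.com:80', 'www-test.example.com:80', 1 ],
    [ 'www*.example.com:80', 'www.example.com:80',      1 ],
    # edge cases the config documentation does not cover
    [ '*.example.com:80',    'FOO.EXAMPLE.COM:80',      1 ],  # /i on wildcard entries
    [ 'www.example.com:80',  'WWW.EXAMPLE.COM:80',      1 ],  # literal entries use 'eq' and fail
    [ 'localhost:*',         'localhost:8080',          1 ],  # trailing '*' is dropped as patched
);

printf "%-22s %-26s %-8s %-8s %s\n",
    'entry', 'host:port', 'patched', 'limit-1', 'intended';
for my $c (@cases) {
    my ($entry, $hp, $want) = @$c;
    printf "%-22s %-26s %-8d %-8d %d\n", $entry, $hp,
        matches($entry, $hp, \&entry_to_regex_as_patched),
        matches($entry, $hp, \&entry_to_regex_keep_trailing),
        $want;
}
```

The first six rows reproduce the behaviour the config documentation promises. The last three show where the patched code and the intended result diverge: the literal entry fails on a differently-cased Referer because only the wildcard branch uses `/i`, and `localhost:*` matches nothing at all unless the split keeps its trailing empty field.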

