[Rt-commit] rt branch, 4.2/csrf-whitelist, created. rt-4.2.11-38-g28d3882

Dustin Graves dustin at bestpractical.com
Mon Aug 3 16:44:48 EDT 2015


The branch, 4.2/csrf-whitelist has been created
        at  28d388288fa67217aa801e27cd63044182470f86 (commit)

- Log -----------------------------------------------------------------
commit 28d388288fa67217aa801e27cd63044182470f86
Author: Dustin Graves <dustin at bestpractical.com>
Date:   Mon Aug 3 16:40:24 2015 -0400

    add CSRF whitelist for component parameters
    
    In particular, the SavedSearchLoad parameter of /Search/Build.html is
    whitelisted; no other parameters are.
    
    Fixes: I#31090

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 413c165..b633aaf 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1376,6 +1376,10 @@ our %is_whitelisted_component = (
     '/Ticket/ShowEmailRecord.html' => 1,
 );
 
+our %is_whitelisted_component_parameter = (
+    '/Search/Build.html' => { 'SavedSearchLoad' => 1 },
+);
+
 # Components which are blacklisted from automatic, argument-based whitelisting.
 # These pages are not idempotent when called with just an id.
 our %is_blacklisted_component = (
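Review bot: The new `%is_whitelisted_component_parameter` hash carries no comment, unlike the neighbouring `%is_blacklisted_component`, whose comment states both its purpose and the constraint on entries. Every parameter listed here is removed before the argument count decides whether the request is treated as idempotent, so an entry exempts cross-site requests carrying only that parameter from the CSRF interstitial, and the hash should say so: `# Per-component parameters that are ignored when deciding whether a request is CSRF-safe. List only parameters that select what to display and never create, modify or delete anything.` Whether SavedSearchLoad itself meets that bar is not visible from this diff.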
@@ -1437,6 +1441,12 @@ sub IsCompCSRFWhitelisted {
     # in the session related to which interface you get.
     delete $args{NotMobile};
 
+    # Whitelist compontent parameters
+    my %is_whitelisted_arg = %{$is_whitelisted_component_parameter{$comp}};
+    for my $arg (keys %is_whitelisted_arg) {
+        delete $args{$arg} if $is_whitelisted_arg{$arg};
+    }
+
     # If there are no arguments, then it's likely to be an idempotent
     # request, which are not susceptible to CSRF
     return 1 if !%args;
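Review bot: `%{$is_whitelisted_component_parameter{$comp}}` dereferences undef for every component without an entry in the hash, which after this commit is every page except /Search/Build.html; if strict refs is in effect for this module, as is usual, that dies with "Can't use an undefined value as a HASH reference" instead of falling through to the remaining checks. Default to an empty hash: `my %is_whitelisted_arg = %{ $is_whitelisted_component_parameter{$comp} || {} };`. The comment on the added block also misspells "component". IsCompCSRFWhitelisted begins and ends outside the hunk, so whether any caller traps the exception cannot be seen here.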

-----------------------------------------------------------------------

