[Rt-commit] rt branch, 4.2/csrf-whitelist, updated. rt-4.2.11-41-gde7a29d

Dustin Graves dustin at bestpractical.com
Wed Aug 5 11:20:55 EDT 2015


The branch, 4.2/csrf-whitelist has been updated
       via  de7a29d9e27f37694110f5c8b509275681dc6185 (commit)
       via  db4f98c31e96e5f207f6d738d51f5fb0806353a1 (commit)
      from  08a838ec750686805515207dcfb01760ad441719 (commit)

Summary of changes:
 lib/RT/Interface/Web.pm |  6 +++---
 t/web/csrf.t            | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+), 3 deletions(-)

- Log -----------------------------------------------------------------
commit db4f98c31e96e5f207f6d738d51f5fb0806353a1
Author: Dustin Graves <dustin at bestpractical.com>
Date:   Wed Aug 5 10:58:23 2015 -0400

    Made expression idiomatic

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 8edadd1..f96567f 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1396,6 +1396,8 @@ our @global_whitelisted_args = (
 );
 
 our %whitelisted_component_args = (
+    # This happens when you middle-(or ⌘ )-click "Edit" for a saved search on
+    # the homepage. It's not going to do any damage
     '/Search/Build.html' => ['SavedSearchLoad'],
 );
 
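Review bot: The new comment explains when the request happens but not why the parameter is safe to exempt, which is what the next person adding an entry to %whitelisted_component_args needs to judge. As far as the name and the accompanying t/web/csrf.t cases suggest, SavedSearchLoad only chooses which saved search the query builder displays and changes no state; if that is the case, say so: `# SavedSearchLoad only selects which saved search the query builder shows (no state change), so a GET carrying it alone is not a CSRF vector. Only add parameters here that are equally read-only.` The anecdote about middle-clicking "Edit" on the homepage can stay as a second line.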
@@ -1453,9 +1455,7 @@ sub AreCompCSRFParametersWhitelisted {
     my %leftover_args = %{ $ARGS };
 
     # Join global whitelist and component-specific whitelist
-    my @whitelisted_args = @global_whitelisted_args;
-    my $whitelisted_component_args_ref = $whitelisted_component_args{$sub};
-    @whitelisted_args = (@whitelisted_args, @{$whitelisted_component_args_ref}) if $whitelisted_component_args_ref;
+    my @whitelisted_args = (@global_whitelisted_args, @{ $whitelisted_component_args{$sub} || [] });
 
     for my $arg (@whitelisted_args) {
         delete $leftover_args{$arg};
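Review bot: The combined list is built correctly, but the hunk leaves the policy it feeds undocumented: judging from the name %leftover_args and the delete loop, the request is only exempt when every argument is whitelisted, and a single non-whitelisted argument still triggers the CSRF check (the new t/web/csrf.t cases rely on exactly that). A comment before the loop would pin that down: `# Remove every whitelisted arg; anything left over means the request is NOT exempt.` As a minor point, `// []` rather than `|| []` states the intent (missing key) more precisely, though both behave the same here since an array ref is always true. AreCompCSRFParametersWhitelisted begins and ends outside this hunk.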

commit de7a29d9e27f37694110f5c8b509275681dc6185
Author: Dustin Graves <dustin at bestpractical.com>
Date:   Wed Aug 5 11:20:32 2015 -0400

    Added unit tests

diff --git a/t/web/csrf.t b/t/web/csrf.t
index 9d95d06..fe18886 100644
--- a/t/web/csrf.t
+++ b/t/web/csrf.t
@@ -176,5 +176,26 @@ like($m->response->request->uri, qr{^http://[^/]+\Q/SelfService/Create.html\E\?C
 $m->title_is('Create a ticket');
 $m->content_contains('Describe the issue below:');
 
+my $searchBuildPath = '/Search/Build.html';
+# CSRF whitelist for /Search/Build.html param SavedSearchLoad
+$m->get_ok("$searchBuildPath?SavedSearchLoad=foo");
+$m->content_lacks('Possible cross-site request forgery');
+$m->title_is('Find tickets');
+
+# CSRF pass for /Search/Build.html no param
+$m->get_ok("$searchBuildPath");
+$m->content_lacks('Possible cross-site request forgery');
+$m->title_is('Find tickets');
+
+# CSRF fail for /Search/Build.html arbitrary param only
+$m->get_ok("$searchBuildPath?foo=bar");
+$m->content_contains('Possible cross-site request forgery');
+$m->title_is('Possible cross-site request forgery');
+
+# CSRF fail for /Search/Build.html arbitrary param with SavedSearchLoad
+$m->get_ok("$searchBuildPath?SavedSearchLoad=foo&foo=bar");
+$m->content_contains('Possible cross-site request forgery');
+$m->title_is('Possible cross-site request forgery');
+
 undef $m;
 done_testing;
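Review bot: The four cases check the whitelist from the /Search/Build.html side only; nothing verifies that the exemption is scoped to that component, which is the property that keeps a per-component allowlist from becoming a global one. Add one case that sends SavedSearchLoad=foo to a component that is not otherwise CSRF-exempt and asserts `content_contains('Possible cross-site request forgery')` — something like `$m->get_ok("[NON_WHITELISTED_COMPONENT_PATH]?SavedSearchLoad=foo");` followed by the same two assertions as the failing cases above (placeholder path to be chosen from the RT UI). On style, `$searchBuildPath` should be `$search_build_path` to match the lower_snake_case convention of the surrounding test, and `$m->get_ok("$searchBuildPath")` does not need the interpolating quotes.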

-----------------------------------------------------------------------

