[Rt-commit] rt branch, 4.2/csrf-whitelist, repushed
Dustin Graves
dustin at bestpractical.com
Thu Aug 6 10:19:51 EDT 2015
The branch 4.2/csrf-whitelist was deleted and repushed:
was 583a6f47013ee172daee71af82523b60ca8eacfe
now 76ce2968dcb2f783640e4f7f74b466e5ebe2cd9e
1: 583a6f4 ! 1: 76ce296 add CSRF whitelist for component parameters
@@ -112,14 +112,15 @@
- delete $args{NotMobile};
+ # Join global whitelist and component-specific whitelist
+ my @whitelisted_args = (@GLOBAL_WHITELISTED_ARGS, @{ $WHITELISTED_COMPONENT_ARGS{$sub} || [] });
-
-- # If there are no arguments, then it's likely to be an idempotent
-- # request, which are not susceptible to CSRF
-- return 1 if !%args;
++
+ for my $arg (@whitelisted_args) {
+ delete $leftover_args{$arg};
+ }
+ # If there are no arguments, then it's likely to be an idempotent
+ # request, which are not susceptible to CSRF
+- return 1 if !%args;
+-
- return 0;
+ return !%leftover_args;
}
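Review bot: the retained comment "If there are no arguments, then it's likely to be an idempotent request" now sits directly above "return !%leftover_args;", and no longer describes what that line tests. The function now also returns true when the request carries arguments, as long as every one of them is in @GLOBAL_WHITELISTED_ARGS or in the $WHITELISTED_COMPONENT_ARGS{$sub} list. Please reword the comment to say that a request is treated as safe when nothing remains after the whitelisted arguments are removed. Please also document next to the two whitelists that an argument may be listed only if it cannot cause a state change, since a global entry is exempted for every component.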