[rt-users] rt-users Digest, Vol 115, Issue 35

Duncan Napier dgnapier at sfu.ca
Fri Oct 25 16:17:40 EDT 2013


> Date: Tue, 22 Oct 2013 13:08:05 -0400
> From: Kevin Falcone <falcone at bestpractical.com>
> To: rt-users at lists.bestpractical.com
> Subject: Re: [rt-users] Restrictions and limitations on use of
> 	ReferrerWhitelist, RestrictReferrer, RestrictReferrer (cross-site
> 	request forgery warning message)
> Message-ID: <20131022170805.GY37001 at jibsheet.com>
> Content-Type: text/plain; charset="us-ascii"
> 
> On Mon, Oct 21, 2013 at 03:30:08PM -0700, Duncan Napier wrote:
>
> > 
> > ReferrerWhitelist [(Set(@ReferrerWhitelist, qw(*.example.com:443
> > *.example.com:80));] and Set RestrictLoginReferrer=0 do not seem to
> > work at all and all users, privileged and unprivileged and all
> > users
> > get the cross-site request forgery message.
> 
> 
> As for @ReferrerWhitelist, you'd have to show an actual error message
> to compare with the domains that you're whitelisting in order to know
> what's wrong.  This is the preferred solution (white list the source
> of your ticket form submissions).
> 
> -kevin

OK ... thanks for clarification. I think my problem with the Whitelist is that I have whitespace in my $Organization name. The Apache error log shows:

[Fri Oct 25 20:03:48 2013] [error]: your $Organization setting (Another Company) appears to contain whitespace.  Please fix this. (/usr/local/rt/sbin/../lib/RT/Config.pm:505)
[Fri Oct 25 20:03:48 2013] [notice]: Possible CSRF: your browser did not supply a Referrer header (/usr/local/rt/sbin/../lib/RT/Interface/Web.pm:1458)

Does Whitelist use $Organization as a reference/lookup? When I set RT up, using my domain didn't make much sense because MY domain is different from the organizational unit that I am supporting, so I put in the ACTUAL NAME of the other organizational unit I support. I realize now that spaces in $Organization are not allowed in RT, but I have not had any problems up to now. I am prepared to change it if necessary and I have seen instructions on this list to do an $Organization search-and-replace in MySQL to preserve links.


