[rt-users] Restrictions and limitations on use of ReferrerWhitelist, RestrictReferrer, RestrictReferrer (cross-site request forgery warning message)

Duncan Napier dgnapier at sfu.ca
Sun Oct 27 02:31:29 EDT 2013


[Sorry ... a repost. I sent this one with a generic Subject: rather than the problem-specific one.]

> Date: Tue, 22 Oct 2013 13:08:05 -0400
> From: Kevin Falcone <falcone at bestpractical.com>
> To: rt-users at lists.bestpractical.com
> Subject: Re: [rt-users] Restrictions and limitations on use of
> 	ReferrerWhitelist, RestrictReferrer, RestrictReferrer (cross-site
> 	request forgery warning message)
> Message-ID: <20131022170805.GY37001 at jibsheet.com>
> Content-Type: text/plain; charset="us-ascii"
> 
> On Mon, Oct 21, 2013 at 03:30:08PM -0700, Duncan Napier wrote:
>
> > 
> > ReferrerWhitelist [(Set(@ReferrerWhitelist, qw(*.example.com:443
> > *.example.com:80));] and Set RestrictLoginReferrer=0 do not seem to
> > work at all, and all users, privileged and unprivileged,
> > get the cross-site request forgery message.
> 
> 
> As for @ReferrerWhitelist, you'd have to show an actual error message
> to compare with the domains that you're whitelisting in order to know
> what's wrong.  This is the preferred solution (white list the source
> of your ticket form submissions).
> 
> -kevin

OK ... thanks for clarification. I think my problem with the Whitelist is that I have whitespace in my $Organization name. The Apache error log shows

[Fri Oct 25 20:03:48 2013] [error]: your $Organization setting (Another Company) appears to contain whitespace.  Please fix this. (/usr/local/rt/sbin/../lib/RT/Config.pm:505)
[Fri Oct 25 20:03:48 2013] [notice]: Possible CSRF: your browser did not supply a Referrer header (/usr/local/rt/sbin/../lib/RT/Interface/Web.pm:1458)

Does Whitelist use $Organization as a reference/lookup? When I set RT up, using my domain didn't make much sense because MY domain is different from the organizational unit that I am supporting, so I put in the ACTUAL NAME of the other organizational unit I support. I realize now that spaces in $Organization are not allowed in RT, but I have not had any problems up to now. I am prepared to change it if necessary, and I have seen instructions on this list to do an $Organization search-and-replace in MySQL to preserve links. 

-- 

                                 Regards,

                                 Duncan.

-----------------------------------------------------------------------
Duncan Napier
duncan_napier at sfu.ca
http://www.sfu.ca/~dgnapier/
IT & Instrumentation Consultant
Dept of Molecular Biology and Biochemistry
Simon Fraser University

"It takes ten years to become good at being a kid. Then another ten years
to become good at not being a kid" - Larry Wall.
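As an added illustration, not RT's own code and not part of the thread above: a small Python model of a referer whitelist check in the shape the configuration in this message uses, with entries of the form host:port and '*' as a hostname-label wildcard. The wildcard expansion, the $WebBaseURL value, the whitelist and the sample Referer values are all my assumptions and constructed inputs, not copied from RT. The point the example makes concrete is the one the second Apache log line records: a request that carries no Referer header at all is a different failure from a Referer that is present but not whitelisted, and only the latter can be addressed by adding a whitelist entry.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed $WebBaseURL and @ReferrerWhitelist (constructed, not from the thread).
WEB_BASE_URL = "https://rt.example.com"
REFERRER_WHITELIST = ["*.example.com:443", "*.example.com:80"]

# Constructed sample Referer values, one per outcome; None models a browser
# (or privacy proxy) that sends no Referer header at all.
SAMPLES = {
    "missing": None,
    "form_https": "https://forms.example.com/ticket.html",
    "form_http": "http://intranet.example.com/rt-form",
    "rt_itself": "https://rt.example.com/Ticket/Create.html",
    "lookalike": "https://rt.example.com.attacker.net/",
    "other_site": "https://attacker.net/csrf.html",
}


def normalize_host_port(url):
    """Reduce a URL to 'host:port', filling in the scheme's default port."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower(), 0)
    return f"{host}:{port}"


def entry_matches(entry, host_port):
    """Match one whitelist entry against a normalized referer host:port.

    A '*' stands for a run of hostname-label characters and never a dot
    (assumed wildcard semantics), so '*.example.com:443' does not match
    'rt.example.com.attacker.net:443'.  Entries without '*' must match
    the whole host:port exactly.
    """
    if "*" in entry:
        pattern = "[a-zA-Z0-9-]*".join(re.escape(p) for p in entry.split("*"))
        return re.fullmatch(pattern, host_port, re.IGNORECASE) is not None
    return entry.lower() == host_port


def check_referer(referer, web_base_url, whitelist):
    """Return (allowed, reason).

    A missing Referer is reported as its own outcome: no whitelist entry
    can ever match a header that was not sent.
    """
    if not referer:
        return False, "no Referer header"
    host_port = normalize_host_port(referer)
    # RT's own base URL is always acceptable, then the configured entries.
    for entry in [normalize_host_port(web_base_url), *whitelist]:
        if entry_matches(entry, host_port):
            return True, f"matched {entry}"
    return False, f"{host_port} not whitelisted"


def run_samples():
    """Evaluate every constructed sample; returns {name: (allowed, reason)}."""
    return {
        name: check_referer(ref, WEB_BASE_URL, REFERRER_WHITELIST)
        for name, ref in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:10s} {'allow' if ok else 'DENY':5s} {why}")
```

Run it as a script to see one line per sample. Note that the lookalike host is rejected because the wildcard cannot span a dot, and that the "missing" case is rejected with a reason no whitelist change would alter; when the log says the browser supplied no Referrer header, the fix lies with whatever strips or suppresses the header on the submitting side, not with @ReferrerWhitelist.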
