[rt-users] Restrictions and limitations on use of ReferrerWhitelist, RestrictReferrer, RestrictReferrer (cross-site request forgery warning message)

Kevin Falcone falcone at bestpractical.com
Mon Oct 28 12:20:42 EDT 2013


On Sat, Oct 26, 2013 at 11:31:29PM -0700, Duncan Napier wrote:
> > As for @ReferrerWhitelist, you'd have to show an actual error message
> > to compare with the domains that you're whitelisting in order to know
> > what's wrong.  This is the preferred solution (white list the source
> > of your ticket form submissions).
> > 
> > -kevin
> 
> OK ... thanks for clarification. I think my problem with the Whitelist is that I have whitespace in my $Organization name. The Apache error log shows
> 
> [Fri Oct 25 20:03:48 2013] [error]: your $Organization setting (Another Company) appears to contain whitespace.  Please fix this. (/usr/local/rt/sbin/../lib/RT/Config.pm:505)
> [Fri Oct 25 20:03:48 2013] [notice]: Possible CSRF: your browser did not supply a Referrer header (/usr/local/rt/sbin/../lib/RT/Interface/Web.pm:1458)
> 
> Does Whitelist use $Organization as a reference/lookup? When I set RT
> up, using my domain didn't make much sense because MY domain is
> different from the organizational unit that I am supporting, so I put
> in the ACTUAL NAME of the other organizational unit I support. I
> realize now that spaces in $Organization are not allowed in RT, but I
> have not had any problems up to now. I am prepared to change it if
> necessary and I have seen instructions on this list to do an
> $Organization search-and-replace in MySQL to preserve links.

While this is an error, and will cause you problems in Linking and if
you ever use Articles, it is unrelated to your CSRF problem.

I actually meant the error message printed in the browser for the end
user.  Normally when linking from an external form, it will say
'invalid referrer' for the host of the external form.  However, if
you're getting no Referrer, why is that?

-kevin
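As an added illustration (not RT's own code), the following models the two outcomes discussed in this thread: a request with no Referer header is refused with a "Possible CSRF" notice, and a request whose Referer host is neither the RT host itself nor on the whitelist is refused as an invalid referrer. It assumes whitelist entries are written as host:port and uses constructed hostnames.

```python
from urllib.parse import urlsplit

# Constructed whitelist in host:port form (assumption: this mirrors the
# @ReferrerWhitelist style; it is a model of the check, not RT's code).
REFERRER_WHITELIST = {"forms.example.com:443", "intranet.example.com:80"}


def referrer_host_port(referer):
    """Return 'host:port' for a Referer URL, defaulting the port by scheme."""
    parts = urlsplit(referer)
    if not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname.lower()}:{port}"


def check_referrer(headers, own_host_port, whitelist=REFERRER_WHITELIST):
    """Classify a state-changing request by its Referer header.

    Returns (allowed, reason).  A missing header is refused, which is why
    the log line in the thread reads 'did not supply a Referrer header'.
    """
    referer = headers.get("Referer")
    if not referer:
        return False, "Possible CSRF: your browser did not supply a Referrer header"
    host_port = referrer_host_port(referer)
    if host_port is None:
        return False, "Possible CSRF: unparsable Referrer header"
    # Same-origin submissions and whitelisted external form hosts pass.
    if host_port == own_host_port or host_port in whitelist:
        return True, f"referrer {host_port} accepted"
    return False, f"invalid referrer: {host_port} is not whitelisted"


if __name__ == "__main__":
    rt = "rt.example.com:443"
    for hdrs in ({}, {"Referer": "https://forms.example.com/ticket"},
                 {"Referer": "http://other.example.net/x"}):
        print(check_referrer(hdrs, rt))
```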