[Bps-public-commit] rt-extension-mobileui branch, master, updated. 1.02-1-ge6bbaa3
Kevin Falcone
falcone at bestpractical.com
Tue Aug 14 18:28:55 EDT 2012
The branch, master has been updated
via e6bbaa3429c6d4e72589f87c9ab425c566f9580a (commit)
from ed0fcf726fd39f56f06c4a18302cd9e135b8e314 (commit)
Summary of changes:
Changes | 5 +++++
lib/RT/Extension/MobileUI.pm | 7 +++++++
2 files changed, 12 insertions(+)
- Log -----------------------------------------------------------------
commit e6bbaa3429c6d4e72589f87c9ab425c566f9580a
Author: Kevin Falcone <falcone at bestpractical.com>
Date: Tue Aug 14 18:26:51 2012 -0400
Whitelist /m/tickets/search
This allows users to bookmark searches from their mobile devices without
running into the CSRF handler.
diff --git a/Changes b/Changes
index 16fbfc1..555d1fd 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,8 @@
+1.03
+
+* whitelist /m/tickets/search from RT's CSRF protection in case someone
+ bookmarks a search from their mobile device and wants to rerun it.
+
1.02
* Apply a number of XSS security fixes from 4.0-trunk, which resolve
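Review bot: the new 1.03 heading in Changes is not matched by a version bump in the module: the diffstat reports 12 insertions and no deletions, so $VERSION in lib/RT/Extension/MobileUI.pm is unchanged in this commit. Either bump $VERSION here or keep the entry under an "unreleased" heading until the release commit. The entry itself also omits the trade-off that the code comment spells out; since whitelisting a component removes RT's CSRF interstitial for it, stating that here ("searches can be triggered by a cross-site link; this is accepted for bookmarking") helps administrators decide before upgrading.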
diff --git a/lib/RT/Extension/MobileUI.pm b/lib/RT/Extension/MobileUI.pm
index c7980ec..acc5936 100644
--- a/lib/RT/Extension/MobileUI.pm
+++ b/lib/RT/Extension/MobileUI.pm
@@ -62,6 +62,13 @@ if (($ENV{'HTTP_USER_AGENT'} || '') =~ /(?:hiptop|Blazer|Novarra|Vagabond|SonyEr
}
+# while /m/tickets/search could be used to run a denial-of-service
+# attack against RT by tricking your browser into running inefficient
+# searches, it's really useful to be able to bookmark search results
+# so we allow direct access to it.
+$RT::Interface::Web::is_whitelisted_component{'/m/tickets/search'} = 1;
+
+
=head1 AUTHOR
Jesse Vincent E<lt>jesse at bestpractical.comE<gt>
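Review bot: the whitelist is unconditional, so an RT site that would rather keep the CSRF interstitial for mobile searches has no way to opt out short of patching the module; consider gating the assignment on a config value (for example a hypothetical `RT->Config->Get('MobileUIWhitelistSearch')`, name assumed) that defaults to enabled, which preserves the bookmarking behaviour while giving administrators a switch. The comment already acknowledges that whitelisting lets a cross-site link run arbitrary, possibly expensive, searches; it would be worth stating the mitigation that still applies (RT's existing search limits and timeouts, if any) or pointing to it in POD, since a reader of the Changes file will not see this comment. Minor style point: the hunk adds two blank lines before `=head1 AUTHOR`; one matches the spacing elsewhere in the file.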
-----------------------------------------------------------------------