[Bps-public-commit] rt-extension-mobileui branch, master, updated. 1.02-1-ge6bbaa3

Kevin Falcone falcone at bestpractical.com
Tue Aug 14 18:28:55 EDT 2012


The branch, master has been updated
       via  e6bbaa3429c6d4e72589f87c9ab425c566f9580a (commit)
      from  ed0fcf726fd39f56f06c4a18302cd9e135b8e314 (commit)

Summary of changes:
 Changes                      | 5 +++++
 lib/RT/Extension/MobileUI.pm | 7 +++++++
 2 files changed, 12 insertions(+)

- Log -----------------------------------------------------------------
commit e6bbaa3429c6d4e72589f87c9ab425c566f9580a
Author: Kevin Falcone <falcone at bestpractical.com>
Date:   Tue Aug 14 18:26:51 2012 -0400

    Whitelist /m/tickets/search
    
    This allows users to bookmark searches from their mobile devices without
    running into the CSRF handler.

diff --git a/Changes b/Changes
index 16fbfc1..555d1fd 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,8 @@
+1.03
+
+* whitelist /m/tickets/search from RT's CSRF protection in case someone
+  bookmarks a search from their mobile device and wants to rerun it.
+
 1.02
 
 * Apply a number of XSS security fixes from 4.0-trunk, which resolve
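Review bot: The Changes entry for 1.03 describes the benefit of the whitelist but not the trade-off that the code comment in MobileUI.pm acknowledges (the component can be driven into running inefficient searches by a third-party page). Administrators read Changes when deciding whether to upgrade, so the entry should state that this removes RT's CSRF check for one read-only search path, e.g. "* whitelist /m/tickets/search from RT's CSRF protection so bookmarked mobile searches can be rerun; note this exposes the search to cross-site requests", and the 1.03 heading should carry a date like the entries below it if that is the file's convention.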
diff --git a/lib/RT/Extension/MobileUI.pm b/lib/RT/Extension/MobileUI.pm
index c7980ec..acc5936 100644
--- a/lib/RT/Extension/MobileUI.pm
+++ b/lib/RT/Extension/MobileUI.pm
@@ -62,6 +62,13 @@ if (($ENV{'HTTP_USER_AGENT'} || '') =~ /(?:hiptop|Blazer|Novarra|Vagabond|SonyEr
 
 }
 
+# while /m/tickets/search could be used to run a denial-of-service
+# attack against RT by tricking your browser into running inefficient
+# searches, it's really useful to be able to bookmark search results
+# so we allow direct access to it.
+$RT::Interface::Web::is_whitelisted_component{'/m/tickets/search'} = 1;
+
+
 =head1 AUTHOR
 
 Jesse Vincent E<lt>jesse at bestpractical.comE<gt>
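Review bot: The whitelist is applied unconditionally at module load, with no way for an administrator to keep RT's CSRF protection on this path; since the comment itself concedes the cross-site denial-of-service concern, consider gating the assignment behind a configuration option (e.g. only set `$RT::Interface::Web::is_whitelisted_component{'/m/tickets/search'} = 1;` when an extension-specific RT config flag is enabled, defaulting to whatever this release considers the safer choice), and document that option in the POD. Two smaller points: the comment should name the concern precisely (the check being bypassed is RT's CSRF handler, as the commit message says, and the risk is resource exhaustion via crafted search queries rather than a generic "denial-of-service attack"), and because the code writes directly into a package hash in RT::Interface::Web, the POD or Changes should record the minimum RT version in which that hash exists so the assignment does not silently do nothing on older installs.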

-----------------------------------------------------------------------
