[Rt-commit] rt branch, 4.2/rest-search-refactor, updated. rt-4.0.1-240-g862b6b8

? sunnavy sunnavy at bestpractical.com
Tue Jun 28 10:58:31 EDT 2011


The branch, 4.2/rest-search-refactor has been updated
       via  862b6b8f3a75128b9ab37447c28fc3aa9e8edc93 (commit)
      from  9f76037b39e2731dc7d056ecb0c55ddc795fd789 (commit)

Summary of changes:
 share/html/REST/1.0/search/dhandler |   34 +++++++++++++++++++++++++++++-----
 1 files changed, 29 insertions(+), 5 deletions(-)

- Log -----------------------------------------------------------------
commit 862b6b8f3a75128b9ab37447c28fc3aa9e8edc93
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Tue Jun 28 22:29:15 2011 +0800

    whitelist of restful search fields
    
    This is better than only blacklisting the hardcoded "password" field.

diff --git a/share/html/REST/1.0/search/dhandler b/share/html/REST/1.0/search/dhandler
index 7cc4669..118867b 100755
--- a/share/html/REST/1.0/search/dhandler
+++ b/share/html/REST/1.0/search/dhandler
@@ -136,12 +136,14 @@ if ( $type =~ /^(ticket|queue|user|group)$/i ) {
                 goto OUTPUT;
             }
 
+            if ( ! $search_whitelist{$type}{lc $field} ) {
+                $status = "400 Bad Request";
+                $output = "Invalid field specification: $field";
+                goto OUTPUT;
+            }
+
+
             if ( $field && $op && defined $value ) {
-                if ( $type eq 'user' && $field =~ /password/i ) {
-                    $status = "400 Bad Request";
-                    $output = "Invalid field specification: $field";
-                    goto OUTPUT;
-                }
 
                 $objects->Limit(
                     FIELD    => $field,
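Review bot: The new lookup `$search_whitelist{$type}{lc $field}` lowercases the field but not the type, while the enclosing condition shown in the hunk header accepts `$type` case-insensitively and the `%search_whitelist` added by this commit has only lowercase `queue`, `user` and `group` keys and no `ticket` key at all. Unless `$type` is normalised earlier in the component and ticket searches leave this branch before this point, a request with type `User` or any per-field ticket search now fails with 400 Bad Request. The check also runs before the existing `$field && $op && defined $value` guard, so an empty `$field` that used to be skipped is now rejected, which may or may not be intended. I would key the lookup consistently and keep it fail-closed for unknown types, `my $allowed = $search_whitelist{ lc $type };` / `if ( !$allowed || !$allowed->{ lc $field } ) {`, and add a `ticket` entry to the whitelist if tickets do reach here. The enclosing `if ( $type =~ ... )` block and the loop it contains start and end outside this hunk.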
@@ -239,3 +241,25 @@ OUTPUT:
 $m->out("RT/". $RT::VERSION . " " . $status ."\n\n");
 $m->out($output );
 </%INIT>
+
+<%ONCE>
+my %search_whitelist = (
+    queue => {
+        map { lc $_ => 1 }
+          grep { $RT::Record::_TABLE_ATTR->{'RT::Queue'}{$_}{read} }
+          keys %{ $RT::Record::_TABLE_ATTR->{'RT::Queue'} }
+    },
+    user => {
+        map { lc $_ => 1 }
+          grep { $RT::Record::_TABLE_ATTR->{'RT::User'}{$_}{read} }
+          keys %{ $RT::Record::_TABLE_ATTR->{'RT::User'} }
+    },
+    group => {
+        map { lc $_ => 1 }
+          grep { $RT::Record::_TABLE_ATTR->{'RT::Group'}{$_}{read} }
+          keys %{ $RT::Record::_TABLE_ATTR->{'RT::Group'} }
+    }
+);
+
+</%ONCE>
+
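Review bot: The whitelist keys on `_TABLE_ATTR->{...}{$_}{read}`, which says whether a column is readable through the object's accessors, not whether it is safe to filter on; if RT's accessor table marks `Password` readable (it normally must be, for the object to load the hash at all), this commit silently drops the explicit password exclusion it removes in the first hunk and a `user` search can again probe password hashes with `LIKE` one character at a time, and the same applies to any other secret-bearing column the table flags readable (e.g. an auth-token column, if the users table has one). I would keep the derivation from `read` but subtract a small explicit deny-list, and build the three tables in one loop so they cannot drift apart. Separately, the list is evaluated once in `<%ONCE>` when the component first loads; if `$RT::Record::_TABLE_ATTR` is filled lazily per class, as its name and the per-column `read` flag suggest, a class whose attribute table has not been built yet contributes an empty whitelist and every search on that type returns 400 until the process restarts, so this is worth confirming or computing the list on first use instead. The `|| {}` below only turns that case from a runtime error into an empty list; it does not fix it.

```perl
# … unchanged: enclosing <%ONCE> … </%ONCE> tags …
my %never_searchable = map { $_ => 1 } qw(password);   # extend with any other secret-bearing column
my %search_whitelist;
for my $type (qw(queue user group)) {
    my $attrs = $RT::Record::_TABLE_ATTR->{ 'RT::' . ucfirst $type } || {};
    $search_whitelist{$type} = {
        map  { lc $_ => 1 }
        grep { $attrs->{$_}{read} && !$never_searchable{ lc $_ } }
        keys %$attrs
    };
}
```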

-----------------------------------------------------------------------

