[Rt-commit] rt branch, 4.2/rest-search-refactor, updated. rt-4.0.1-240-g862b6b8
sunnavy at bestpractical.com
Tue Jun 28 10:58:31 EDT 2011
The branch, 4.2/rest-search-refactor has been updated
via 862b6b8f3a75128b9ab37447c28fc3aa9e8edc93 (commit)
from 9f76037b39e2731dc7d056ecb0c55ddc795fd789 (commit)
Summary of changes:
share/html/REST/1.0/search/dhandler | 34 +++++++++++++++++++++++++++++-----
1 files changed, 29 insertions(+), 5 deletions(-)
- Log -----------------------------------------------------------------
commit 862b6b8f3a75128b9ab37447c28fc3aa9e8edc93
Author: sunnavy <sunnavy at bestpractical.com>
Date: Tue Jun 28 22:29:15 2011 +0800
whitelist of restful search fields
this is safer than the previous blacklist, which only rejected the hard-coded "password" field
diff --git a/share/html/REST/1.0/search/dhandler b/share/html/REST/1.0/search/dhandler
index 7cc4669..118867b 100755
--- a/share/html/REST/1.0/search/dhandler
+++ b/share/html/REST/1.0/search/dhandler
@@ -136,12 +136,14 @@ if ( $type =~ /^(ticket|queue|user|group)$/i ) {
goto OUTPUT;
}
+ if ( ! $search_whitelist{$type}{lc $field} ) {
+ $status = "400 Bad Request";
+ $output = "Invalid field specification: $field";
+ goto OUTPUT;
+ }
+
+
if ( $field && $op && defined $value ) {
- if ( $type eq 'user' && $field =~ /password/i ) {
- $status = "400 Bad Request";
- $output = "Invalid field specification: $field";
- goto OUTPUT;
- }
$objects->Limit(
FIELD => $field,
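Review bot: The new whitelist lookup keys on `$type` verbatim, while the enclosing `if` (its opening line is the hunk header and the block continues past the hunk) matches `$type` case-insensitively and the `%search_whitelist` keys are lowercase, so a type spelled `User` or `QUEUE` would have every field rejected with 400. The check is also placed before the `$field && $op && defined $value` guard, so `lc $field` runs on an undefined `$field` (a warning) and lines that previously fell through that guard now fail as an invalid field specification. I would move the check inside the guard, where the removed password test lived, and normalize the key: `if ( !$search_whitelist{lc $type}{lc $field} ) {`. Note too that `ticket` is accepted by the enclosing match but has no whitelist entry; if ticket searches reach this branch (I cannot tell from the hunk) they would all be rejected.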
@@ -239,3 +241,25 @@ OUTPUT:
$m->out("RT/". $RT::VERSION . " " . $status ."\n\n");
$m->out($output );
</%INIT>
+
+<%ONCE>
+my %search_whitelist = (
+ queue => {
+ map { lc $_ => 1 }
+ grep { $RT::Record::_TABLE_ATTR->{'RT::Queue'}{$_}{read} }
+ keys %{ $RT::Record::_TABLE_ATTR->{'RT::Queue'} }
+ },
+ user => {
+ map { lc $_ => 1 }
+ grep { $RT::Record::_TABLE_ATTR->{'RT::User'}{$_}{read} }
+ keys %{ $RT::Record::_TABLE_ATTR->{'RT::User'} }
+ },
+ group => {
+ map { lc $_ => 1 }
+ grep { $RT::Record::_TABLE_ATTR->{'RT::Group'}{$_}{read} }
+ keys %{ $RT::Record::_TABLE_ATTR->{'RT::Group'} }
+ }
+);
+
+</%ONCE>
+
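Review bot: Building the whitelist from `$RT::Record::_TABLE_ATTR` couples this component to a private structure, and since the commit removes the only explicit `password` rejection, safety now rests entirely on `RT::User`'s `Password` column carrying a false `read` flag — a test asserting `!$search_whitelist{user}{password}` (and the same for any other credential-like column) would pin that down. If `_TABLE_ATTR` is populated lazily on first accessor use, evaluating it in `<%ONCE>` can snapshot an empty map for a class not yet touched in this process, which would silently turn every search on that type into a 400 for the life of the process; a public accessor on the record class, if this tree has one, avoids both issues. As a matter of style the three near-identical map/grep stanzas can be one loop over a type-to-class table, which also guards against a missing class entry.
```perl
my %search_whitelist;
my %class_for = ( queue => 'RT::Queue', user => 'RT::User', group => 'RT::Group' );
for my $type ( keys %class_for ) {
    my $attr = $RT::Record::_TABLE_ATTR->{ $class_for{$type} } || {};
    $search_whitelist{$type} = { map { lc $_ => 1 } grep { $attr->{$_}{read} } keys %$attr };
}
```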