[Rt-commit] rt branch, 4.0/whitelist-search-results, created. rt-4.0.6-254-g75a91cc

Kevin Falcone falcone at bestpractical.com
Mon Aug 13 18:17:58 EDT 2012


The branch, 4.0/whitelist-search-results has been created
        at  75a91cc3441fe1f71ea07d62a6dae4a5762b5562 (commit)

- Log -----------------------------------------------------------------
commit 75a91cc3441fe1f71ea07d62a6dae4a5762b5562
Author: Kevin Falcone <falcone at bestpractical.com>
Date:   Mon Aug 13 18:16:11 2012 -0400

    Whitelist Search/{Results.html,Simple.html}
    
    It's convenient to save or pass around links to search results rather
    than needing to save and share and then load the saved search.
    While there are potential issues here, it's much more user friendly
    to allow it.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 748caa3..93e19c6 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1179,6 +1179,13 @@ our %is_whitelisted_component = (
     # information for the search.  Because it's a straight-up read, in
     # addition to embedding its own auth, it's fine.
     '/NoAuth/rss/dhandler' => 1,
+
+    # While both of these can be used for denial-of-service against RT
+    # (construct a very inefficient query and trick lots of users into
+    # running them against RT) it's incredibly useful to be able to link
+    # to a search result or bookmark a result page.
+    '/Search/Results.html' => 1,
+    '/Search/Simple.html'  => 1,
 );
 
 sub IsCompCSRFWhitelisted {
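Review bot: the new comment above `'/Search/Results.html' => 1` names the denial-of-service trade-off but, unlike the `/NoAuth/rss/dhandler` entry just above it, does not state the property that actually justifies skipping the CSRF check: that these two components are a "straight-up read" with no state-changing side effects. Since `%is_whitelisted_component` is keyed on the component path alone, `IsCompCSRFWhitelisted` will bypass the check for every request to these paths regardless of parameters, so the comment (or the commit message) should record that Results.html and Simple.html must stay read-only, and a follow-up should consider bounding the cost of whitelisted searches so the "very inefficient query" case the comment describes is detectable and limited rather than simply accepted.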

-----------------------------------------------------------------------
