[Rt-commit] rt branch, 3.8-trunk, updated. rt-3.8.13-7-gd610b09

Alex Vandiver alexmv at bestpractical.com
Thu Aug 16 13:47:55 EDT 2012


The branch, 3.8-trunk has been updated
       via  d610b09e42590f9c42bc08701d76bded5ca0c65f (commit)
       via  f67496d413c779b3f017dff09a67d86cf5409c0f (commit)
      from  6db779ee3a81953f39d83b839d4b9a20314542e0 (commit)

Summary of changes:
 lib/RT/Interface/Web.pm | 4 ++++
 1 file changed, 4 insertions(+)

- Log -----------------------------------------------------------------
commit d610b09e42590f9c42bc08701d76bded5ca0c65f
Merge: 6db779e f67496d
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Thu Aug 16 13:47:26 2012 -0400

    Merge branch '3.8/csrf-whitelist-calpopup' into 3.8-trunk
    
    Conflicts:
    	lib/RT/Interface/Web.pm

diff --cc lib/RT/Interface/Web.pm
index e944d68,fc7ea38..798d26d
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@@ -1032,12 -1032,9 +1032,16 @@@ our %is_whitelisted_component = 
      # addition to embedding its own auth, it's fine.
      '/NoAuth/rss/dhandler' => 1,
  
+     # IE doesn't send referer in window.open()
+     # besides, as a harmless calendar select page, it's fine
+     '/Helpers/CalPopup.html' => 1,
++
 +    # While both of these can be used for denial-of-service against RT
 +    # (construct a very inefficient query and trick lots of users into
 +    # running them against RT) it's incredibly useful to be able to link
 +    # to a search result or bookmark a result page.
 +    '/Search/Results.html' => 1,
 +    '/Search/Simple.html'  => 1,
  );
  
  sub IsCompCSRFWhitelisted {
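Review bot: the comment justifying the two new '/Search/Results.html' and '/Search/Simple.html' whitelist entries gives only the usability reason and the DoS caveat; it should also state the property that actually makes them safe to exempt from the CSRF check, namely that these components are read-only and change no ticket, user or preference state on the request, so that anyone later adding write behaviour to those pages sees why doing so would reopen the hole. The '/Helpers/CalPopup.html' entry already follows this pattern ("harmless calendar select page"), so adding a matching sentence to the Search block keeps the whitelist self-documenting. Since the merge resolved a conflict in exactly this region of %is_whitelisted_component, it is also worth confirming that no pre-existing entry was dropped between the two added blocks.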

-----------------------------------------------------------------------

