[Rt-commit] rt branch, 3.8-trunk, updated. rt-3.8.13-7-gd610b09
Alex Vandiver
alexmv at bestpractical.com
Thu Aug 16 13:47:55 EDT 2012
The branch, 3.8-trunk has been updated
via d610b09e42590f9c42bc08701d76bded5ca0c65f (commit)
via f67496d413c779b3f017dff09a67d86cf5409c0f (commit)
from 6db779ee3a81953f39d83b839d4b9a20314542e0 (commit)
Summary of changes:
lib/RT/Interface/Web.pm | 4 ++++
1 file changed, 4 insertions(+)
- Log -----------------------------------------------------------------
commit d610b09e42590f9c42bc08701d76bded5ca0c65f
Merge: 6db779e f67496d
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Thu Aug 16 13:47:26 2012 -0400
Merge branch '3.8/csrf-whitelist-calpopup' into 3.8-trunk
Conflicts:
lib/RT/Interface/Web.pm
diff --cc lib/RT/Interface/Web.pm
index e944d68,fc7ea38..798d26d
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@@ -1032,12 -1032,9 +1032,16 @@@ our %is_whitelisted_component =
# addition to embedding its own auth, it's fine.
'/NoAuth/rss/dhandler' => 1,
+ # IE doesn't send referer in window.open()
+ # besides, as a harmless calendar select page, it's fine
+ '/Helpers/CalPopup.html' => 1,
++
+ # While both of these can be used for denial-of-service against RT
+ # (construct a very inefficient query and trick lots of users into
+ # running them against RT) it's incredibly useful to be able to link
+ # to a search result or bookmark a result page.
+ '/Search/Results.html' => 1,
+ '/Search/Simple.html' => 1,
);
sub IsCompCSRFWhitelisted {
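Review bot: the comment above `'/Helpers/CalPopup.html' => 1` justifies the exemption by the page being a harmless calendar select, but `%is_whitelisted_component` is keyed on path alone and nothing in the hunk records the invariant that an entry is only valid while the component performs no state change; consider extending that comment (or adding one above `sub IsCompCSRFWhitelisted`) to state that whitelisting bypasses the Referer check for every request to the component, so any later write path added to CalPopup.html, `/Search/Results.html` or `/Search/Simple.html` must remove the entry. The Search entries already spell out their denial-of-service trade-off; stating the same kind of condition for CalPopup.html makes the conflict resolution in this merge easier to audit.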
-----------------------------------------------------------------------