[Rt-commit] rt branch, 4.0/csrf-proof-ical-link, created. rt-4.0.7-38-g9a9fbca
Alex Vandiver
alexmv at bestpractical.com
Mon Aug 27 18:01:33 EDT 2012
The branch, 4.0/csrf-proof-ical-link has been created
at 9a9fbca3488e37de821fc09e10f888025cd03a1a (commit)
- Log -----------------------------------------------------------------
commit 9a9fbca3488e37de821fc09e10f888025cd03a1a
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Mon Aug 27 17:10:17 2012 -0400
Ensure that links generated by the iCal feed are CSRF whitelisted
The link to the ticket used http://hostname/?q=1234 instead of the more
canonical http://hostname/Ticket/Display.html?id=1234. As requests caused
by clicking on the iCal link most probably come without proper referrer,
and /?q=1234 isn't whitelisted, such requests would get the CSRF
interstitial.
Switch to the slightly longer, but properly whitelisted,
http://hostname/Ticket/Display.html?id=1234 URL.
diff --git a/share/html/NoAuth/iCal/dhandler b/share/html/NoAuth/iCal/dhandler
index c86f4cf..0e9e812 100644
--- a/share/html/NoAuth/iCal/dhandler
+++ b/share/html/NoAuth/iCal/dhandler
@@ -94,7 +94,7 @@ while (my $t = $tickets->Next) {
my $start = Data::ICal::Entry::Event->new;
my $end = Data::ICal::Entry::Event->new;
$_->add_properties(
- url => RT->Config->Get('WebURL') . "?q=".$t->id,
+ url => RT->Config->Get('WebURL') . "Ticket/Display.html?id=".$t->id,
organizer => $t->OwnerObj->Name,
dtstamp => $now->iCal,
created => $t->CreatedObj->iCal,
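Review bot: the new `url` value appends "Ticket/Display.html?id=" directly to RT->Config->Get('WebURL') with no separator, so it depends on WebURL ending in a trailing slash; the old "?q=" form still produced a usable URL without one, whereas the new form would yield http://hostnameTicket/Display.html. That matches RT's documented WebURL convention, but it is a new dependency for this file, and the hunk only changes the generated link, not the whitelist the commit message relies on, so a test that fetches the iCal feed and asserts the ticket `url` equals WebURL . "Ticket/Display.html?id=" . $t->id (and passes the CSRF check with no Referer) would pin both the link format and the whitelisting behaviour.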
-----------------------------------------------------------------------
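The failure mode the commit message describes (a parameterised GET that arrives with no Referer and whose path is not whitelisted gets the CSRF interstitial) as an added example. This is a constructed Python model written for this page, not RT's Perl implementation; the whitelist, the WebURL value and the helper names are assumptions that follow only what the commit message states about /Ticket/Display.html and the bare /?q= shortcut.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed model of a referer-based CSRF gate with a whitelist of safe
# GET paths. Not RT's code: names, whitelist and sample URLs are assumptions
# derived from the commit message above.

WEB_URL = "http://hostname/"  # assumed WebURL, following RT's trailing-slash convention

# Display-only pages: a parameterised GET reached from outside (mail client,
# calendar entry) with no Referer is safe to serve without the interstitial.
SAFE_PATHS = frozenset({"/Ticket/Display.html"})


def same_origin(referer, web_url=WEB_URL):
    """True when the Referer points at this RT instance (scheme and host match)."""
    if not referer:
        return False
    r, w = urlsplit(referer), urlsplit(web_url)
    return (r.scheme, r.netloc) == (w.scheme, w.netloc)


def csrf_decision(url, referer=None, web_url=WEB_URL):
    """Return "allow" or "interstitial" for a GET of `url`.

    Order of checks mirrors the reasoning in the commit message:
    1. a request carrying no parameters cannot smuggle an action;
    2. a whitelisted display path is safe regardless of Referer;
    3. otherwise the request must originate from a same-origin page.
    """
    parts = urlsplit(url)
    if not parse_qs(parts.query):
        return "allow"
    if parts.path in SAFE_PATHS:
        return "allow"
    if same_origin(referer, web_url):
        return "allow"
    return "interstitial"


def ical_ticket_url(ticket_id, web_url=WEB_URL, old=False):
    """Build the ticket link the way the hunk does before (old=True) and after the change."""
    if old:
        return web_url + "?q=" + str(ticket_id)
    return web_url + "Ticket/Display.html?id=" + str(ticket_id)


if __name__ == "__main__":
    # A click from a calendar client sends no Referer, so referer=None.
    for old in (True, False):
        link = ical_ticket_url(1234, old=old)
        print(f"{'old' if old else 'new'} {link}: {csrf_decision(link)}")
```

Running the block shows the old /?q=1234 link stopped at the interstitial and the new /Ticket/Display.html?id=1234 link allowed through; the same /?q= link is allowed when the Referer is a same-origin page, which is why the shortcut works from inside the web UI but not from a calendar entry.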
More information about the Rt-commit
mailing list