[Rt-commit] rt branch, 4.0/allow-any-results-param-by-csrf, created. rt-4.0.10-73-g2123fcb
Thomas Sibley
trs at bestpractical.com
Thu Mar 7 20:45:57 EST 2013
The branch, 4.0/allow-any-results-param-by-csrf has been created
at 2123fcb6936ea4ada5f76aab1a8d60207b3615c7 (commit)
- Log -----------------------------------------------------------------
commit 2123fcb6936ea4ada5f76aab1a8d60207b3615c7
Author: Thomas Sibley <trs at bestpractical.com>
Date: Thu Mar 7 17:29:59 2013 -0800
An invalid "results=" parameter is not a CSRF threat
Since results keys are removed from the session once they're used,
refreshing a page with a results= parameter would throw up the CSRF
interstitial. That behaviour is almost as bad as a browser asking if
you want to resubmit the POST data on refresh, which is the reason for
the MaybeRedirectForResults() framework in the first place.
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 7442272..f8261c4 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1292,10 +1292,8 @@ sub IsCompCSRFWhitelisted {
# record.
delete $args{id};
- # If they have a valid results= from MaybeRedirectForResults, that's
- # also fine.
- delete $args{results} if $args{results}
- and $HTML::Mason::Commands::session{"Actions"}->{$args{results}};
+ # If they have a results= from MaybeRedirectForResults, that's also fine.
+ delete $args{results};
# The homepage refresh, which uses the Refresh header, doesn't send
# a referer in most browsers; whitelist the one parameter it reloads
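Review bot: the new unconditional `delete $args{results};` whitelists every results= value, not only ones that resolve to a stored action, and the shortened comment no longer says why that is safe. Since the parameter is only used as a key into `$HTML::Mason::Commands::session{"Actions"}` (as the removed check shows) and a stale or unknown key selects nothing, the comment should carry that rationale so the next reader does not mistake this for a weakening of the CSRF check, e.g. `# Any results= value is fine: it only selects a session entry and is harmless if none exists.`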
-----------------------------------------------------------------------