[Rt-commit] rt branch, 4.0/allow-any-results-param-by-csrf, created. rt-4.0.10-73-g2123fcb

Thomas Sibley trs at bestpractical.com
Thu Mar 7 20:45:57 EST 2013


The branch, 4.0/allow-any-results-param-by-csrf has been created
        at  2123fcb6936ea4ada5f76aab1a8d60207b3615c7 (commit)

- Log -----------------------------------------------------------------
commit 2123fcb6936ea4ada5f76aab1a8d60207b3615c7
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Thu Mar 7 17:29:59 2013 -0800

    An invalid "results=" parameter is not a CSRF threat
    
    Since results keys are removed from the session once they're used,
    refreshing a page with a results= parameter would throw up the CSRF
    interstitial.  That behaviour is almost as bad as a browser asking if
    you want to resubmit the POST data on refresh, which is the reason for
    the MaybeRedirectForResults() framework in the first place.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 7442272..f8261c4 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1292,10 +1292,8 @@ sub IsCompCSRFWhitelisted {
     # record.
     delete $args{id};
 
-    # If they have a valid results= from MaybeRedirectForResults, that's
-    # also fine.
-    delete $args{results} if $args{results}
-        and $HTML::Mason::Commands::session{"Actions"}->{$args{results}};
+    # If they have a results= from MaybeRedirectForResults, that's also fine.
+    delete $args{results};
 
     # The homepage refresh, which uses the Refresh header, doesn't send
     # a referer in most browsers; whitelist the one parameter it reloads

-----------------------------------------------------------------------
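The refresh problem described in the commit message, as an added stand-alone example that is not RT's code: a constructed session hash plays the role of `$HTML::Mason::Commands::session{"Actions"}`, `stash_results` stands in for `MaybeRedirectForResults`, and `whitelisted_old`/`whitelisted_new` reduce `IsCompCSRFWhitelisted` to the one line that changed. The `id` whitelist entry and the `Status` parameter are assumptions for illustration only.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the Mason session. RT keeps one-shot action
# messages under $session{Actions}{<key>} (assumption based on the diff).
my %session = ( Actions => {} );
my $counter = 0;

# Stand-in for MaybeRedirectForResults: stash the action's results under a
# fresh key and return the key that the redirect URL carries as results=.
sub stash_results {
    my @results = @_;
    my $key = sprintf "%d-%d", time(), ++$counter;
    $session{Actions}{$key} = [@results];
    return $key;
}

# Stand-in for the page consuming results=: the key is one-shot and is
# removed from the session as soon as it is read.
sub take_results {
    my ($key) = @_;
    return delete $session{Actions}{$key};
}

# Parameters always ignored for the CSRF decision (hypothetical list;
# the real one lives in RT's IsCompCSRFWhitelisted).
my %always_ok = map { $_ => 1 } qw(id);

# Old behaviour: results= is only stripped while its key is still live.
sub whitelisted_old {
    my %args = @_;
    delete $args{$_} for keys %always_ok;
    delete $args{results} if $args{results}
        and $session{Actions}{ $args{results} };
    return scalar(keys %args) == 0 ? 1 : 0;   # 0 => show the interstitial
}

# New behaviour (this commit): results= is stripped unconditionally.
sub whitelisted_new {
    my %args = @_;
    delete $args{$_} for keys %always_ok;
    delete $args{results};
    return scalar(keys %args) == 0 ? 1 : 0;
}

my $key = stash_results("Ticket updated");

# First GET after the redirect: the key is live, both versions allow it.
printf "first load   old=%d new=%d\n",
    whitelisted_old(results => $key), whitelisted_new(results => $key);

take_results($key);   # rendering the page consumes the key

# Browser refresh of the same URL: the key is gone. The old check now
# fails and throws up the CSRF interstitial; the new one lets it through.
printf "refresh      old=%d new=%d\n",
    whitelisted_old(results => $key), whitelisted_new(results => $key);

# Any parameter that actually does something still fails both versions,
# so a forged results= buys an attacker nothing.
printf "extra param  old=%d new=%d\n",
    whitelisted_old(results => $key, Status => 'deleted'),
    whitelisted_new(results => $key, Status => 'deleted');
```

Running it prints `old=1 new=1` for the first load, `old=0 new=1` for the refresh, and `old=0 new=0` once any other parameter is present, which is the point of the change: `results=` is a pure session lookup, so its presence never needs to count against the request, while everything else is still judged.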

