[Rt-commit] rt branch, 4.2/csrf-whitelist, created. rt-4.2.11-38-g28d3882
Dustin Graves
dustin at bestpractical.com
Mon Aug 3 16:44:48 EDT 2015
The branch, 4.2/csrf-whitelist has been created
at 28d388288fa67217aa801e27cd63044182470f86 (commit)
- Log -----------------------------------------------------------------
commit 28d388288fa67217aa801e27cd63044182470f86
Author: Dustin Graves <dustin at bestpractical.com>
Date: Mon Aug 3 16:40:24 2015 -0400
add CSRF whitelist for component parameters
in particular, /Search/Build.html param SavedSearchLoad is whitelisted,
but not other parameters
Fixes: I#31090
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 413c165..b633aaf 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1376,6 +1376,10 @@ our %is_whitelisted_component = (
'/Ticket/ShowEmailRecord.html' => 1,
);
+our %is_whitelisted_component_parameter = (
+ '/Search/Build.html' => { 'SavedSearchLoad' => 1 },
+);
+
# Components which are blacklisted from automatic, argument-based whitelisting.
# These pages are not idempotent when called with just an id.
our %is_blacklisted_component = (
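Review bot: the new `%is_whitelisted_component_parameter` hash lacks the explanatory comment that its neighbours (`%is_whitelisted_component`, `%is_blacklisted_component`) carry. Add a short comment above it stating the contract: only parameters listed here are dropped from the CSRF argument check, and a parameter belongs here only if the component's handling of it is idempotent (no state change from merely loading the page with that argument), since a whitelisted parameter is treated as if it were absent when deciding whether the request is safe.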
@@ -1437,6 +1441,12 @@ sub IsCompCSRFWhitelisted {
# in the session related to which interface you get.
delete $args{NotMobile};
+ # Whitelist compontent parameters
+ my %is_whitelisted_arg = %{$is_whitelisted_component_parameter{$comp}};
+ for my $arg (keys %is_whitelisted_arg) {
+ delete $args{$arg} if $is_whitelisted_arg{$arg};
+ }
+
# If there are no arguments, then it's likely to be an idempotent
# request, which are not susceptible to CSRF
return 1 if !%args;
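Review bot: `%{$is_whitelisted_component_parameter{$comp}}` dereferences `undef` for every component that has no entry in the hash, which under `use strict` dies with "Can't use an undefined value as a HASH reference" and would break `IsCompCSRFWhitelisted` for all pages except `/Search/Build.html`. Guard the lookup, e.g. `my %is_whitelisted_arg = %{ $is_whitelisted_component_parameter{$comp} || {} };`. While here, fix the typo "compontent" in the comment, and note that deleting a whitelisted argument makes a request carrying only that argument fall through to the "no arguments, likely idempotent" path, so the whitelist entry doubles as an assertion that `SavedSearchLoad` causes no state change; that assumption is worth stating next to the hash definition.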
-----------------------------------------------------------------------