[Rt-commit] rt branch, 4.2/csrf-whitelist, updated. rt-4.2.11-41-gde7a29d
Dustin Graves
dustin at bestpractical.com
Wed Aug 5 11:20:55 EDT 2015
The branch, 4.2/csrf-whitelist has been updated
via de7a29d9e27f37694110f5c8b509275681dc6185 (commit)
via db4f98c31e96e5f207f6d738d51f5fb0806353a1 (commit)
from 08a838ec750686805515207dcfb01760ad441719 (commit)
Summary of changes:
lib/RT/Interface/Web.pm | 6 +++---
t/web/csrf.t | 21 +++++++++++++++++++++
2 files changed, 24 insertions(+), 3 deletions(-)
- Log -----------------------------------------------------------------
commit db4f98c31e96e5f207f6d738d51f5fb0806353a1
Author: Dustin Graves <dustin at bestpractical.com>
Date: Wed Aug 5 10:58:23 2015 -0400
Made expression idiomatic
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 8edadd1..f96567f 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1396,6 +1396,8 @@ our @global_whitelisted_args = (
);
our %whitelisted_component_args = (
+ # This happens when you middle-(or ⌘ )-click "Edit" for a saved search on
+ # the homepage. It's not going to do any damage
'/Search/Build.html' => ['SavedSearchLoad'],
);
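Review bot: The comment on the new `%whitelisted_component_args` entry justifies the whitelist by how the request arises (middle-clicking "Edit") rather than by what makes it safe, which is what the next person adding an entry needs to know: any parameter listed here is exempt from the CSRF interstitial for that component, so the entry is only safe if handling `SavedSearchLoad` is free of side effects an attacker-supplied link could exploit. I would replace the second sentence with `# Safe to exempt only because loading a saved search is read-only for the user's data; any param added here bypasses the CSRF check for that component, so justify each entry.` If loading a search does write session state (e.g. the current search), say so explicitly rather than "not going to do any damage". The hash is closed at L28 but the surrounding declarations continue outside the hunk.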
@@ -1453,9 +1455,7 @@ sub AreCompCSRFParametersWhitelisted {
my %leftover_args = %{ $ARGS };
# Join global whitelist and component-specific whitelist
- my @whitelisted_args = @global_whitelisted_args;
- my $whitelisted_component_args_ref = $whitelisted_component_args{$sub};
- @whitelisted_args = (@whitelisted_args, @{$whitelisted_component_args_ref}) if $whitelisted_component_args_ref;
+ my @whitelisted_args = (@global_whitelisted_args, @{ $whitelisted_component_args{$sub} || [] });
for my $arg (@whitelisted_args) {
delete $leftover_args{$arg};
commit de7a29d9e27f37694110f5c8b509275681dc6185
Author: Dustin Graves <dustin at bestpractical.com>
Date: Wed Aug 5 11:20:32 2015 -0400
Added unit tests
diff --git a/t/web/csrf.t b/t/web/csrf.t
index 9d95d06..fe18886 100644
--- a/t/web/csrf.t
+++ b/t/web/csrf.t
@@ -176,5 +176,26 @@ like($m->response->request->uri, qr{^http://[^/]+\Q/SelfService/Create.html\E\?C
$m->title_is('Create a ticket');
$m->content_contains('Describe the issue below:');
+my $searchBuildPath = '/Search/Build.html';
+# CSRF whitelist for /Search/Build.html param SavedSearchLoad
+$m->get_ok("$searchBuildPath?SavedSearchLoad=foo");
+$m->content_lacks('Possible cross-site request forgery');
+$m->title_is('Find tickets');
+
+# CSRF pass for /Search/Build.html no param
+$m->get_ok("$searchBuildPath");
+$m->content_lacks('Possible cross-site request forgery');
+$m->title_is('Find tickets');
+
+# CSRF fail for /Search/Build.html arbitrary param only
+$m->get_ok("$searchBuildPath?foo=bar");
+$m->content_contains('Possible cross-site request forgery');
+$m->title_is('Possible cross-site request forgery');
+
+# CSRF fail for /Search/Build.html arbitrary param with SavedSearchLoad
+$m->get_ok("$searchBuildPath?SavedSearchLoad=foo&foo=bar");
+$m->content_contains('Possible cross-site request forgery');
+$m->title_is('Possible cross-site request forgery');
+
undef $m;
done_testing;
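Review bot: The new assertions cover the whitelist on `/Search/Build.html` but nothing checks that the exemption is scoped to that component, so a regression that promoted `SavedSearchLoad` into the global whitelist would still pass. Add one negative case on a component the earlier assertions in this file already show being blocked for an unexpected parameter, along the lines of `# SavedSearchLoad is only whitelisted for /Search/Build.html`, `$m->get_ok("/Other/Page.html?SavedSearchLoad=foo");`, `$m->content_contains('Possible cross-site request forgery');`, substituting a path known to be CSRF-checked. Note also that `foo` is not a real saved search id, so these tests exercise only the whitelist branch and not a successful load; that is fine for a CSRF test but worth saying in the comment at L50.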