[Rt-commit] rt branch, 4.2/csrf-whitelist, repushed

Dustin Graves dustin at bestpractical.com
Thu Aug 6 09:52:11 EDT 2015


The branch 4.2/csrf-whitelist was deleted and repushed:
       was b48c4ae85ab366be51ebc40e8165070fdd557924
       now 583a6f47013ee172daee71af82523b60ca8eacfe

1:  b48c4ae ! 1:  583a6f4 add CSRF whitelist for component parameters
    @@ -16,11 +16,20 @@
     --- a/lib/RT/Interface/Web.pm
     +++ b/lib/RT/Interface/Web.pm
     @@
    +     return grep { $_ and -d $_ } @static;
    + }
    + 
    +-our %is_whitelisted_component = (
    ++our %IS_WHITELISTED_COMPONENT = (
    +     # The RSS feed embeds an auth token in the path, but query
    +     # information for the search.  Because it's a straight-up read, in
    +     # addition to embedding its own auth, it's fine.
    +@@
          '/Ticket/ShowEmailRecord.html' => 1,
      );
      
     +# Whitelist arguments that do not indicate an effectful request.
    -+our @global_whitelisted_args = (
    ++our @GLOBAL_WHITELISTED_ARGS = (
     +    # For example, "id" is acceptable because that is how RT retrieves a
     +    # record.
     +    'id',
    @@ -38,7 +47,7 @@
     +    'NotMobile',
     +);
     +
    -+our %whitelisted_component_args = (
    ++our %WHITELISTED_COMPONENT_ARGS = (
     +    # SavedSearchLoad - This happens when you middle-(or ⌘ )-click "Edit" for a saved search on
     +    # the homepage. It's not going to do any damage
     +    # NewQuery - This is simply to clear the search query
    @@ -52,7 +61,29 @@
     +
      # Components which are blacklisted from automatic, argument-based whitelisting.
      # These pages are not idempotent when called with just an id.
    - our %is_blacklisted_component = (
    +-our %is_blacklisted_component = (
    ++our %IS_BLACKLISTED_COMPONENT = (
    +     # Takes only id and toggles bookmark state
    +     '/Helpers/Toggle/TicketBookmark' => 1,
    + );
    +@@
    +     my $comp = shift;
    +     my $ARGS = shift;
    + 
    +-    return 1 if $is_whitelisted_component{$comp};
    ++    return 1 if $IS_WHITELISTED_COMPONENT{$comp};
    + 
    +     my %args = %{ $ARGS };
    + 
    +@@
    + 
    +     # Some pages aren't idempotent even with safe args like id; blacklist
    +     # them from the automatic whitelisting below.
    +-    return 0 if $is_blacklisted_component{$comp};
    ++    return 0 if $IS_BLACKLISTED_COMPONENT{$comp};
    + 
    +     if ( my %csrf_config = RT->Config->Get('ReferrerComponents') ) {
    +         my $value = $csrf_config{$comp};
     @@
              }
          }
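Review bot: The header comment on `%IS_BLACKLISTED_COMPONENT` does not state its precedence relative to `%IS_WHITELISTED_COMPONENT`, and the order matters for this control: `return 1 if $IS_WHITELISTED_COMPONENT{$comp};` runs before `return 0 if $IS_BLACKLISTED_COMPONENT{$comp};`, so a component present in both hashes is treated as whitelisted and the blacklist only cuts off the argument-based path below it. Suggest adding under the existing two comment lines: `# Checked after %IS_WHITELISTED_COMPONENT, so an explicit whitelist entry wins.`. The enclosing function's header and the rest of its body are outside this hunk.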
    @@ -80,7 +111,7 @@
     -    # in the session related to which interface you get.
     -    delete $args{NotMobile};
     +    # Join global whitelist and component-specific whitelist
    -+    my @whitelisted_args = (@global_whitelisted_args, @{ $whitelisted_component_args{$sub} || [] });
    ++    my @whitelisted_args = (@GLOBAL_WHITELISTED_ARGS, @{ $WHITELISTED_COMPONENT_ARGS{$sub} || [] });
      
     -    # If there are no arguments, then it's likely to be an idempotent
     -    # request, which are not susceptible to CSRF


