[Rt-commit] rt branch, 4.2/referrer-comp-config, created. rt-4.2.11-35-g5f01499
sunnavy
sunnavy at bestpractical.com
Tue Jul 7 12:10:48 EDT 2015
The branch, 4.2/referrer-comp-config has been created
at 5f014996c6da4138a1576006b8664cd838196a7c (commit)
- Log -----------------------------------------------------------------
commit 5f014996c6da4138a1576006b8664cd838196a7c
Author: sunnavy <sunnavy at bestpractical.com>
Date: Tue Jul 7 23:59:48 2015 +0800
new config %ReferrerComponents to customize referrer checking behavior
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index a519802..fd9e971 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -2062,6 +2062,23 @@ Simple wildcards, similar to SSL certificates, are allowed. For example:
Set(@ReferrerWhitelist, qw());
+=item C<%ReferrerComponents>
+
+C<%ReferrerComponents> is the hash to customize referrer checking behavior when
+C<$RestrictReferrer> is enabled, where you can whitelist or blacklist the
+components along with their query args. e.g.
+
+ Set( %ReferrerComponents,
+ ( '/Foo.html' => 1, '/Bar.html' => 0, '/Baz.html' => [ 'id', 'results' ] )
+ );
+
+With this, '/Foo.html' will be whitelisted, and '/Bar.html' will be blacklisted.
+'/Baz.html' with id/results query arguments will be whitelisted but blacklisted
+if there are other query arguments.
+
+=cut
+
+Set( %ReferrerComponents );
=item C<$BcryptCost>
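Review bot: the new POD under =item C<%ReferrerComponents> leaves the unlisted case undocumented. It explains the values 1, 0 and an arrayref, but not what happens to a component that has no entry once the hash is non-empty, nor that an empty arrayref (`[]`) means the component is accepted only when the request carries no query arguments at all. Since the shipped default `Set( %ReferrerComponents );` is empty and this hash is consulted from IsCompCSRFWhitelisted, a sentence such as "Components not listed here are handled by RT's built-in whitelisting" (if that is the intended behaviour) would keep administrators from unintentionally locking every other component out the moment they add one entry. It would also help to say explicitly that the keys are component paths (as in the `'/Foo.html'` example) and that this setting is separate from the host-based `@ReferrerWhitelist` directly above it, since the name suggests otherwise. Minor: the trailing "e.g." should read "for example:" to match the surrounding POD.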
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 126709f..413c165 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1409,6 +1409,17 @@ sub IsCompCSRFWhitelisted {
# them from the automatic whitelisting below.
return 0 if $is_blacklisted_component{$comp};
+ if ( my %csrf_config = RT->Config->Get('ReferrerComponents') ) {
+ my $value = $csrf_config{$comp};
+ if ( ref $value eq 'ARRAY' ) {
+ delete $args{$_} for @$value;
+ return %args ? 0 : 1;
+ }
+ else {
+ return $value ? 1 : 0;
+ }
+ }
+
# Eliminate arguments that do not indicate an effectful request.
# For example, "id" is acceptable because that is how RT retrieves a
# record.
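Review bot: the `else` branch ending in `return $value ? 1 : 0;` treats a component that is merely absent from %ReferrerComponents the same as one explicitly set to 0: `$csrf_config{$comp}` is undef for any unlisted component, so as soon as an administrator lists a single component, every other component is reported as not whitelisted and never reaches the argument-stripping logic that follows ("Eliminate arguments that do not indicate an effectful request"). Handle only the explicit cases and let the rest fall through, for example `elsif ( defined $value ) { return $value ? 1 : 0; }`, or test `exists $csrf_config{$comp}` before entering the branch. Two smaller points: `delete $args{$_} for @$value;` mutates %args, so confirm that %args is the sub's own copy of the request arguments rather than the caller's hash; and since an explicit 0 and a missing key are meant to differ, a test covering the unlisted-component case would pin the intended behaviour.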
-----------------------------------------------------------------------