[Rt-commit] rt branch, master, updated. rt-4.2.12-339-g542efdf

sunnavy sunnavy at bestpractical.com
Wed Oct 28 12:54:15 EDT 2015


The branch, master has been updated
       via  542efdf97687b55ee537cbeb4892a12b036bf386 (commit)
      from  74a0e871f11dfad2d17c0d8c0e3091f15856175f (commit)

Summary of changes:
 lib/RT/Interface/Web.pm | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

- Log -----------------------------------------------------------------
commit 542efdf97687b55ee537cbeb4892a12b036bf386
Author: Matt Zagrabelny <mzagrabe at d.umn.edu>
Date:   Tue Oct 27 11:17:23 2015 -0500

    fix CSRF check overzealousness when using ReferrerComponents
    
    When using the RT_Config setting, ReferrerComponents, there existed a bug
    when you clicked on an RT link for a component that wasn't defined in
    the ReferrerComponents hash, the component was incorrectly flagged as
    being a CSRF. Before evaluating the contents of the ReferrerComponents
    hash, we need to ensure that our current component is defined in that
    hash.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 0ad27bb..7c89a61 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1451,13 +1451,15 @@ sub IsCompCSRFWhitelisted {
     return 0 if $IS_BLACKLISTED_COMPONENT{$comp};
 
     if ( my %csrf_config = RT->Config->Get('ReferrerComponents') ) {
-        my $value = $csrf_config{$comp};
-        if ( ref $value eq 'ARRAY' ) {
-            delete $args{$_} for @$value;
-            return %args ? 0 : 1;
-        }
-        else {
-            return $value ? 1 : 0;
+        if (exists $csrf_config{$comp}) {
+            my $value = $csrf_config{$comp};
+            if ( ref $value eq 'ARRAY' ) {
+                delete $args{$_} for @$value;
+                return %args ? 0 : 1;
+            }
+            else {
+                return $value ? 1 : 0;
+            }
         }
     }
 
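Review bot: the new `if (exists $csrf_config{$comp})` guard makes every component that is absent from ReferrerComponents fall through to the code after this block, which the hunk does not show, so the CSRF decision for those components now rests entirely on that later logic. A short comment above the guard saying so would help, as would a test (the summary lists only lib/RT/Interface/Web.pm as changed) covering three cases: component absent from the hash, present with an array of allowed arguments, and present with a false value. Note also that `exists` is true for a key explicitly set to undef, so such an entry still returns 0 here rather than falling through; if that is meant as an explicit deny, it deserves a line in the ReferrerComponents documentation. Style: the surrounding conditions are written with inner spaces, so `if ( exists $csrf_config{$comp} ) {` would match.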

-----------------------------------------------------------------------

