[Rt-commit] rt branch 5.0/fix-simple-search-csrf-path created. rt-5.0.2-258-g62a3ceeb01

BPS Git Server git at git.bestpractical.com
Tue May 31 14:24:47 UTC 2022


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 5.0/fix-simple-search-csrf-path has been created
        at  62a3ceeb010da919b93e3d254cb069c98ba60784 (commit)

- Log -----------------------------------------------------------------
commit 62a3ceeb010da919b93e3d254cb069c98ba60784
Author: Jason Crome <jcrome at bestpractical.com>
Date:   Tue May 31 10:08:28 2022 -0400

    Make simple search result refresh always function
    
    There is a circumstance in which simple search results cannot be
    refreshed. Doing a simple search and selecting a refresh interval always
    works, but the next simple search performed without changing the
    refresh interval will produce the error "There was an error parsing your
    search query..." This prevents that error from happening.
    
    Simple search uses share/html/Search/Results.html to
    display its results. When a refresh interval is selected, it is
    submitted as a form parameter to /Search/Results.html, and a CSRF token
    is generated for that request path. When the next simple search is
    performed, the search term is submitted to /Search/Simple.html, and a
    CSRF token is generated for that path. When the results auto-refresh,
    however, the path /Search/Results.html is what is refreshed, and that
    path doesn't match the path for the CSRF token, causing the error above.
    
    To handle this situation and others in the future like it,
    StoreRequestToken in lib/RT/Interface/Web.pm now takes an optional path
    parameter that can specify an alternate path to store in the token data.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index c58ba20758..3bd804fb3e 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1718,9 +1718,10 @@ sub StoreRequestToken {
 
     my $token = Digest::MD5::md5_hex(time . {} . $$ . rand(1024));
     my $user = $HTML::Mason::Commands::session{'CurrentUser'}->UserObj;
+    my $path = delete $ARGS->{ path } || $HTML::Mason::Commands::r->path_info;
     my $data = {
         auth => $user->GenerateAuthString( $token ),
-        path => $HTML::Mason::Commands::r->path_info,
+        path => $path,
         args => $ARGS,
     };
     if ($ARGS->{Attach}) {
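Review bot: The new `path` override is read from `$ARGS`, the same hash that carries the raw request parameters, so any request that happens to include a form field named `path` will now have that value consumed as the token path and removed from the `args` that are replayed, with no check that it is a path this application serves. Consider validating it (for example, require it to start with `/`) or documenting at the top of `StoreRequestToken` that `path` is a reserved, internal-only key, so that a future caller does not pass user input through unchanged. Minor style point: `$ARGS->{ path }` uses spaces inside the braces while the surrounding code writes `$ARGS->{Attach}`.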
diff --git a/share/html/Search/Results.html b/share/html/Search/Results.html
index 27737ec2b4..253842cc85 100644
--- a/share/html/Search/Results.html
+++ b/share/html/Search/Results.html
@@ -205,6 +205,7 @@ $session{$hash_name} = {
     OrderBy     => $OrderBy,
     RowsPerPage => $Rows,
     ObjectType  => $ObjectType,
+    path        => '/Search/Results.html',
 };
 
 
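Review bot: Adding `path` to `$session{$hash_name}` changes what every reader of that session entry sees, not only the CSRF token code, and the hunk itself does not show how this hash reaches `StoreRequestToken`; a one-line comment above the key saying it is consumed (and deleted) there would save the next reader a search, and it is worth confirming that other consumers of the hash ignore an unknown lowercase key among the CamelCase ones. The hard-coded literal `'/Search/Results.html'` also duplicates the component's own path; if the file is ever moved or mounted differently the two will silently diverge, so deriving it from the current component path where possible would be safer.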

-----------------------------------------------------------------------


hooks/post-receive
-- 
rt

