Commits on May 7, 2012
  1. Only enable CSRF argument stashing in refresh URL if CSRF is enabled

    alexmv committed May 7, 2012
    Not only is it only necessary if CSRF protections are on, but RT does
    not expand CSRF_Token unless RestrictReferrer is enabled.
Commits on May 5, 2012
  1. Teach RT->Config->Set() how to handle ReferrerWhitelist

    jibsheet committed May 5, 2012
    Without this, you can't push onto the list in ReferrerWhitelist
    because Set just assumes that the config option is a SCALAR.
Commits on May 4, 2012
  1. Set the refresh URL on ticket results to a CSRF-safe one

    alexmv committed May 4, 2012
    Unfortunately, browsers do not always provide a referrer when
    redirecting to a page by way of a <meta http-equiv="refresh">.  As such,
    automatic result refreshes trigger CSRF protections, as they request a
    complex URL with many query parameters, and no referrer.
    Work around this by generating a CSRF token which encodes the complete
    set of query parameters, and redirecting to that.  An unfortunate but
    unavoidable side effect of this is that the session is bloated by each
    of these sets of stored query parameters on each search result page that
    has a refresh set.
  2. Override $DECODED_ARGS with the (decoded) arguments from the CSRF token

    alexmv committed May 4, 2012
    The menuing code examines $m->request_args to determine some menu state.
    Unfortunately, when returning from a CSRF interstitial the args provided
    to the component have been inflated, but $m->request_args has not been,
    and will only be observed to have one argument, CSRF_Token.  While one
    could, during CSRF argument inflation, replace $m->request_args by
    reaching inside the object, this is not only naughty, but incorrect: the
    query parameters stored in the CSRF token are already-decoded
    parameters, while $m->request_args is expected to contain encoded
    The newly-introduced $DECODED_ARGS provides a centralized location which
    is expected to contain decoded parameters.  Replace calls to
    $m->request_args with $DECODED_ARGS, and ensure that the latter is
    updated when returning from a CSRF interstitial.
  3. Add a global argument which contains the decoded $m->request_args

    alexmv committed May 4, 2012
    Multiple locations in the code use $m->request_args to obtain
    information about the query parameters that were specified in the URL;
    however, the values recovered from this call are not utf8-decoded, which
    can lead to corrupted data.  Additionally, existing code may depend on
    $m->request_args being encoded, which prevents merely altering the data
    prior to its entry into Mason.
    Provide a global variable, $DECODED_ARGS, which provides the correct,
    decoded, query parameters.
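    The three May 4 commits above describe one mechanism: raw query
    parameters are utf8-decoded into a $DECODED_ARGS global, a search's
    decoded parameters are stashed server-side under a random token so the
    <meta http-equiv="refresh"> URL carries only CSRF_Token, and the returning
    request inflates them back into $DECODED_ARGS.  The script below is an
    added illustration of that flow, not RT's own code: the in-memory
    %session hash, the token format, the sample query string and the function
    names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not RT code.  Models the refresh-URL token stash and the
# decoded-arguments global described in the May 4, 2012 commit messages.
use strict;
use warnings;
use Encode qw(decode);

my %session;                 # stand-in for RT's server-side session store (assumption)
our $DECODED_ARGS = {};      # assumed global, modelled on RT's $DECODED_ARGS

# Split a query string into the undecoded byte strings that Mason's
# $m->request_args hands back (one value, or an arrayref for repeated keys).
sub parse_query_string {
    my ($qs) = @_;
    my %raw;
    for my $pair (grep { length } split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) {
            s/\+/ /g;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;   # still bytes, not characters
        }
        if (exists $raw{$k}) {
            $raw{$k} = [ (ref $raw{$k} ? @{ $raw{$k} } : $raw{$k}), $v ];
        } else {
            $raw{$k} = $v;
        }
    }
    return \%raw;
}

# Turn the byte strings into Perl character strings: this is the difference
# between $m->request_args and $DECODED_ARGS.
sub decode_args {
    my ($raw) = @_;
    my %decoded;
    for my $k (keys %$raw) {
        my $v = $raw->{$k};
        $decoded{ decode('UTF-8', $k) } = ref $v
            ? [ map { decode('UTF-8', $_) } @$v ]
            : decode('UTF-8', $v);
    }
    return \%decoded;
}

# 160 random bits from the kernel CSPRNG (assumes a Unix-like host).
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    read $fh, my $bytes, 20 or die "short read from /dev/urandom";
    return unpack 'H*', $bytes;
}

# Store the decoded parameters under a fresh token and return the URL the
# refresh should point at.  It carries only CSRF_Token, so a browser that
# omits the Referer on a meta refresh cannot trip the referrer check.
sub stash_args_for_refresh {
    my ($path, $args) = @_;
    my $token = new_token();
    $session{CSRF_stash}{$token} = { path => $path, args => $args };
    return "$path?CSRF_Token=$token";
}

# On the returning request, look the token up and replace $DECODED_ARGS
# with the stored set, so code reading it sees the real parameters rather
# than the lone CSRF_Token that $m->request_args would show.
sub inflate_from_token {
    my ($request_args) = @_;
    my $token = $request_args->{CSRF_Token};
    return undef unless defined $token;
    my $entry = $session{CSRF_stash}{$token}
        or die "unknown CSRF token\n";
    $DECODED_ARGS = { %{ $entry->{args} } };
    return $DECODED_ARGS;
}

# Constructed sample request: a search with a non-ASCII character in it.
my $raw     = parse_query_string('Query=Subject+LIKE+%27caf%C3%A9%27&Rows=50');
my $decoded = decode_args($raw);
die "expected 20 bytes vs 19 characters"
    unless length($raw->{Query}) == 20 && length($decoded->{Query}) == 19;

my $refresh_url = stash_args_for_refresh('/Search/Results.html', $decoded);
die "unexpected refresh URL: $refresh_url"
    unless $refresh_url =~ m{^/Search/Results\.html\?CSRF_Token=[0-9a-f]{40}$};

# The refreshed request arrives with only CSRF_Token, as $m->request_args would.
my ($token) = $refresh_url =~ /CSRF_Token=([0-9a-f]+)/;
inflate_from_token({ CSRF_Token => $token });
die "args not restored"
    unless $DECODED_ARGS->{Query} eq $decoded->{Query} && $DECODED_ARGS->{Rows} == 50;
print "refresh URL: $refresh_url\n";
```

    Nothing prunes %session{CSRF_stash} here either, which is the session
    growth the first May 4 commit accepts as the cost of this approach; a
    deployment that cares could expire entries on a timer or delete each
    token when it is redeemed.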
Commits on May 2, 2012
  1. Add a new ReferrerWhitelist config option

    jibsheet committed May 2, 2012
    This is a list of hostname:port that RT will accept HTTP_REFERER for.
    This is helpful if your RT has two hostnames or if you need to have auth
    from an external service that redirects back into RT.
  2. Switch to our so that extensions can whitelist components

    jibsheet committed May 2, 2012
    Also rename the variable because you're actually whitelisting a
    component, especially something like a dhandler which won't be in the
Commits on May 1, 2012
  1. Fix a simple typo

    jibsheet committed May 1, 2012
  1. Merge branch 'security/4.0-trunk' into 4.0-trunk

    alexmv committed Apr 26, 2012
  1. Safety-checking on classes loaded with `eval "require $class"`

    alexmv committed Apr 18, 2012
    While these close an arbitrary execution of code vulnerability, it
    required SuperUser privileges to exploit.  As SuperUsers already have
    the ability to run arbitrary code using Scrips, this vulnerability was
    primarily one of CSRF, which is closed by CSRF protection.  Regardless,
    validate the package names before they are inserted into the string
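    The check the commit above describes, as an added example rather than
    RT's own code: a class name taken from user-controlled data is matched
    against the shape of a Perl package name before it is interpolated into
    eval "require $class".  The regular expression and the function names are
    assumptions; Data::Dumper is used only because it is a core module that
    will load on any Perl.

```perl
#!/usr/bin/perl
# Added example, not RT code: refuse to interpolate anything but a
# well-formed package name into a string eval.
use strict;
use warnings;

# A package name is one or more identifiers joined by "::" and nothing else.
sub valid_package_name {
    my ($class) = @_;
    return defined $class
        && $class =~ /^[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*$/;
}

# Load $class only if its name passes validation.  Returns true on success
# and false otherwise, with $@ describing the failure in both failure cases.
sub safe_require {
    my ($class) = @_;
    unless (valid_package_name($class)) {
        $@ = 'Refusing to load badly-formed class name: '
           . (defined $class ? $class : 'undef');
        return 0;
    }
    return eval "require $class; 1" ? 1 : 0;
}

# A well-formed name that exists loads normally.
die "expected Data::Dumper to load: $@" unless safe_require('Data::Dumper');

# A well-formed name that does not exist fails cleanly inside require.
die "expected a clean require failure"
    unless !safe_require('RT::No::Such::Module') && $@ =~ /Can't locate/;

# Anything that is not a bare package name never reaches the string eval.
die "expected validation to reject the name"
    unless !safe_require('RT::Condition::AnyTransaction; die "injected"')
        && $@ =~ /badly-formed/;

print "class-name validation ok\n";
```

    As the commit message notes, the string eval was only reachable by
    SuperUsers, who can already run arbitrary code through Scrips, so the
    validation is defence in depth behind the CSRF protection; it does
    remove the class of bug rather than relying on who is allowed to submit
    the form.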
Commits on Apr 14, 2012
  1. Tell users and admins what Referrer we wanted

    jibsheet committed Apr 13, 2012
    This introduces a normalizing method we could use elsewhere in the Web
    code, as well as uses that code to hide the localhost->
    It also adds to the error string so that you know what RT was expecting.
    "RT's configured hostname" is the best we could do without explicitly
    stating WebBaseURL in a user facing error message.
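    An added example, not RT's own code, of what the May 2 ReferrerWhitelist
    commit and the Apr 14 "Tell users and admins what Referrer we wanted"
    commit above describe together: the Referer header and the configured
    WebBaseURL are both normalized to host:port, the request is accepted if
    the referrer matches WebBaseURL or any whitelist entry, and on rejection
    the caller is told which host:port was expected.  The function names, the
    treatment of a bare hostname as port 80, and the example hostnames are
    assumptions.

```perl
#!/usr/bin/perl
# Added example, not RT code: referrer normalization and whitelist check.
use strict;
use warnings;

# Reduce a URL, or a bare host[:port] as found in ReferrerWhitelist, to a
# canonical lowercase "host:port", filling in the scheme's default port.
sub normalize_host_port {
    my ($s) = @_;
    return undef unless defined $s;
    my ($scheme, $rest) = $s =~ m{^([A-Za-z][A-Za-z0-9+.-]*)://(.*)$}
        ? ($1, $2) : ('http', $s);
    $rest =~ s{[/?#].*$}{};    # drop path, query string and fragment
    $rest =~ s{^[^@]*@}{};     # drop any userinfo
    my ($host, $port);
    if ($rest =~ /^\[([^\]]+)\](?::(\d+))?$/) {          # IPv6 literal
        ($host, $port) = ($1, $2);
    } elsif ($rest =~ /^([^:\s]+)(?::(\d+))?$/) {
        ($host, $port) = ($1, $2);
    } else {
        return undef;
    }
    $port //= (lc($scheme) eq 'https' ? 443 : 80);
    return lc($host) . ":$port";
}

# Returns (1) when the referrer is acceptable, or (0, $expected) where
# $expected is the host:port RT would have accepted, for the error message.
# A request with no Referer at all is treated as suspect, which is what the
# refresh-URL commits work around.
sub check_referrer {
    my ($referer, $web_base_url, $whitelist) = @_;
    my $expected = normalize_host_port($web_base_url)
        or die "WebBaseURL is not a usable URL: $web_base_url";
    my %ok = map { ($_ => 1) }
             $expected,
             grep { defined } map { normalize_host_port($_) } @{ $whitelist || [] };
    return (0, $expected) unless defined $referer && length $referer;
    my $got = normalize_host_port($referer);
    return (1) if defined $got && $ok{$got};
    return (0, $expected);
}

# Constructed configuration: one base URL plus two whitelisted hosts.
my $base      = 'https://rt.example.com/';
my @whitelist = ('rt-alias.example.com:443', 'sso.example.com:8443');

die unless normalize_host_port('HTTPS://RT.Example.com/Search/Results.html?Rows=50')
    eq 'rt.example.com:443';
die unless normalize_host_port('rt-alias.example.com') eq 'rt-alias.example.com:80';
die unless !defined normalize_host_port('https://rt.example.com:notaport/');

my ($ok, $want) = check_referrer('https://rt.example.com/Ticket/Display.html?id=1',
                                 $base, \@whitelist);
die "same host should pass" unless $ok;

($ok, $want) = check_referrer('https://sso.example.com:8443/return', $base, \@whitelist);
die "whitelisted SSO host should pass" unless $ok;

# Same hostname but plain http: the port differs, so it is a different origin.
($ok, $want) = check_referrer('http://rt.example.com/', $base, \@whitelist);
die "http referrer should not match an https base" if $ok;
die unless $want eq 'rt.example.com:443';

($ok, $want) = check_referrer(undef, $base, \@whitelist);
die "missing referrer should be rejected" if $ok;
print "Possible cross-site request forgery: expected a Referer from $want\n";
```

    The last line is the shape of message the Apr 14 commit adds: telling the
    user which host:port was expected is enough to diagnose a second
    hostname or an external login redirect, without printing the full
    WebBaseURL in a user-facing error.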