Tag: rt-4.0.6rc3
Commits on May 7, 2012
  1. @alexmv

    Only enable CSRF argument stashing in refresh URL if CSRF is enabled

    alexmv authored
    Not only is it only necessary if CSRF protections are on, but RT does
    not expand CSRF_Token unless RestrictReferrer is enabled.
Commits on May 5, 2012
  1. Teach RT->Config->Set() how to handle ReferrerWhitelist

    Kevin Falcone authored
    Without this, you can't push onto the list in ReferrerWhitelist
    because Set just assumes that the config option is a SCALAR.
Commits on May 4, 2012
  1. @alexmv
  2. @alexmv
  3. @alexmv
  4. @alexmv

    Set the refresh URL on ticket results to a CSRF-safe one

    alexmv authored
    Unfortunately, browsers do not always provide a referrer when
    redirecting to a page by way of a <meta http-equiv="refresh">.  As such,
    automatic result refreshes trigger CSRF protections, as they request a
    complex URL with many query parameters, and no referrer.
    Work around this by generating a CSRF token which encodes the complete
    set of query parameters, and redirecting to that.  An unfortunate but
    unavoidable side effect of this is that the session is bloated by each
    of these sets of store query parameters on each search result page that
    has a refresh set.
  5. @alexmv
  6. @alexmv
  7. @alexmv

    Override $DECODED_ARGS with the (decoded) arguments from the CSRF token

    alexmv authored
    The menuing code examines $m->request_args to determine some menu state.
    Unfortunately, when returning from a CSRF interstitial the args provided
    to the component have been inflated, but $m->request_args has not been,
    and will only be observed to have one argument, CSRF_Token.  While one
    could, during CSRF argument inflation, replace $m->request_args by
    reaching inside the object, this is not only naughty, but incorrect: the
    query parameters stored in the CSRF token are already-decoded
    parameters, while $m->request_args is expected to contain encoded
    The newly-introduced $DECODED_ARGS provides a centralized location which
    is expected to contain decoded parameters.  Replace calls to
    $m->request_args with $DECODED_ARGS, and ensure that the latter is
    updated when returning from a CSRF interstitial.
  8. @alexmv

    Add a global argument which contains the decoded $m->request_args

    alexmv authored
    Multiple locations in the code use $m->request_args to obtain
    information about the query parameters that were specified in the URL;
    however, the values recovered from this call are not utf8-decoded, which
    can lead to corrupted data.  Additionally, existing code may depend on
    $m->request_args being encoded, which prevents merely altering the data
    prior to its entry into Mason.
    Provide a global variable, $DECODED_ARGS, which provides the correct,
    decoded, query parameters.
  9. @alexmv
  10. @alexmv
  11. @alexmv
Commits on May 2, 2012
  1. Document how to pull from the error into the config

    Kevin Falcone authored
  2. Add a new ReferrerWhitelist config option

    Kevin Falcone authored
    This is a list of hostname:port that RT will accept HTTP_REFERER for.
    This is helpful if your RT has two hostnames or if you need to have auth
    from an external service that redirects back into RT.
  3. Switch to our so that extensions can whitelist components

    Kevin Falcone authored
    Also rename the variable because you're actually whitelisting a
    component, especially something like a dhandler which won't be in the
Commits on May 1, 2012
  1. Fix a simple typo

    Kevin Falcone authored
Commits on Apr 30, 2012
Commits on Apr 26, 2012
  1. @alexmv

    Merge branch 'security/4.0-trunk' into 4.0-trunk

    alexmv authored
  2. @alexmv
  3. @alexmv
  4. @alexmv
Commits on Apr 25, 2012
  1. @alexmv
  2. Merge branch '4.0/redirect-web-url' into 4.0-trunk

    Kevin Falcone authored
  3. Merge branch '4.0/web-installer-warnings' into 4.0-trunk

    Kevin Falcone authored
  4. Merge branch '4.0/parallel-test-exit-code' into 4.0-trunk

    Kevin Falcone authored
  5. @tsibley
Commits on Apr 18, 2012
  1. @alexmv

    Safety-checking on classes loaded with `eval "require $class"`

    alexmv authored
    While these close an arbitrary execution of code vulnerability, it
    required SuperUser privileges to exploit.  As SuperUsers already have
    the ability to run arbitrary code using Scrips, this vulnerability was
    primarily one of CSRF, which is closed by CSRF protection.  Regardless,
    validate the package names before they are inserted into the string
  2. @alexmv
Commits on Apr 14, 2012
  1. Tell users and admins what Referrer we wanted

    Kevin Falcone authored
    This introduces a normalizing method we could use elsewhere in the Web
    code, as well as uses that code to hide the localhost->
    It also adds to the error string so that you know what RT was expecting.
    "RT's configured hostname" is the best we could do without explicitly
    stating WebBaseURL in a user facing error message.
Commits on Apr 13, 2012
  1. @alexmv
Commits on Apr 12, 2012
  1. @alexmv
  2. @alexmv
Commits on Apr 11, 2012
  1. @alexmv