Not only is it only necessary if CSRF protections are on, but RT does not expand CSRF_Token unless RestrictReferrer is enabled.
Without this, you can't push onto the list in ReferrerWhitelist because Set just assumes that the config option is a SCALAR.
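As an added illustration, not RT's own RT::Config code: a simplified Set() with the (\[$@%]@) prototype that RT_SiteConfig.pm relies on. The prototype passes the config variable itself by reference, so the sigil in the config file decides whether the option is stored as a scalar, a list or a hash, and a list can later be pushed onto. The option names and values are constructed, %Config and Get() are this example's own, and the symbol-table scan is this example's way of recovering the option name from the reference.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified stand-in for RT's Set(): stores options in %Config keyed by
# the variable name, keeping lists as lists and hashes as hashes.
my %Config;

sub Set (\[$@%]@) {
    my ($ref, @values) = @_;
    my $type = ref $ref;                 # SCALAR, ARRAY or HASH

    # A reference carries no name, so locate the package variable whose
    # matching glob slot is this reference (config variables live in main::).
    my $name;
    for my $sym (keys %main::) {
        my $glob = $main::{$sym};
        next unless ref(\$glob) eq 'GLOB';
        my $slot = *{$glob}{$type};
        if (defined $slot && $slot == $ref) { $name = $sym; last; }
    }
    die "Set(): cannot determine the name of this $type option\n" unless $name;

    if    ($type eq 'SCALAR') { $Config{$name} = $values[0]; }
    elsif ($type eq 'ARRAY')  { $Config{$name} = [ @values ]; }
    else                      { $Config{$name} = { @values }; }
    return;
}

# Returns the stored value: a plain scalar, or a reference for lists and hashes.
sub Get { my ($name) = @_; return $Config{$name}; }

# Config-file style declarations with constructed values.
our ($WebBaseURL, @ReferrerWhitelist, %ExampleHash);
Set($WebBaseURL, 'https://rt.example.com');
Set(@ReferrerWhitelist, 'www.example.com:443');
Set(%ExampleHash, key => 'value');

# Because the list was stored as a list, later code can extend it.
push @{ Get('ReferrerWhitelist') }, 'www3.example.com:80';

printf "WebBaseURL        = %s\n", Get('WebBaseURL');
printf "ReferrerWhitelist = %s\n", join(', ', @{ Get('ReferrerWhitelist') });
printf "ExampleHash.key   = %s\n", Get('ExampleHash')->{key};
```

A Set() written as sub Set ($@) would receive the flattened contents of @ReferrerWhitelist and store only the first element, which is the defect the commit describes.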
Unfortunately, browsers do not always provide a referrer when redirecting to a page by way of a <meta http-equiv="refresh">. As such, automatic result refreshes trigger CSRF protections, as they request a complex URL with many query parameters, and no referrer. Work around this by generating a CSRF token which encodes the complete set of query parameters, and redirecting to that. An unfortunate but unavoidable side effect of this is that the session is bloated by each of these sets of stored query parameters on each search result page that has a refresh set.
The menuing code examines $m->request_args to determine some menu state. Unfortunately, when returning from a CSRF interstitial the args provided to the component have been inflated, but $m->request_args has not been, and will only be observed to have one argument, CSRF_Token. While one could, during CSRF argument inflation, replace $m->request_args by reaching inside the object, this is not only naughty, but incorrect: the query parameters stored in the CSRF token are already-decoded parameters, while $m->request_args is expected to contain encoded parameters. The newly-introduced $DECODED_ARGS provides a centralized location which is expected to contain decoded parameters. Replace calls to $m->request_args with $DECODED_ARGS, and ensure that the latter is updated when returning from a CSRF interstitial.
Multiple locations in the code use $m->request_args to obtain information about the query parameters that were specified in the URL; however, the values recovered from this call are not utf8-decoded, which can lead to corrupted data. Additionally, existing code may depend on $m->request_args being encoded, which prevents merely altering the data prior to its entry into Mason. Provide a global variable, $DECODED_ARGS, which provides the correct, decoded, query parameters.
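The three mechanisms the preceding messages describe, as one added example that is not RT's code: utf8-decoding the raw query parameters once into a central $DECODED_ARGS, parking the decoded parameter set in the session behind a CSRF token so a referrer-less refresh can be redirected to a token-only URL, and inflating both the component's %ARGS and $DECODED_ARGS when the token comes back. Plain variables stand in for RT's %session and $DECODED_ARGS, the function names are hypothetical, the request values are constructed, and reading /dev/urandom for the token is this example's choice.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(decode);

binmode STDOUT, ':encoding(UTF-8)';

# Hypothetical globals standing in for RT's $DECODED_ARGS and %session.
our $DECODED_ARGS;
our %session;

# Mason's $m->request_args hands back byte strings.  Decode them here,
# once, instead of in every component that reads the arguments.
sub DecodeArgs {
    my ($raw) = @_;                      # hashref of byte strings / arrayrefs
    my %decoded;
    for my $key (keys %$raw) {
        my $val = $raw->{$key};
        $decoded{ decode('UTF-8', $key) } =
            ref $val eq 'ARRAY' ? [ map { decode('UTF-8', $_) } @$val ]
                                : decode('UTF-8', $val);
    }
    return \%decoded;
}

# 128 random bits, hex encoded, from the kernel's random source.
sub NewToken {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    defined(read $fh, my $bytes, 16) or die "cannot read random bytes: $!";
    close $fh;
    return unpack 'H*', $bytes;
}

# Park the complete, already-decoded parameter set in the session and
# return a URL carrying only the token: the parameters never reappear in
# the URL, which is what lets the referrer-less refresh succeed.
sub StoreRequestArgs {
    my ($path, $decoded) = @_;
    my $token = NewToken();
    $session{CSRF}{$token} = { created => time, path => $path, args => $decoded };
    return "$path?CSRF_Token=$token";
}

# On return from the interstitial, inflate the component's %ARGS *and*
# $DECODED_ARGS from the stored set, so code reading the latter does not
# see a lone CSRF_Token.
sub ExpandToken {
    my ($args) = @_;                     # the component's %ARGS, by reference
    my $token = delete $args->{CSRF_Token} or return $args;
    my $stored = $session{CSRF}{$token} or die "Unknown CSRF token\n";
    %$args = ( %{ $stored->{args} }, %$args );
    $DECODED_ARGS = { %$args };
    return $args;
}

# Constructed request: "été" arrives as UTF-8 bytes, Order is multi-valued.
my $raw = { Query => "Subject LIKE '\xc3\xa9t\xc3\xa9'", Order => ['ASC', 'DESC'], Rows => '50' };
my $decoded = DecodeArgs($raw);
printf "raw: %d bytes, decoded: %d characters\n", length $raw->{Query}, length $decoded->{Query};

my $url = StoreRequestArgs('/Search/Results.html', $decoded);
print "redirecting to $url\n";

# The browser follows the redirect; the component sees only CSRF_Token.
my ($token) = $url =~ /CSRF_Token=(\w+)/;
my %ARGS = ( CSRF_Token => $token );
ExpandToken(\%ARGS);
print "inflated args: ", join(', ', sort keys %ARGS), "\n";
print "DECODED_ARGS Query: $DECODED_ARGS->{Query}\n";

# The cost the commit mentions: every refresh parks another set in the session.
StoreRequestArgs('/Search/Results.html', $decoded) for 1 .. 3;
printf "%d parameter sets now held in the session\n", scalar keys %{ $session{CSRF} };
```

Because the stored set is already decoded, it can only be merged into a structure that is itself decoded; merging it into the encoded $m->request_args would mix byte strings and character strings, which is the mismatch the message above warns about.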
Also rename the variable because you're actually whitelisting a component, especially something like a dhandler which won't be in the URL.
While these close an arbitrary execution of code vulnerability, it required SuperUser privileges to exploit. As SuperUsers already have the ability to run arbitrary code using Scrips, this vulnerability was primarily one of CSRF, which is closed by CSRF protection. Regardless, validate the package names before they are inserted into the string eval.
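An added example of the validation step, not RT's own code: class names are matched against a strict identifier pattern before they are interpolated into the string eval, and a refused name is reported separately from a name that merely fails to load. Restricting the pattern to the RT::Action and RT::Condition namespaces is this example's assumption about which packages are meant; the function names and the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The only shape a class name may have before it reaches a string eval:
# an allowed namespace followed by '::'-separated Perl identifiers.
# Whitespace, punctuation or a foreign namespace is refused up front.
my $VALID_CLASS = qr/^RT::(?:Action|Condition)::[A-Za-z_]\w*(?:::[A-Za-z_]\w*)*\z/;

sub ValidateClassName {
    my ($name) = @_;
    return defined $name && $name =~ $VALID_CLASS ? 1 : 0;
}

# Load a class by name, validating first.  Returns (class, undef) on
# success and (undef, reason) otherwise.
sub LoadClass {
    my ($name) = @_;
    $name = '' unless defined $name;
    return (undef, "refused: '$name' is not a valid RT class name")
        unless ValidateClassName($name);
    # The name is now known to be a bare package identifier, so the
    # string eval can only ever contain a require statement.
    my $ok = eval "require $name; 1";
    return $ok ? ($name, undef) : (undef, "load failed: $@");
}

# Constructed inputs: a real RT class name (loads only where RT is
# installed), a name outside the allowed namespace, and two malformed names.
for my $name ('RT::Action::Notify', 'Some::Other::Module', 'RT::Action::Notify, 1', 'RT::Action::') {
    my ($class, $why) = LoadClass($name);
    print defined $class ? "loaded $class\n" : "$why\n";
}
```

Validation is cheap insurance even where, as the message notes, only a SuperUser could reach the eval: it keeps the string eval from ever seeing anything other than a package name.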
This introduces a normalizing method we could use elsewhere in the Web code, and uses that code to hide the localhost->127.0.0.1 transformations. It also adds to the error string so that you know what RT was expecting. "RT's configured hostname" is the best we could do without explicitly stating WebBaseURL in a user-facing error message.
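An added example of the normalization and the resulting check, not RT's own method: a full URL or a bare "host:port" is reduced to a canonical "host:port" (lowercased host, localhost mapped to 127.0.0.1, a missing port filled from the scheme) so that the referrer, WebBaseURL and ReferrerWhitelist entries are compared like with like, and the user-facing reason names "RT's configured hostname" without echoing WebBaseURL. NormalizeHostPort and CheckReferrer are hypothetical names, IPv6 literals are not handled, and all hosts and entries are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my %DEFAULT_PORT = ( http => 80, https => 443 );

# Reduce a URL or a bare "host:port" to a canonical "host:port".
# Bare entries without a port cannot be compared and yield undef.
sub NormalizeHostPort {
    my ($value) = @_;
    return unless defined $value;
    my ($host, $port);
    if ($value =~ m{^(https?)://([^/:?#]+)(?::(\d+))?}i) {
        ($host, $port) = ($2, $3 // $DEFAULT_PORT{ lc $1 });
    }
    elsif ($value =~ m{^([^/:?#]+):(\d+)\z}) {
        ($host, $port) = ($1, $2);
    }
    else {
        return;
    }
    $host = lc $host;
    $host = '127.0.0.1' if $host eq 'localhost';
    return "$host:$port";
}

# Decide whether the request may proceed.  Returns (1, undef) or (0, reason);
# the reason never states the configured WebBaseURL itself.
sub CheckReferrer {
    my (%args) = @_;                     # Referer, WebBaseURL, Whitelist (arrayref)
    my $referrer = NormalizeHostPort($args{Referer})
        or return (0, "The request's referrer header is missing or unparsable");
    my $base = NormalizeHostPort($args{WebBaseURL})
        or return (0, "WebBaseURL is not a usable URL");
    return (1, undef) if $referrer eq $base;
    for my $entry (@{ $args{Whitelist} || [] }) {
        my $allowed = NormalizeHostPort($entry);
        unless (defined $allowed) {
            warn "ReferrerWhitelist entry '$entry' has no port and is ignored\n";
            next;
        }
        return (1, undef) if $referrer eq $allowed;
    }
    return (0, "Referrer $referrer is neither RT's configured hostname nor in ReferrerWhitelist");
}

# Constructed cases: same host once normalized, a whitelisted host with
# odd casing, an unrelated host, and a request with no referrer at all.
my @tests = (
    [ 'http://localhost/rt/Ticket/Display.html?id=1', 'http://127.0.0.1:80/rt' ],
    [ 'https://WWW.Example.com/',                     'http://rt.example.com/' ],
    [ 'http://other.example.net/',                    'http://rt.example.com/' ],
    [ undef,                                          'http://rt.example.com/' ],
);
for my $t (@tests) {
    my ($ok, $why) = CheckReferrer(
        Referer    => $t->[0],
        WebBaseURL => $t->[1],
        Whitelist  => [ 'www.example.com:443', 'noport.example.com' ],
    );
    printf "%-45s %s\n", $t->[0] // '(no referrer)', $ok ? 'allowed' : "denied: $why";
}
```

Normalizing both sides before the comparison is what makes the localhost/127.0.0.1 distinction disappear from the check, and keeping that mapping inside one method is what lets the rest of the Web code stay unaware of it.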