Mailing List Archive: Request Tracker: Commit

rt branch, 4.0/referrer-whitelist-wildcards, created. rt-4.0.6-250-g54dd0b5



trs at bestpractical

Jul 30, 2012, 3:03 PM


The branch, 4.0/referrer-whitelist-wildcards has been created
at 54dd0b5045d5fd73a9c594ded58dfd59c1c34ec4 (commit)

- Log -----------------------------------------------------------------
commit 54dd0b5045d5fd73a9c594ded58dfd59c1c34ec4
Author: Thomas Sibley <trs [at] bestpractical>
Date: Mon Jul 30 14:53:05 2012 -0700

Allow simple wildcard matching in @ReferrerWhitelist

Matching behaviour is modeled on the matching of SSL certificate CNs to
domain names.

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 784d76c..192fada 100755
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1797,6 +1797,16 @@ If the "RT has detected a possible cross-site request forgery" error is triggere
by a host:port sent by your browser that you believe should be valid, you can copy
the host:port from the error message into this list.

+Simple wildcards, similar to SSL certificates, are allowed. For example:
+
+ *.example.com:80 # matches foo.example.com
+ # but not example.com
+ # or foo.bar.example.com
+
+ www*.example.com:80 # matches www3.example.com
+ # and www-test.example.com
+ # and www.example.com
+
=cut

Set(@ReferrerWhitelist, qw());
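Review bot: The new POD paragraph should spell out the two matching rules the Web.pm change depends on, because "similar to SSL certificates" leaves an administrator guessing: `*` stands for zero or more letters, digits or hyphens only (so it never crosses a `.` or reaches into the port), and the comparison is case-insensitive. The examples already imply both rules (`www*.example.com:80` matching `www.example.com` shows that `*` may be empty, and `*.example.com:80` not matching `foo.bar.example.com` shows that it stops at a dot), but stating them in one sentence above the examples avoids a reader assuming shell-glob semantics.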
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 748caa3..ca50f68 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1233,7 +1233,19 @@ sub IsRefererCSRFWhitelisted {
my $configs;
for my $config ( $base_url, RT->Config->Get('ReferrerWhitelist') ) {
push @$configs,$config;
- return 1 if $referer->host_port eq $config;
+
+ my $host_port = $referer->host_port;
+ if ($config =~ /\*/) {
+ # Turn a literal * into a domain component or partial component match.
+ # Refer to http://tools.ietf.org/html/rfc2818#page-5
+ my $regex = join "[a-zA-Z0-9\-]*",
+ map { quotemeta($_) }
+ split /\*/, $config;
+
+ return 1 if $host_port =~ /^$regex$/i;
+ } else {
+ return 1 if $host_port eq $config;
+ }
}

return (0,$referer,$configs);
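Review bot: `split /\*/, $config` is called without a LIMIT, so Perl drops trailing empty fields and a whitelist entry that ends in `*` (say `localhost:80*`) silently loses its wildcard, becoming the regex `^localhost\:80$` and matching only that one literal host:port; pass `split /\*/, $config, -1` so the trailing empty field is kept and the join still appends the character class. Two smaller points: `"[a-zA-Z0-9\-]*"` is a double-quoted string, where `\-` is an unrecognized escape that Perl warns about under `use warnings` (write it as `'[a-zA-Z0-9-]*'`), and the `return 1 if $host_port =~ /^$regex$/i;` line deserves a comment noting that because the class excludes `.`, a wildcard matches at most one label, which is the RFC 2818 behaviour the commit message promises.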

-----------------------------------------------------------------------
_______________________________________________
Rt-commit mailing list
Rt-commit [at] lists
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-commit
