
rt branch, 4.0/referrer-whitelist-wildcards, created. rt-4.0.6-250-g54dd0b5
The branch, 4.0/referrer-whitelist-wildcards has been created
at 54dd0b5045d5fd73a9c594ded58dfd59c1c34ec4 (commit)

- Log -----------------------------------------------------------------
commit 54dd0b5045d5fd73a9c594ded58dfd59c1c34ec4
Author: Thomas Sibley <trs@bestpractical.com>
Date: Mon Jul 30 14:53:05 2012 -0700

Allow simple wildcard matching in @ReferrerWhitelist

Matching behaviour is modeled on the matching of SSL certificate CNs to
domain names.

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 784d76c..192fada 100755
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1797,6 +1797,16 @@ If the "RT has detected a possible cross-site request forgery" error is triggere
by a host:port sent by your browser that you believe should be valid, you can copy
the host:port from the error message into this list.

+Simple wildcards, similar to SSL certificates, are allowed. For example:
+
+ *.example.com:80 # matches foo.example.com
+ # but not example.com
+ # or foo.bar.example.com
+
+ www*.example.com:80 # matches www3.example.com
+ # and www-test.example.com
+ # and www.example.com
+
=cut

Set(@ReferrerWhitelist, qw());
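Review bot: the added POD shows wildcards only inside host labels, but the matching code in the Web.pm hunk of this same commit applies the pattern to the whole host:port string, so a reader cannot tell from this text whether an entry like `example.com:*` is meant to work; say explicitly that the port must be written literally (or that a wildcard in the port position is unsupported). It would also help to state the two properties the examples rely on, that matching is case-insensitive and that a `*` never spans a `.` (which is why `*.example.com:80` does not match `foo.bar.example.com`), and to name the rule being followed (RFC 2818 section 3.1), since the commit message only says it is modeled on SSL certificate CN matching.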
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 748caa3..ca50f68 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -1233,7 +1233,19 @@ sub IsRefererCSRFWhitelisted {
my $configs;
for my $config ( $base_url, RT->Config->Get('ReferrerWhitelist') ) {
push @$configs,$config;
- return 1 if $referer->host_port eq $config;
+
+ my $host_port = $referer->host_port;
+ if ($config =~ /\*/) {
+ # Turn a literal * into a domain component or partial component match.
+ # Refer to http://tools.ietf.org/html/rfc2818#page-5
+ my $regex = join "[a-zA-Z0-9\-]*",
+ map { quotemeta($_) }
+ split /\*/, $config;
+
+ return 1 if $host_port =~ /^$regex$/i;
+ } else {
+ return 1 if $host_port eq $config;
+ }
}

return (0,$referer,$configs);
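Review bot: a trailing `*` in a whitelist entry is silently lost, because `split /\*/, $config` discards trailing empty fields; an entry such as `example.com:*` therefore becomes `^example\.com:$`, which never matches a real host:port, instead of ending in the `[a-zA-Z0-9\-]*` component. Pass a negative limit, `split /\*/, $config, -1`, so trailing wildcards survive, or reject entries with a `*` after the colon and document that. Smaller point: `"[a-zA-Z0-9\-]*"` is a double-quoted string, so `\-` is an unrecognized escape that produces a "passed through" warning under `use warnings`; write it as `'[a-zA-Z0-9-]*'` (with `-` last in the class) to get the same pattern without the warning.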

-----------------------------------------------------------------------
_______________________________________________
Rt-commit mailing list
Rt-commit@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-commit