| author | Ivan Kohler <ivan@freeside.biz> | 2012-09-23 15:05:41 -0700 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2012-09-23 15:05:41 -0700 |
| commit | a6496a4e8ec80b43074f59a1f9bf2cc79a082075 (patch) | |
| tree | c6d3d13530a5e1e9d91433d9593efd9eb1931d66 /rt/lib/RT/Interface/Web.pm | |
| parent | 750c8cc13516735ace1f36650b3596508a8304a8 (diff) | |
rt 3.8.14
Diffstat (limited to 'rt/lib/RT/Interface/Web.pm')
| -rw-r--r-- | rt/lib/RT/Interface/Web.pm | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/rt/lib/RT/Interface/Web.pm b/rt/lib/RT/Interface/Web.pm
index aafca1a75..61c06acb2 100644
--- a/rt/lib/RT/Interface/Web.pm
+++ b/rt/lib/RT/Interface/Web.pm
@@ -1035,6 +1035,17 @@ our %is_whitelisted_component = (
 # information for the search. Because it's a straight-up read, in
 # addition to embedding its own auth, it's fine.
 '/NoAuth/rss/dhandler' => 1,
+
+ # IE doesn't send referer in window.open()
+ # besides, as a harmless calendar select page, it's fine
+ '/Helpers/CalPopup.html' => 1,
+
+ # While both of these can be used for denial-of-service against RT
+ # (construct a very inefficient query and trick lots of users into
+ # running them against RT) it's incredibly useful to be able to link
+ # to a search result or bookmark a result page.
+ '/Search/Results.html' => 1,
+ '/Search/Simple.html' => 1,
 );
 sub IsCompCSRFWhitelisted { |
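Review bot: The new `/Search/Results.html` and `/Search/Simple.html` entries exempt those components from the CSRF referer check unconditionally, and the comment records the accepted denial-of-service trade-off but not the property the exemption actually rests on, namely that these pages are read-only. The entries in this hash are keyed only by component path, so the exemption would silently keep applying if either page later gained a state-changing action such as saving a search; I cannot see from the hunk whether anything in `IsCompCSRFWhitelisted` narrows it further, since that sub's body and the start of `%is_whitelisted_component` are outside the hunk. I would add above the two entries `# Safe only while these pages perform no state change; re-check if they ever gain a write action (e.g. saving a search).` and, if any query cost or rate limiting exists elsewhere as the DoS mitigation, name it here so the trade-off is traceable. The same note applies to `/Helpers/CalPopup.html`, whose justification is "harmless" without stating that it is read-only.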
