diff options
| author | Ivan Kohler <ivan@freeside.biz> | 2016-09-24 10:28:06 -0700 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2016-09-24 10:28:06 -0700 |
| commit | 7322f2afedcc2f427e997d1535a503613a83f088 (patch) | |
| tree | 6c0d4e68906bfdaaff2a2067620e222611b979ea /rt/t/web/csrf.t | |
| parent | ae14e320388fa5e7f400bff1c251ef885b7952e6 (diff) | |
rt 4.2.13 ticket#13852
Diffstat (limited to 'rt/t/web/csrf.t')
| -rw-r--r-- | rt/t/web/csrf.t | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/rt/t/web/csrf.t b/rt/t/web/csrf.t index 9d95d0685..3fea28788 100644 --- a/rt/t/web/csrf.t +++ b/rt/t/web/csrf.t @@ -34,6 +34,55 @@ $m->get_ok("$test_page&user=root&pass=password"); $m->content_lacks("Possible cross-site request forgery"); $m->title_is('Create a new ticket'); +# CSRF parameter whitelist tests +my $searchBuildPath = '/Search/Build.html'; + +# CSRF whitelist for /Search/Build.html param SavedSearchLoad +$m->add_header(Referer => undef); +$m->get_ok("$searchBuildPath?SavedSearchLoad=foo"); +$m->content_lacks('Possible cross-site request forgery'); +$m->title_is('Query Builder'); + +# CSRF pass for /Search/Build.html no param +$m->add_header(Referer => undef); +$m->get_ok("$searchBuildPath"); +$m->content_lacks('Possible cross-site request forgery'); +$m->title_is('Query Builder'); + +# CSRF fail for /Search/Build.html arbitrary param only +$m->add_header(Referer => undef); +$m->get_ok("$searchBuildPath?foo=bar"); +$m->content_contains('Possible cross-site request forgery'); +$m->title_is('Possible cross-site request forgery'); + +# CSRF fail for /Search/Build.html arbitrary param with SavedSearchLoad +$m->add_header(Referer => undef); +$m->get_ok("$searchBuildPath?SavedSearchLoad=foo&foo=bar"); +$m->content_contains('Possible cross-site request forgery'); +$m->title_is('Possible cross-site request forgery'); + +# CSRF pass for /Search/Build.html param NewQuery +$m->add_header(Referer => undef); +$m->get_ok("$searchBuildPath?NewQuery=1"); +$m->content_lacks('Possible cross-site request forgery'); +$m->title_is('Query Builder'); + +# CSRF pass for /Ticket/Update.html items in ticket action menu +$m->add_header(Referer => undef); +$m->get_ok('/Ticket/Update.html?id=1&Action=foo'); +$m->content_lacks('Possible cross-site request forgery'); + +# CSRF pass for /Ticket/Update.html reply to message in ticket history +$m->add_header(Referer => undef); +$m->get_ok('/Ticket/Update.html?id=1&QuoteTransaction=1&Action=Reply'); +$m->content_lacks('Possible cross-site request forgery'); + +# CSRF pass for /Articles/Article/ExtractIntoClass.html +# Action->Extract Article on ticket menu +$m->add_header(Referer => undef); +$m->get_ok('/Articles/Article/ExtractIntoClass.html?Ticket=1'); +$m->content_lacks('Possible cross-site request forgery'); + # now send a referer from an attacker $m->add_header(Referer => 'http://example.net'); $m->get_ok($test_page); |