X-Git-Url: http://git.freeside.biz/gitweb/?a=blobdiff_plain;f=rt%2Ft%2Fweb%2Fcsrf.t;h=ca52122ffec28f98fa17c9992d7e38aad9b2d948;hb=de9d037528895f7151a9aead6724ce2df95f9586;hp=24aae40a1063476b5e645e290ef76fb49fbf8c7a;hpb=7588a4ac90a9b07c08a3107cd1107d773be1c991;p=freeside.git
diff --git a/rt/t/web/csrf.t b/rt/t/web/csrf.t
index 24aae40a1..ca52122ff 100644
--- a/rt/t/web/csrf.t
+++ b/rt/t/web/csrf.t
@@ -34,11 +34,60 @@ $m->get_ok("$test_page&user=root&pass=password");
 $m->content_lacks("Possible cross-site request forgery");
 $m->title_is('Create a new ticket');
+# CSRF parameter whitelist tests
+my $searchBuildPath = '/Search/Build.html';
+
+# CSRF whitelist for /Search/Build.html param SavedSearchLoad
+$m->add_header(Referer => undef);
+$m->get_ok("$searchBuildPath?SavedSearchLoad=foo");
+$m->content_lacks('Possible cross-site request forgery');
+$m->title_is('Query Builder');
+
+# CSRF pass for /Search/Build.html no param
+$m->add_header(Referer => undef);
+$m->get_ok("$searchBuildPath");
+$m->content_lacks('Possible cross-site request forgery');
+$m->title_is('Query Builder');
+
+# CSRF fail for /Search/Build.html arbitrary param only
+$m->add_header(Referer => undef);
+$m->get_ok("$searchBuildPath?foo=bar");
+$m->content_contains('Possible cross-site request forgery');
+$m->title_is('Possible cross-site request forgery');
+
+# CSRF fail for /Search/Build.html arbitrary param with SavedSearchLoad
+$m->add_header(Referer => undef);
+$m->get_ok("$searchBuildPath?SavedSearchLoad=foo&foo=bar");
+$m->content_contains('Possible cross-site request forgery');
+$m->title_is('Possible cross-site request forgery');
+
+# CSRF pass for /Search/Build.html param NewQuery
+$m->add_header(Referer => undef);
+$m->get_ok("$searchBuildPath?NewQuery=1");
+$m->content_lacks('Possible cross-site request forgery');
+$m->title_is('Query Builder');
+
+# CSRF pass for /Ticket/Update.html items in ticket action menu
+$m->add_header(Referer => undef);
+$m->get_ok('/Ticket/Update.html?id=1&Action=foo');
+$m->content_lacks('Possible cross-site request forgery');
+
+# CSRF pass for /Ticket/Update.html reply to message in ticket history
+$m->add_header(Referer => undef);
+$m->get_ok('/Ticket/Update.html?id=1&QuoteTransaction=1&Action=Reply');
+$m->content_lacks('Possible cross-site request forgery');
+
+# CSRF pass for /Articles/Article/ExtractIntoClass.html
+# Action->Extract Article on ticket menu
+$m->add_header(Referer => undef);
+$m->get_ok('/Articles/Article/ExtractIntoClass.html?Ticket=1');
+$m->content_lacks('Possible cross-site request forgery');
+
 # now send a referer from an attacker
 $m->add_header(Referer => 'http://example.net');
 $m->get_ok($test_page);
 $m->content_contains("Possible cross-site request forgery");
-$m->content_contains("If you really intended to visit /Ticket/Create.html");
+$m->content_contains("If you really intended to visit $baseurl/Ticket/Create.html");
 $m->content_contains("the Referrer header supplied by your browser (example.net:80) is not allowed");
 $m->title_is('Possible cross-site request forgery');
@@ -60,7 +109,7 @@ $m->title_is('#1: bad music');
 # now a non-whitelisted argument
 $m->get_ok("/Ticket/Display.html?id=1&Action=Take");
 $m->content_contains("Possible cross-site request forgery");
-$m->content_contains("If you really intended to visit /Ticket/Display.html");
+$m->content_contains("If you really intended to visit $baseurl/Ticket/Display.html");
 $m->content_contains("the Referrer header supplied by your browser (example.net:80) is not allowed");
 $m->title_is('Possible cross-site request forgery');
@@ -75,7 +124,7 @@ $m->content_contains('Owner changed from Nobody to root');
 $m->add_header(Referer => undef);
 $m->get_ok($test_page);
 $m->content_contains("Possible cross-site request forgery");
-$m->content_contains("If you really intended to visit /Ticket/Create.html");
+$m->content_contains("If you really intended to visit $baseurl/Ticket/Create.html");
 $m->content_contains("your browser did not supply a Referrer header");
 $m->title_is('Possible cross-site request forgery');
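Review bot: The new /Ticket/Update.html and /Articles/Article/ExtractIntoClass.html cases assert only the permissive side (`content_lacks`), whereas the /Search/Build.html block pairs each pass with a fail case (`?foo=bar`, `?SavedSearchLoad=foo&foo=bar`), so a regression that stops rejecting extra parameters on those two pages would go unnoticed. Assuming their whitelists are per-parameter like Build.html's, a negative case next to each pass case would close that gap; one for Update.html is sketched below. Separately, `$searchBuildPath` is the only camelCase local in a file that otherwise uses snake_case (`$test_page`, `$broken_url`), and `$m->get_ok("$searchBuildPath")` needs no interpolating quotes. `$baseurl` in the changed assertion is not defined in this hunk; presumably it comes from earlier in the file.
```perl
# … unchanged: Search/Build.html whitelist cases …
# CSRF fail for /Ticket/Update.html with a non-whitelisted extra param
$m->add_header(Referer => undef);
$m->get_ok('/Ticket/Update.html?id=1&Action=foo&foo=bar');
$m->content_contains('Possible cross-site request forgery');
$m->title_is('Possible cross-site request forgery');
# … unchanged: ExtractIntoClass.html case and attacker-referer block …
```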
@@ -89,7 +138,7 @@ $m->title_is('Create a new ticket');
 $m->add_header(Referer => undef);
 $m->get_ok($test_page);
 $m->content_contains("Possible cross-site request forgery");
-$m->content_contains("If you really intended to visit /Ticket/Create.html");
+$m->content_contains("If you really intended to visit $baseurl/Ticket/Create.html");
 $m->content_contains("your browser did not supply a Referrer header");
 $m->title_is('Possible cross-site request forgery');
@@ -99,9 +148,9 @@ $m->title_is('Possible cross-site request forgery');
 my $link = $m->find_link(text_regex => qr{resume your request});
 (my $broken_url = $link->url) =~ s/(CSRF_Token)=\w+/$1=crud/;
 $m->get_ok($broken_url);
-$m->content_contains("Queue could not be loaded");
+$m->content_like(qr/Queue\s+could not be loaded/);
 $m->title_is('RT Error');
-$m->warning_like(qr/Queue could not be loaded/);
+$m->warning_like(qr/Queue\s+could not be loaded/);
 # The token doesn't work for other pages, or other arguments to the same page.
 $m->add_header(Referer => undef);
@@ -112,7 +161,7 @@ my ($token) = $m->content =~ m{CSRF_Token=(\w+)};
 $m->add_header(Referer => undef);
 $m->get_ok("/Admin/Queues/Modify.html?id=new&Name=test&CSRF_Token=$token");
 $m->content_contains("Possible cross-site request forgery");
-$m->content_contains("If you really intended to visit /Admin/Queues/Modify.html");
+$m->content_contains("If you really intended to visit $baseurl/Admin/Queues/Modify.html");
 $m->content_contains("your browser did not supply a Referrer header");
 $m->title_is('Possible cross-site request forgery');
@@ -134,7 +183,7 @@ $m->content_contains("Create a new ticket", 'ticket create page');
 $m->form_name('TicketCreate');
 $m->field('Subject', 'Attachments test');
-my $logofile = "$RT::MasonComponentRoot/NoAuth/images/bpslogo.png";
+my $logofile = "$RT::StaticPath/images/bpslogo.png";
 open LOGO, "<", $logofile or die "Can't open logo file: $!";
 binmode LOGO;
 my $logo_contents = do {local $/; };
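Review bot: The switch from a literal substring to `qr/Queue\s+could not be loaded/` in both the page and the warning check carries no comment saying why the whitespace inside the message is now variable, so the next reader may tighten it back to the exact string. A one-line comment above the first of the two, such as `# the error text may be wrapped across whitespace in the rendered page and the logged warning`, would record the intent; that reason is inferred, not visible in the hunk. Both patterns remain unanchored substring matches, which is consistent with the content_contains checks elsewhere in the file.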
@@ -145,7 +194,7 @@ $m->field('Attach', $logofile);
 $m->add_header(Referer => undef);
 $m->submit;
 $m->content_contains("Possible cross-site request forgery");
-$m->content_contains("If you really intended to visit /Ticket/Create.html");
+$m->content_contains("If you really intended to visit $baseurl/Ticket/Create.html");
 $m->follow_link(text_regex => qr{resume your request});
 $m->content_contains('Download bpslogo.png', 'page has file name');
 $m->follow_link_ok({text => "Download bpslogo.png"});
@@ -165,7 +214,7 @@ $m->content_contains("My open tickets", "got self-service interface");
 $m->add_header(Referer => undef);
 $m->get_ok("/SelfService/Create.html?Queue=1");
 $m->content_contains("Possible cross-site request forgery");
-$m->content_contains("If you really intended to visit /SelfService/Create.html");
+$m->content_contains("If you really intended to visit $baseurl/SelfService/Create.html");
 $m->content_contains("your browser did not supply a Referrer header");
 $m->title_is('Possible cross-site request forgery');