Rt-users Digest, Vol 115, Issue 35

Date: Tue, 22 Oct 2013 13:08:05 -0400
From: Kevin Falcone falcone@bestpractical.com
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Restrictions and limitations on use of
ReferrerWhitelist, RestrictReferrer, RestrictReferrer (cross-site
request forgery warning message)
Message-ID: 20131022170805.GY37001@jibsheet.com
Content-Type: text/plain; charset="us-ascii"

ReferrerWhitelist [(Set(@ReferrerWhitelist, qw(*.example.com:443
*.example.com:80));] and Set RestrictLoginReferrer=0 do not seem to
work at all, and all users, privileged and unprivileged, get the
cross-site request forgery message.

As for @ReferrerWhitelist, you'd have to show an actual error message
to compare with the domains that you're whitelisting in order to know
what's wrong. This is the preferred solution (whitelist the source
of your ticket form submissions).

-kevin

OK … thanks for the clarification. I think my problem with the Whitelist is that I have whitespace in my $Organization name. The Apache error log shows

[Fri Oct 25 20:03:48 2013] [error]: your $Organization setting (Another Company) appears to contain whitespace. Please fix this. (/usr/local/rt/sbin/…/lib/RT/Config.pm:505)
[Fri Oct 25 20:03:48 2013] [notice]: Possible CSRF: your browser did not supply a Referrer header (/usr/local/rt/sbin/…/lib/RT/Interface/Web.pm:1458)

Does Whitelist use $Organization as a reference/lookup? When I set RT up, using my domain didn't make much sense because MY domain is different from the organizational unit that I am supporting, so I put in the ACTUAL NAME of the other organizational unit I support. I realize now that spaces in $Organization are not allowed in RT, but I have not had any problems up to now. I am prepared to change it if necessary, and I have seen instructions on this list to do an $Organization search-and-replace in MySQL to preserve links.
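To illustrate why a whitelist cannot help when the log reports that the browser supplied no Referrer header, here is an added example (not RT's code) of a host:port wildcard check in the same shape as the thread's @ReferrerWhitelist entries. The pattern list, the function name and the matching rules are assumptions for the illustration.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed whitelist, same host:port form as the thread's
# Set(@ReferrerWhitelist, qw(*.example.com:443 *.example.com:80)).
WHITELIST = ("*.example.com:443", "*.example.com:80")


def referrer_allowed(referer, whitelist=WHITELIST):
    """Hypothetical check (not RT's): return (allowed, reason).

    A request with no Referer header can never match any pattern, which is
    the situation the 'did not supply a Referrer header' notice describes.
    """
    if not referer:
        return False, "no Referrer header supplied"
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unparseable Referer"
    # Fill in the scheme's default port so 'https://host/' becomes host:443.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    origin = f"{parts.hostname}:{port}"
    for pattern in whitelist:
        # '*' spans any characters, so '*.example.com:443' covers
        # subdomains but not the bare 'example.com:443'.
        if fnmatch.fnmatchcase(origin, pattern):
            return True, f"matched {pattern}"
    return False, f"{origin} not in whitelist"


def classify_requests(referers, whitelist=WHITELIST):
    """Evaluate a batch of captured Referer values; returns a dict of results."""
    return {r: referrer_allowed(r, whitelist) for r in referers}


if __name__ == "__main__":
    # Constructed sample Referer values, including the missing-header case.
    samples = [
        None,
        "https://forms.example.com/ticket",
        "http://forms.example.com:8080/",
        "https://example.com/",
        "https://forms.example.com.attacker.invalid/",
    ]
    for referer, (ok, why) in classify_requests(samples).items():
        print(f"{str(referer):50} -> {'allow' if ok else 'deny'} ({why})")
```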