As I was debugging my changes to add redis support for session and otks
databases, I noticed that the issue.search page does not request a CSRF token.
It also uses GET for it's submission mode.
This makes sense in most cases as it doesn't change any issue data. However
because we name the search and save it to the search list, it does modify data.
So this should have CSRF protection if the change is to be saved/committed.
I think this is a low priority. I am not sure how it could be used to do much
of anything other than mess with a user's searches. Using GET for searches (so we
can bookmark and share them) already provides the same exposure this does to issue
|2022-08-02 02:54:07||rouilj||set||messageid: <firstname.lastname@example.org>|
|2022-08-02 02:54:07||rouilj||link||issue2551229 messages|