[Rt-commit] rt annotated tag, rt-3.8.10, created. rt-3.8.10

Kevin Falcone falcone at bestpractical.com
Thu Apr 14 10:17:24 EDT 2011


The annotated tag, rt-3.8.10 has been created
        at  9f48f3e7a58d9f3ee75d263c93b53f688508407f (tag)
   tagging  d2055ebe2f27a38ea34dcd269978851e1a5d4ddd (commit)
  replaces  rt-3.8.10rc1
 tagged by  Kevin Falcone
        on  Thu Apr 14 10:15:10 2011 -0400

- Log -----------------------------------------------------------------
release 3.8.10

Alex Vandiver (10):
      Tests for exposing private components
      Restrict PrimaryGroupBy to only the explicit options that we offer
      Prevent FIELD- and OPERATOR- based SQL injection at the RT::SB level
      Lock down possible OCFV columns to the two that we use
      Use closures instead of eval to construct external CF limits
      Disallow SQL injection in FIELD argument to OrderBy
      Allow the logout page to specify a URL to redirect to
      Update the two reports which used the short form of User in charting
      Use Apache->the_request for mod_perl1 compat, instead of ->unparsed_uri
      We do not link the results in the table in this version

Kevin Falcone (14):
      Stop direct access to richtext editor files
      Tests - now with more passing
      Merge branch 'security/3.8/customfield-column-injection' into 3.8.10-releng
      Merge branch 'security/3.8/external-cf-eval' into 3.8.10-releng
      Merge branch 'security/3.8/force-null' into 3.8.10-releng
      Merge branch 'security/3.8/limit-security-restriction' into 3.8.10-releng
      Merge branch 'security/3.8/orderby-injection' into 3.8.10-releng
      Merge branch 'security/3.8/path-traversal' into 3.8.10-releng
      Merge branch 'security/3.8/private-components' into 3.8.10-releng
      Merge branch 'security/3.8/restrict-charting' into 3.8.10-releng
      Merge branch 'security/3.8/richtext-autohandler' into 3.8.10-releng
      Merge branch 'security/3.8/ticketsql-private-fields' into 3.8.10-releng
      Merge branch 'security/3.8/validate-refresh' into 3.8.10-releng
      Bump version for 3.8.10

Shawn M Moore (16):
      All of these requests oughta result in an error code
      First pass at MaybeRejectPrivateComponentRequest
      Use the requested path directly for private component checking
      Explain why we're using PATH_INFO instead of request_comp
      More explanation
      Use request_comp but don't check for dhandler
      Copy 4.0's path-traversal.t and tweak it for 3.8
      Forbid /. in Standalone
      Traversal protection for fastcgi_server and mason_handler.fcgi.in
      Traversal protection for webmux.pl (mod_perl)
      Traversal protection for speedycgi and svc
      path-traversal test for a SendStaticFile dhandler
      Construct a path we can usefully test for /. in webmux.pl
      More tests for unsafe and safe URLs
      Use only the integer number of seconds in the Refresh header
      Avoid testing files out of RichText

Thomas Sibley (5):
      Test that values for IS and IS NOT are forced to NULL
      Override Limit further to force values to NULL for IS and IS NOT
      Test that our UI canonicalizes values to NULL for IS/IS NOT
      A failing test that searches by invalid watcher subfields in TicketSQL
      Limit watcher subfields to a valid subset

-----------------------------------------------------------------------