[Rt-commit] rt annotated tag, rt-4.0.0, created. rt-4.0.0

Kevin Falcone falcone at bestpractical.com
Thu Apr 28 14:58:21 EDT 2011


The annotated tag, rt-4.0.0 has been created
        at  551a0a5af85876c1fc513a5b63650b3f3ff6205f (tag)
   tagging  e77f11b09699ecc530f747d2fdc027ad331206dc (commit)
  replaces  rt-4.0.0rc7
 tagged by  Kevin Falcone
        on  Thu Apr 28 11:25:49 2011 -0400

- Log -----------------------------------------------------------------
release 4.0.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEABECAAYFAk25hv0ACgkQ0+gKWp5CJQqN/QCg3juqINVnhyTGzDHJkWynPjZe
/bAAnRWjwX1hYpCc4lv1ePRzE+Z72Tf3
=tDZg
-----END PGP SIGNATURE-----

Alex Vandiver (15):
      Remove very old commented-out code that references a wrong config option anyway
      Fix variable name typo in a comment
      Document DontSearchBinaryAttachments
      Document SimplifiedRecipients
      Document DisallowExecuteCode
      Standardize and reword shredder configuration
      Tests for exposing private componets
      Remove SecondaryGroupBy, which is unused and a point of confusion
      Restrict PrimaryGroupBy to only the explicit options that we offer
      Disallow SQL injection in FIELD argument to OrderBy
      Use closures instead of eval to construct external CF limits
      Limit the CF options in SQL, rather than by regex
      Lock down possible OCFV columns to the two that we use
      Prevent FIELD- and OPERATOR- based SQL injection at the RT::SB level
      Allow the logout page to specify a URL to redirect to

Kevin Falcone (20):
      Be clearer about what the DontSearch*Attachments config options affect
      Merge branch '4.0/document-all-config-options' into 4.0.0-releng
      Test that we're not allowed to bypass NoAuth
      Prevent users from requesting /NoAuth/../Elements/Header
      We throw a warning from the handler, handle it
      Stop direct access to richtext editor files
      Merge branch '4.0/translation-updates' into 4.0.0-releng
      Merge branch '4.0/selfservice-richtext' into 4.0.0-releng
      Merge branch '4.0/fix-user-autocomplete-config-doc' into 4.0.0-releng
      Merge branch 'security/customfield-column-injection' into 4.0.0-releng
      Merge branch 'security/external-cf-eval' into 4.0.0-releng
      Merge branch 'security/force-null' into 4.0.0-releng
      Merge branch 'security/limit-security-restriction' into 4.0.0-releng
      Merge branch 'security/orderby-injection' into 4.0.0-releng
      Merge branch 'security/path-traversal' into 4.0.0-releng
      Merge branch 'security/private-components' into 4.0.0-releng
      Merge branch 'security/restrict-charting' into 4.0.0-releng
      Merge branch 'security/richtext-autohandler' into 4.0.0-releng
      Merge branch 'security/ticketsql-private-fields' into 4.0.0-releng
      Merge branch 'security/validate-refresh' into 4.0.0-releng

Shawn M Moore (22):
      Rerun extract-message-catalog
      Our merge-rosetta now deems Arabic incomplete
      po files where the only change is the image type fix
      Import actually-updated translations
      More french and japanese
      Canonicalize Project-Id-Version to RT 4.0.x
      Canonicalize Report-Msgid-Bugs-To to rt-devel
      All of these requests oughta result in an error code
      First pass at MaybeRejectPrivateComponentRequest
      Use the requested path directly for private component checking
      Explain why we're using PATH_INFO instead of request_comp
      More explanation
      Use request_comp but don't check for dhandler
      Use only the integer number of seconds in the Refresh header
      Expand noauth tests and rename it to path-traversal.t
      path-traversal test for a SendStaticFile dhandler
      More tests for unsafe and safe URLs
      Avoid testing files out of RichText
      Silence warnings out of t/api/tickets_overlay_sql.t
      Avoid redefining a couple variables
      po files with only metadata changes
      Updates to po files

Thomas Sibley (8):
      Turn a loc() into a single line so it's extracted correctly
      Test that values for IS and IS NOT are forced to NULL
      Override Limit further to force values to NULL for IS and IS NOT
      Test that our UI canonicalizes values to NULL for IS/IS NOT
      A failing test that searches by invalid watcher subfields in TicketSQL
      Limit watcher subfields to a valid subset
      Remove incorrect documentation regarding user autocomplete fields
      Push update ticket CFs into the table to fix a clearing issue with richtext editor

-----------------------------------------------------------------------


More information about the Rt-commit mailing list