[Rt-commit] rt branch, 4.0/rename-extrasecurity, created. rt-4.0.0-183-gf87b7bf
Shawn Moore
sartak at bestpractical.com
Fri May 6 17:15:38 EDT 2011
The branch, 4.0/rename-extrasecurity has been created
at f87b7bf4136d5d91e4f7be29cf82267c31d98271 (commit)
- Log -----------------------------------------------------------------
commit 8523ae329dcbbdb256302576eb9eaf03f6d0d376
Author: Shawn M Moore <sartak at bestpractical.com>
Date: Fri May 6 16:56:39 2011 -0400
Deprecate @ExtraSecurity
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 73068b5..aa24c81 100755
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -2518,6 +2518,12 @@ Set($LinkTransactionsRun1Scrip, 0);
This option has been deprecated. You can configure this site-wide
with L</Lifecycles> (see L</Labeling and defining actions>).
+=item C<@ExtraSecurity>
+
+This option has been deprecated. It supported one option,
+C<Clickjacking>, which has been promoted into the
+C<$DisableFramebusting> config.
+
=back
=cut
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index aa41045..f536dd8 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -545,6 +545,16 @@ our %META = (
'You can change the site default in your %Lifecycles config.');
}
},
+ ExtraSecurity => {
+ PostLoadCheck => sub {
+ my $self = shift;
+ my $value = shift;
+ return unless $value;
+ $RT::Logger->info('The ExtraSecurity config option has been deprecated. '.
+ 'Its Clickjacking entry has been given its own config, ' .
+ '$DisableFramebusting');
+ }
+ },
WebPath => {
PostLoadCheck => sub {
my $self = shift;
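Review bot: The `return unless $value;` guard means the one @ExtraSecurity setting that differed from the old default — an empty list, which the old docs describe as the way to turn clickjacking protection off — produces no notice at all, while the setting that matched the default (`qw(Clickjacking)`) is the one that logs. Because the value is discarded rather than migrated, an admin who had removed Clickjacking gets the protection silently re-enabled by `$DisableFramebusting` defaulting to 0 (a safe direction, but an unannounced behaviour change), and one who still lists it sees only an `info` line. Consider dropping the guard, logging at `warning` so the message reaches a default log level, and telling the admin what to set: `$RT::Logger->warning('The @ExtraSecurity config option has been deprecated and is ignored; ' . 'set $DisableFramebusting to 1 if you want clickjacking protection off.');`. How PostLoadCheck is invoked for list-valued options is outside the hunk, so whether `$value` receives the whole list or only its first element should be confirmed. The second commit on this page also deletes the `ExtraSecurity` accessor itself, so third-party code calling it will fail outright rather than being warned.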
commit f87b7bf4136d5d91e4f7be29cf82267c31d98271
Author: Shawn M Moore <sartak at bestpractical.com>
Date: Fri May 6 16:48:59 2011 -0400
Rework @ExtraSecurity into $DisableFramebusting
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index aa24c81..d2e50a2 100755
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1698,6 +1698,12 @@ Should rejection notes from approvals be sent to the requestors?
Set($ApprovalRejectionNotes, 1);
+=head1 Extra security
+
+This is a list of extra security measures to enable that help keep your RT
+safe. If you don't know what these mean, you should almost certainly leave the
+defaults alone.
+
=item C<$DisallowExecuteCode>
If set to a true value, the C<ExecuteCode> right will be removed from
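Review bot: The new `=head1 Extra security` heading is opened inside the `=over 4` list of the preceding section, as far as the hunk shows: nothing closes that list before the heading, and the only `=back` in this file is the one after `Set($DisableFramebusting, 0);` in the next hunk. That leaves `=item C<$DisallowExecuteCode>` in a list that straddles two head1 sections, which podchecker is likely to flag. Match the other sections (`=head1 Authorization and user configuration` is immediately followed by `=over 4`) by emitting `=back` before `=head1 Extra security` and `=over 4` after the introductory paragraph, ahead of `=item C<$DisallowExecuteCode>`.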
@@ -1709,22 +1715,18 @@ be allowed to run arbitrary Perl code on the server via scrips.
Set($DisallowExecuteCode, 0);
-=item C<@ExtraSecurity>
+=item C<$DisableFramebusting>
-This is a list of extra security measures to enable that help keep your RT
-safe. If you don't know what these mean, you should almost certainly leave the
-defaults alone.
-
- Clickjacking - Enables framekiller javascript and adds an X-Frame-Options:
- DENY header to all requests
+If set to a true value, framekiller javascript will be disabled and the
+X-Frame-Options: DENY header will be suppressed from all responses.
+This disables RT's clickjacking protection.
=cut
-Set( @ExtraSecurity, qw(Clickjacking) );
+Set($DisableFramebusting, 0);
=back
-
=head1 Authorization and user configuration
=over 4
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index f536dd8..dd99f85 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -1270,20 +1270,6 @@ sub UpdateOption {
return 1;
}
-=head2 ExtraSecurity NAME
-
-Returns true if NAME is included in the C<@ExtraSecurity> list, false if not.
-
-This is currently a convenience method for C<< grep { lc $_ eq lc $name } RT->Config->Get('ExtraSecurity') >>.
-
-=cut
-
-sub ExtraSecurity {
- my $self = shift;
- my $name = lc shift;
- return scalar grep { lc $_ eq $name } $self->Get('ExtraSecurity');
-}
-
RT::Base->_ImportOverlays();
1;
diff --git a/lib/RT/Interface/Web/Handler.pm b/lib/RT/Interface/Web/Handler.pm
index a87e800..f366c19 100644
--- a/lib/RT/Interface/Web/Handler.pm
+++ b/lib/RT/Interface/Web/Handler.pm
@@ -273,7 +273,7 @@ sub _psgi_response_cb {
sub {
my $res = shift;
- if ( RT->Config->ExtraSecurity('Clickjacking') ) {
+ unless ( RT->Config->Get('DisableFramebusting') ) {
# XXX TODO: Do we want to make the value of this header configurable?
Plack::Util::header_set($res->[1], 'X-Frame-Options' => 'DENY');
}
diff --git a/share/html/Elements/Framekiller b/share/html/Elements/Framekiller
index 7af5f62..7218829 100644
--- a/share/html/Elements/Framekiller
+++ b/share/html/Elements/Framekiller
@@ -1,4 +1,4 @@
-% if ( RT->Config->ExtraSecurity('Clickjacking') ) {
+% unless ( RT->Config->Get('DisableFramebusting') ) {
%# This is defeatable. The current best known implemention uses CSS to hide
%# the content and JS to re-show it, but that fails poorly for clients that
%# don't run JS.
diff --git a/t/web/clickjacking-preventions.t b/t/web/clickjacking-preventions.t
index fda0877..b7eaf2f 100644
--- a/t/web/clickjacking-preventions.t
+++ b/t/web/clickjacking-preventions.t
@@ -2,14 +2,13 @@
use strict;
use warnings;
-use RT::Test tests => 14;
+use RT::Test tests => 11;
my ($url, $m);
# Enabled by default
{
- ok(RT->Config->ExtraSecurity('Clickjacking'), "RT->Config->ExtraSecurity reports Clickjacking enabled");
- ok(RT->Config->ExtraSecurity('clickjacking'), "RT->Config->ExtraSecurity reports clickjacking enabled");
+ ok(!RT->Config->Get('DisableFramebusting'), "Framebusting enabled by default");
($url, $m) = RT::Test->started_ok;
$m->get_ok($url);
@@ -21,9 +20,7 @@ my ($url, $m);
# Disabled
{
- RT->Config->Set('ExtraSecurity' => grep { !/clickjacking/i } RT->Config->Get('ExtraSecurity'));
- ok(!RT->Config->ExtraSecurity('Clickjacking'), "RT->Config->ExtraSecurity reports Clickjacking disabled");
- ok(!RT->Config->ExtraSecurity('clickjacking'), "RT->Config->ExtraSecurity reports clickjacking disabled");
+ RT->Config->Set('DisableFramebusting', 1);
($url, $m) = RT::Test->started_ok;
$m->get_ok($url);
-----------------------------------------------------------------------