[Rt-commit] rt annotated tag, rt-4.0.7rc1, created. rt-4.0.7rc1
Kevin Falcone
falcone at bestpractical.com
Tue Aug 21 13:19:41 EDT 2012
The annotated tag, rt-4.0.7rc1 has been created
at dbc6a81154d35fb88866465cb5839bf91a995430 (tag)
tagging 8624e6fb8e4825fc8025fc94c70be7b49e92f232 (commit)
replaces rt-4.0.6
tagged by Kevin Falcone
on Mon Aug 20 18:25:52 2012 -0400
- Log -----------------------------------------------------------------
release 4.0.7rc1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Darwin)
iEYEABECAAYFAlAyuXAACgkQ0+gKWp5CJQpXpgCfZl/NHq8hrwirMUISswV2B8uD
OdIAoOhZaEniZBzz5aPpl0Sw+PDWIAaX
=g9KB
-----END PGP SIGNATURE-----

Alex Vandiver (137):
Ignore the local directory which contains additional, temporarily non-public tests
Pull back docs/security.pod from 4.0-trunk
Add a note about the timeline on public announcements, tests, etc
Avoid shell interpolation when calling sendmailpipe
Merge branch '3.8/transaction-batch-twice' into 3.8-trunk
Prevent storing the old or new hashed password in the transaction table
Clean out sensitive user transactions
Add a consistent CurrentUserCanSee right
Enable ACL checks for non-Ticket transactions
Remove unused $args and @arglist variables
Explicitly ACL ObjectCustomFieldValue content, based on the custom field object
There is no reason for ->NewValue and ->OldValue to skip ACLs via __Value
Prevent actual error messages from propagating to the user
Enable LastUpdated on Scrips by not walking around RT::Record->_Set
Change =~ and !~ calls to be given a regular expression
Remove extra SendSessionCookie() calls
Add basic HTTP_REFERER checking to prevent cross-site request forgery
Whitelist some component (not request!) paths
Redirect to an interstitial page on CSRF attacks, rather than denying
Ensure that publicly cacheable content does not contain Set-Cookie headers
Allow file uploads to persist across CSRF interstitial
Add optional CSRF login protection
Allow REST requests to function regardless of Referer header
Ensure that the new /l_unsafe is protected from direct access as well
Overhaul what CSS we allow in style attributes to be safer *and* more useful
Remove unused GenericQueryArgs parameter
Similarly, there is no reason to configure AllowSorting
Disallow setting arbitrary titles
Disallow setting of roles via query params
Always pass in status list to selfservice search
Add a test to verify binary attachments round-trip
Terminate the request if there isn't a CustomField or Context Argument
Load and Validate Custom Field Context Objects
When loading custom fields by queue, default the context object accordingly
Set context objects on CFs explicitly whenever possible
Consistently escape all possibly suspect characters in JS strings
Merge branch 'security/3.8/vulnerable-passwords' into security/3.8-trunk
Merge branch 'security/3.8/escape-flags' into security/3.8-trunk
Merge branch 'security/3.8/slash-l-xss' into security/3.8-trunk
Merge branch 'security/3.8/xss' into security/3.8-trunk
Merge branch 'security/3.8/clickable-xss-links' into security/3.8-trunk
Merge branch 'security/3.8/mason-runtime-errors' into security/3.8-trunk
Merge branch 'security/3.8/scrub-class-id' into security/3.8-trunk
Merge branch 'security/3.8/stricter-scrips-templates-acls' into security/3.8-trunk
Merge branch 'security/3.8/selfservice' into security/3.8-trunk
Merge branch 'security/3.8/shredder-dumps' into security/3.8-trunk
Merge branch 'security/3.8/attachments' into security/3.8-trunk
Merge branch 'security/3.8/cached-set-cookie' into security/3.8-trunk
Merge branch 'security/3.8/transaction-leak' into security/3.8-trunk
Merge branch 'security/3.8/csrf-referer' into security/3.8-trunk
Merge branch 'security/3.8/arbitrary-methods' into security/3.8-trunk
Merge branch 'security/3.8/verp-code-execution' into security/3.8-trunk
Merge branch 'security/3.8/private-components' into security/3.8-trunk
Merge branch 'security/3.8/installmode' into security/3.8-trunk
Merge branch 'security/3.8/paging-injection' into security/3.8-trunk
Merge branch 'security/3.8/graphviz-escaping' into security/3.8-trunk
Merge branch 'security/3.8/custom-field-values' into security/3.8-trunk
Ensure that all joins through CachedGroupMembers limits to non-disabled rows
Merge branch 'security/3.8/disabled-group-members' into security/3.8-trunk
Merge branch 'security/3.8/infrastructure' into security/3.8-trunk
Remove an incorrect Disabled limit
Safety-checking on classes loaded with `eval "require $class"`
Remove a couple missed references to CSS2PIE
$r->path_info is not reliable; use the request_comp's path
$r->path_info is not reliable; use the full URI
Fix a simple typo
Allow the homepage refresh argument as an idempotent query parameter
Abstract out creation of request tokens which bypass CSRF
Rename LogoutURL to the more general-use RefreshURL
Set the refresh URL on ticket results to a CSRF-safe one
Clean up the error message in a common case of no explicit whitelisted hosts
Merge branch 'security/3.8/interstitial-path' into security/3.8-trunk
Merge branch 'security/3.8/refresh-csrf' into security/3.8-trunk
Merge branch 'security/3.8/whitelist-csrf-referrer' into security/3.8-trunk
Only enable CSRF argument stashing in refresh URL if CSRF is enabled
AddAttachments must use $RT::SystemUser when searching for attachments to use
Ensure that updated session is sent to clients after external auth
Version bump for 3.8.12
Merge branch '3.8.12-releng' into 3.8-trunk
Merge branch '4.0.6-releng' into 4.0-trunk
Merge branch '3.8-trunk' into 4.0-trunk
Bump the FCGI dependency to one which closes FCGI's CVE-2011-2766
Protect against undef field values in REST
Merge branch '4.0/avoid-user-pref-in-css-files' into 4.0-trunk
Merge branch '4.0/object-in-add-custom-field-value-error-msg' into 4.0-trunk
Merge branch '4.0/no-charset-for-binary-attach' into 4.0-trunk
Merge branch '4.0/mobile-user-agent' into 4.0-trunk
Merge branch '4.0/skip-empty-values-in-email-completion' into 4.0-trunk
Merge branch '4.0/cli-create-ticket-with-unknown-field' into 4.0-trunk
Merge branch '4.0/cli-raw-print-links' into 4.0-trunk
Merge branch '4.0/delete-subscriptions-in-dashboard-deletion' into 4.0-trunk
Merge branch '4.0/email-action-avoid-hardcoded-resolved-status' into 4.0-trunk
Merge branch '4.0/simple-search-cf-dashes' into 4.0-trunk
Clarify wording on the error a bit
Merge branch '4.0/self-service-tickets-top-level-link' into 4.0-trunk
Merge branch '4.0/create-tickets-bad-template-warning' into 4.0-trunk
Prevent a "There are 2 forms with the named fields" warning
Merge branch '4.0/unicode-transaction-subjects' into 4.0-trunk
Merge branch '4.0/testing-under-apache' into 4.0-trunk
Merge branch '4.0/sqlite-schema-defaults' into 4.0-trunk
Add a test for owner:email@address
Merge branch '4.0/request-args-to-decoded-args' into 4.0-trunk
Merge branch '4.0/case-insensitive-custom-field-searching' into 4.0-trunk
Merge branch '4.0/simple-search-owner' into 4.0-trunk
Merge branch '4.0/txn-anchor-position' into 4.0-trunk
Slight rewording of RecordOutgoingEmail's effect on EmailFrequency
Merge branch '4.0/hide-email-frequency-pref' into 4.0-trunk
Merge branch '4.0/test-dependencies-conclusion-with-install' into 4.0-trunk
Merge branch '4.0/optimize-customfield-upgrade' into 4.0-trunk
Merge branch '4.0/dep-ipc-run-version' into 4.0-trunk
Merge branch '4.0/expand-ticket-membmers-once' into 4.0-trunk
Remove 9919763's assumption that all members are ticket objects
Merge branch '4.0/exclude-disabled-user-cfs' into 4.0-trunk
Merge branch '4.0/border-radius' into 4.0-trunk
Merge branch '4.0/admin-queue-form-enctype' into 4.0-trunk
Merge branch '4.0/approval-permission-error' into 4.0-trunk
Merge branch '4.0/bootstrap-test-db-after-loading-classes' into 4.0-trunk
Make the "Now" button in the timepicker look less disabled
Patch timepicker to not force the textbox to update on click-away
Make "Today" button work on date inputs when timepicker is installed
Set requestor explicitly, as recipient@example.com is no longer cached
Merge branch '4.0/warnings-avoidance-on-5.16' into 4.0-trunk
Merge branch '4.0/flesh-out-jumbo-tests' into 4.0-trunk
Merge branch '4.0/datetimepicker-ui' into 4.0-trunk
Factor out case-insensitive content-type header checks into a variable
This if() statement is guaranteed-true by the surrounding one
Merge branch '4.0/multipart-message-display' into 4.0-trunk
Merge branch '4.0/transactionbatch-currentuser-leak' into 4.0-trunk
Warn if TransactionBatch would be triggered on shredded tickets
Update shredder tests to heed the warning added in bc3212f
Merge branch '4.0/canonicalize-uris-in-ticketsql' into 4.0-trunk
Merge branch '4.0/referrer-whitelist-wildcards' into 4.0-trunk
Merge branch '4.0/whitelist-search-results' into 4.0-trunk
Merge branch '4.0/stop-shredder-dataloss' into 4.0-trunk
Merge branch '4.0/rest-drop-wrong-email-test' into 4.0-trunk
Merge branch '4.0/same-query-in-both-queue-summary-by' into 4.0-trunk
Merge branch '4.0/template-tests' into 4.0-trunk

Dominic Hargreaves (1):
Correct 'warn' log method to warning

Jason May (2):
Test ticket date submissions in Jumbo
Test adding watchers in Jumbo

Jesse Vincent (2):
Move the meat of ScrubHTML into RT::Interface::Web::ScrubHTML
Perl 5.16 is much pickier about undef values being passed to the utf8 subs

Jim Brandt (14):
Add DECRYPTION_INFO to ignore_keywords.
Exclude disabled CFs in Limit calls.
Make content searches in Articles case-insensitive.
Allow dashes in cf names in simple search.
Add IncludeArticle flag to MessageBox
Remove CASESENSITIVE from NULL value Limit.
Remove tabs and fix indent on Limit calls.
Make case insensitive article search test TODO on mysql
Test showing iso-8859-1 encoding is dropped from EmailInputEncodings
Retain canonical encodings in EmailInputEncodings
Update table_info call to get back table data for test SQLite DB
Make shredder test TODO for remaining transaction and link after shred
Loop with values, not each, in WipeoutAll to avoid side effects
Update lifecycle documentation on statuses available at ticket creation

Kevin Falcone (40):
TransactionBatch scrips are triggered twice
We were running afoul of DBIx::SearchBuilder::Record::Cachable
Add a test that confirms that the CurrentUser isn't changed
Stop TransactionBatch scrips from running twice.
Push this logic down into Prepare and Commit
Confirm that our Priority is 0
If the CreateTickets template isn't valid, tell the admin
Combine multiple ALTER statements into single statements.
Catch more places where we ALTER TABLE multiple times on a large table
Add a few more multi-table alters
We did not find and upgrade passwords for disabled users.
Tell users and admins what Referrer we wanted
Encourage users to look in the logs when an error happens.
Switch to our so that extensions can whitelist components
Add a new ReferrerWhitelist config option
Document how to pull from the error into the config
Merge branch '4.0/messagebox-include-article-flag' into 4.0-trunk
GPG 1.4.12 tweaked the header on the trustdb
Merge branch '4.0/more-about-requestors-pref-consistency' into 4.0-trunk
Merge branch '4.0/scrip-lastupdated' into 4.0-trunk
Merge branch '4.0/gnupg-ignore-keyword-decryption-info' into 4.0-trunk
Make CustomField TicketSQL queries case insensitive
Merge branch '4.0/dont-assume-members-are-tickets' into 4.0-trunk
We're not cleaning up all CurrentUsers in TransactionBatch
Start forcibly loading the Ticket object we use in Scrips
Implement a TransactionBatch Guard function
Remove some repeated code.
Merge branch '4.0/shredded-transactionbatch' into 4.0-trunk
Whitelist Search/{Results.html,Simple.html}
Whitelist /m/tickets/search
Merge branch '4.0/fcgi-env-vulnerability' into 4.0-trunk
Merge branch '4.0/remove-css3pie-references' into 4.0-trunk
Merge branch '4.0/match-on-regex-not-string' into 4.0-trunk
Merge branch '4.0/remove-web-external-only' into 4.0-trunk
Merge branch '4.0/lifecycles-documentation-fix' into 4.0-trunk
Merge branch '4.0/bad-version-of-email-address-module' into 4.0-trunk
Merge branch '4.0/extract-ticket-id-function' into 4.0-trunk
Merge branch '4.0/make-sure-utf8-is-utf8' into 4.0-trunk
Merge branch '4.0/case-insensitive-article-search' into 4.0-trunk
Bump incorrect test count

Ruslan Zakirov (13):
load classes then bootstrap DB for tests
sync queries in QueueSummaryBy*
avoid Email::Address 1.89[34], too strict
Merge remote-tracking branch 'origin/4.0/current-user-outdated-email-name-fix' into 4.0-trunk
no need for this naive email check, it's wrong
refactor old test file and test more
replace template.t with template-insert.t
minor test refactoring before we change it further
allow passing arguments when testing templates
rename template-simple.t to template-parsing.t
don't skip conversion from utf8 to utf8
delete exit; call from test file
factor out ExtractTicketId function on top of ParseTicketId

Shawn M Moore (1):
Explicitly pass the type of escaping we want to apply_escapes

Thomas Sibley (59):
Refactor common datepicker options
Easier date selection through datepicker options
Replace timepickr with a new one that is well integrated into the datepicker
Add the new timepicker and jQuery UI JS to our third party sources
Merge branch '3.8/ie7js-cleanup' into 3.8-trunk
Merge branch '3.8/topactions-form-css-fix' into 3.8-trunk
Position anchors in history so the transaction summary line is visible
The "lasttrans" anchor should be invisible and take up no space
Don't shift the datetime picker up if it would hit the bottom
A failing test case for unicode in the transaction subject
Headers we shove into MIME::Head objects should always be octets
Bring SQLite column defaults up to parity with our MySQL schema
Escape all arguments passed to /l
Only run known formatters in RT::Date
Require valid names for the format methods called by LocalizedDateTime
Validate the requested link types when graphing relationships
Explicitly override any Graph parameter passed into RT::Graph::Tickets
Prevent user-controlled partial component paths from walking up directories
Make CheckIntegrity idempotent on a running install
Refuse to turn on InstallMode when we have database integrity
Iterate attachments as the creator of the current transaction when sending mail
Forbid javascript: and data: ticket links to avoid clickable XSS vectors
Escape backslashes in text used for GraphViz input
Check ACLs on the receiving end when modifying a scrip's Queue or Template
Check ACLs on the receiving end when modifying a Template's Queue
Allow blockquotes in our HTML so quote folding works
RowsPerPage and FirstRow only accept natural numbers and undef
Refactor HTML scrubbing to make it easier to customize what is allowed
Add a way to specify tag-specific attribute rules for scrubbing
Scrub class and id attributes from HTML instead of passing them through
Inherit from the normal autohandler chain when serving Shredder backups
Ensure the empty CFVs collection never returns results after a failed rights check
Push id = 0 limits into an ACL subclause
Prevent linking directly to CF values when the value is a data: URI
Escape wrap parameter when rendering a message box
Escape NamePrefix to avoid XSS if it's passed into EditCustomField
Close an XSS vector via BaseURL in collection lists
Test that RT::Users->WhoHaveRight doesn't pick up disabled groups
Reliably negate --install when automatically re-running rt-test-dependencies
Clean up some other SQLite defaults missed by the previous commit
Set ServerName to avoid warnings from apache during testing
Set %Lifecycles explicitly so RT::Test can write it to disk for apache
Use active/inactive in the pref for consistency with the UI itself
Document the arguments passed to the Handle* methods
Make owner:user@example.com work as the in-page simple search documentation claims
Merge branch '4.0/rest-undef-values' into 4.0-trunk
Specify border-radius, or equivalent, alongside vendor-prefixed versions
Self Service: Link the top-level menu item "Tickets" to Open Tickets
Use $DECODED_ARGS instead of $m->request_args
Backport a jQuery UI Mouse patch to fix sliders on IE 9
Remove a trailing comma that causes IE 7 to choke
Upgrade the timepicker to the latest stable version
Only display textual parts under multipart/related if they're preferred
Ignore case when looking at Content-Type for $PreferRichText
WebExternalOnly was renamed to WebFallbackToInternalAuth
Allow simple wildcard matching in @ReferrerWhitelist
Canonicalize URIs in TicketSQL link limits
Tests for the new RT::URI->CanonicalizeURI
RT not RT3

sunnavy (29):
make *all* the forms in topactions float, see also #12796
topactions css lives in layout.css
we don't use ie7.js any more
don't expand the ticket if it's expanded before.
don't check user pref "UseSideBySideLayout" in css files
sidebyside layout test
don't set charset in content-type if the attachment is binary
run rt-test-dependencies again to get the conclusion right when run with --install
$args{Field} could be a cf object
force to use rawprint to show ticket links
test show links from cli without specifying format
use multipart/form-data as queue could have upload custom fields
add RT::Ticket::FirstInactiveStatus to avoid hardcoded "resolved" status in email interface
delete subscriptions automatically when deleting dashboards
update tests as now subscriptions are cleaned up automatically
make it mobile as long as user agent contains "mobile"
use exec to keep the exit code
don't create ticket if there is unknown field
cli test of creating ticket with unknown field
show "No permission" so user knows what is going on
skip empty values as it returns nothing in completion
we can/should filter empty values in sql instead
IPC::Run < 0.90 miscalculates length of UTF-8 strings
we need GD in dashboard chart test
hide EmailFrequency pref if RecordOutgoingEmail is off
load current user on every request to keep the info up to date
use CurrentUser->EmailAddress consistently
test for updated email of current user
typo fix: we use "var/mason_data" instead of "var/mason" like in jifty
-----------------------------------------------------------------------