[Rt-commit] rt annotated tag, rt-4.0.7rc1, created. rt-4.0.7rc1

Kevin Falcone falcone at bestpractical.com
Tue Aug 21 13:19:41 EDT 2012


The annotated tag, rt-4.0.7rc1 has been created
        at  dbc6a81154d35fb88866465cb5839bf91a995430 (tag)
   tagging  8624e6fb8e4825fc8025fc94c70be7b49e92f232 (commit)
  replaces  rt-4.0.6
 tagged by  Kevin Falcone
        on  Mon Aug 20 18:25:52 2012 -0400

- Log -----------------------------------------------------------------
release 4.0.7rc1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Darwin)

iEYEABECAAYFAlAyuXAACgkQ0+gKWp5CJQpXpgCfZl/NHq8hrwirMUISswV2B8uD
OdIAoOhZaEniZBzz5aPpl0Sw+PDWIAaX
=g9KB
-----END PGP SIGNATURE-----

Alex Vandiver (137):
      Ignore the local directory which contains additional, temporarily non-public tests
      Pull back docs/security.pod from 4.0-trunk
      Add a note about the timeline on public announcements, tests, etc
      Avoid shell interpolation when calling sendmailpipe
      Merge branch '3.8/transaction-batch-twice' into 3.8-trunk
      Prevent storing the old or new hashed password in the transaction table
      Clean out sensitive user transactions
      Add a consistent CurrentUserCanSee right
      Enable ACL checks for non-Ticket transactions
      Remove unused $args and @arglist variables
      Explicitly ACL ObjectCustomFieldValue content, based on the custom field object
      There is no reason for ->NewValue and ->OldValue to skip ACLs via __Value
      Prevent actual error messages from propagating to the user
      Enable LastUpdated on Scrips by not walking around RT::Record->_Set
      Change =~ and !~ calls to be given a regular expression
      Remove extra SendSessionCookie() calls
      Add basic HTTP_REFERER checking to prevent cross-site request forgery
      Whitelist some component (not request!) paths
      Redirect to an interstitial page on CSRF attacks, rather than denying
      Ensure that publicly cachable content does not contain Set-Cookie headers
      Allow file uploads to persist across CSRF interstitial
      Add optional CSRF login protection
      Allow REST requests to function regardless of Referer header
      Ensure that the new /l_unsafe is protected from direct access as well
      Overhaul what CSS we allow in style attributes to be safer *and* more useful
      Remove unused GenericQueryArgs parameter
      Similarly, there is no reason to configure AllowSorting
      Disallow setting arbitrary titles
      Disallow setting of roles via query params
      Always pass in status list to selfservice search
      Add a test to verify binary attachments round-trip
      Terminate the request if there isn't a CustomField or Context Argument
      Load and Validate Custom Field Context Objects
      When loading custom fields by queue, default the context object accordingly
      Set context objects on CFs explicitly whenever possible
      Consistently escape all possibly suspect characters in JS strings
      Merge branch 'security/3.8/vulnerable-passwords' into security/3.8-trunk
      Merge branch 'security/3.8/escape-flags' into security/3.8-trunk
      Merge branch 'security/3.8/slash-l-xss' into security/3.8-trunk
      Merge branch 'security/3.8/xss' into security/3.8-trunk
      Merge branch 'security/3.8/clickable-xss-links' into security/3.8-trunk
      Merge branch 'security/3.8/mason-runtime-errors' into security/3.8-trunk
      Merge branch 'security/3.8/scrub-class-id' into security/3.8-trunk
      Merge branch 'security/3.8/stricter-scrips-templates-acls' into security/3.8-trunk
      Merge branch 'security/3.8/selfservice' into security/3.8-trunk
      Merge branch 'security/3.8/shredder-dumps' into security/3.8-trunk
      Merge branch 'security/3.8/attachments' into security/3.8-trunk
      Merge branch 'security/3.8/cached-set-cookie' into security/3.8-trunk
      Merge branch 'security/3.8/transaction-leak' into security/3.8-trunk
      Merge branch 'security/3.8/csrf-referer' into security/3.8-trunk
      Merge branch 'security/3.8/arbitrary-methods' into security/3.8-trunk
      Merge branch 'security/3.8/verp-code-execution' into security/3.8-trunk
      Merge branch 'security/3.8/private-components' into security/3.8-trunk
      Merge branch 'security/3.8/installmode' into security/3.8-trunk
      Merge branch 'security/3.8/paging-injection' into security/3.8-trunk
      Merge branch 'security/3.8/graphviz-escaping' into security/3.8-trunk
      Merge branch 'security/3.8/custom-field-values' into security/3.8-trunk
      Ensure that all joins through CachedGroupMembers limits to non-disabled rows
      Merge branch 'security/3.8/disabled-group-members' into security/3.8-trunk
      Merge branch 'security/3.8/infrastructure' into security/3.8-trunk
      Remove an incorrect Disabled limit
      Safety-checking on classes loaded with `eval "require $class"`
      Remove a couple missed references to CSS2PIE
      $r->path_info is not reliable; use the request_comp's path
      $r->path_info is not reliable; use the full URI
      Fix a simple typo
      Allow the homepage refresh argument as an idempotent query parameter
      Abstract out creation of request tokens which bypass CSRF
      Rename LogoutURL to the more general-use RefreshURL
      Set the refresh URL on ticket results to a CSRF-safe one
      Clean up the error message in a common case of no explicit whitelisted hosts
      Merge branch 'security/3.8/interstitial-path' into security/3.8-trunk
      Merge branch 'security/3.8/refresh-csrf' into security/3.8-trunk
      Merge branch 'security/3.8/whitelist-csrf-referrer' into security/3.8-trunk
      Only enable CSRF argument stashing in refresh URL if CSRF is enabled
      AddAttachments must use $RT::SystemUser when searching for attachments to use
      Ensure that updated session is sent to clients after external auth
      Version bump for 3.8.12
      Merge branch '3.8.12-releng' into 3.8-trunk
      Merge branch '4.0.6-releng' into 4.0-trunk
      Merge branch '3.8-trunk' into 4.0-trunk
      Bump the FCGI dependency to one which closes FCGI's CVE-2011-2766
      Protect against undef field values in REST
      Merge branch '4.0/avoid-user-pref-in-css-files' into 4.0-trunk
      Merge branch '4.0/object-in-add-custom-field-value-error-msg' into 4.0-trunk
      Merge branch '4.0/no-charset-for-binary-attach' into 4.0-trunk
      Merge branch '4.0/mobile-user-agent' into 4.0-trunk
      Merge branch '4.0/skip-empty-values-in-email-completion' into 4.0-trunk
      Merge branch '4.0/cli-create-ticket-with-unknown-field' into 4.0-trunk
      Merge branch '4.0/cli-raw-print-links' into 4.0-trunk
      Merge branch '4.0/delete-subscriptions-in-dashboard-deletion' into 4.0-trunk
      Merge branch '4.0/email-action-avoid-hardcoded-resolved-status' into 4.0-trunk
      Merge branch '4.0/simple-search-cf-dashes' into 4.0-trunk
      Clarify wording on the error a bit
      Merge branch '4.0/self-service-tickets-top-level-link' into 4.0-trunk
      Merge branch '4.0/create-tickets-bad-template-warning' into 4.0-trunk
      Prevent a "There are 2 forms with the named fields" warning
      Merge branch '4.0/unicode-transaction-subjects' into 4.0-trunk
      Merge branch '4.0/testing-under-apache' into 4.0-trunk
      Merge branch '4.0/sqlite-schema-defaults' into 4.0-trunk
      Add a test for owner:email at address
      Merge branch '4.0/request-args-to-decoded-args' into 4.0-trunk
      Merge branch '4.0/case-insensitive-custom-field-searching' into 4.0-trunk
      Merge branch '4.0/simple-search-owner' into 4.0-trunk
      Merge branch '4.0/txn-anchor-position' into 4.0-trunk
      Slight rewording of RecordOutgoingEmail's effect on EmailFrequency
      Merge branch '4.0/hide-email-frequency-pref' into 4.0-trunk
      Merge branch '4.0/test-dependencies-conclusion-with-install' into 4.0-trunk
      Merge branch '4.0/optimize-customfield-upgrade' into 4.0-trunk
      Merge branch '4.0/dep-ipc-run-version' into 4.0-trunk
      Merge branch '4.0/expand-ticket-membmers-once' into 4.0-trunk
      Remove 9919763's assumption that all members are ticket objects
      Merge branch '4.0/exclude-disabled-user-cfs' into 4.0-trunk
      Merge branch '4.0/border-radius' into 4.0-trunk
      Merge branch '4.0/admin-queue-form-enctype' into 4.0-trunk
      Merge branch '4.0/approval-permission-error' into 4.0-trunk
      Merge branch '4.0/bootstrap-test-db-after-loading-classes' into 4.0-trunk
      Make the "Now" button in the timepicker look less disabled
      Patch timepicker to not force the textbox to update on click-away
      Make "Today" button work on date inputs when timepicker is installed
      Set requestor explicitly, as recipient at example.com is no longer cached
      Merge branch '4.0/warnings-avoidance-on-5.16' into 4.0-trunk
      Merge branch '4.0/flesh-out-jumbo-tests' into 4.0-trunk
      Merge branch '4.0/datetimepicker-ui' into 4.0-trunk
      Factor out case-insensitive content-type header checks into a variable
      This if() statement is guaranteed-true by the surrounding one
      Merge branch '4.0/multipart-message-display' into 4.0-trunk
      Merge branch '4.0/transactionbatch-currentuser-leak' into 4.0-trunk
      Warn if TransactionBatch would be triggered on shredded tickets
      Update shredder tests to heed the warning added in bc3212f
      Merge branch '4.0/canonicalize-uris-in-ticketsql' into 4.0-trunk
      Merge branch '4.0/referrer-whitelist-wildcards' into 4.0-trunk
      Merge branch '4.0/whitelist-search-results' into 4.0-trunk
      Merge branch '4.0/stop-shredder-dataloss' into 4.0-trunk
      Merge branch '4.0/rest-drop-wrong-email-test' into 4.0-trunk
      Merge branch '4.0/same-query-in-both-queue-summary-by' into 4.0-trunk
      Merge branch '4.0/template-tests' into 4.0-trunk

Dominic Hargreaves (1):
      Correct 'warn' log method to warning

Jason May (2):
      Test ticket date submissions in Jumbo
      Test adding watchers in Jumbo

Jesse Vincent (2):
      Move the meat of ScrubHTML into RT::Interface::Web::ScrubHTML
      Perl 5.16 is much pickier about undef values being passed to the utf8 subs

Jim Brandt (14):
      Add DECRYPTION_INFO to ignore_keywords.
      Exclude disabled CFs in Limit calls.
      Make content searches in Articles case-insensitive.
      Allow dashes in cf names in simple search.
      Add IncludeArticle flag to MessageBox
      Remove CASESENSITIVE from NULL value Limit.
      Remove tabs and fix indent on Limit calls.
      Make case insensitive article search test TODO on mysql
      Test showing iso-8859-1 encoding is dropped from EmailInputEncodings
      Retain canonical encodings in EmailInputEncodings
      Update table_info call to get back table data for test SQLite DB
      Make shredder test TODO for remaining transaction and link after shred
      Loop with values, not each, in WipeoutAll to avoid side effects
      Update lifecycle documentation on statuses available at ticket creation

Kevin Falcone (40):
      TransactionBatch scrips are triggered twice
      We were running afoul of DBIx::SearchBuilder::Record::Cachable
      Add a test that confirms that the CurrentUser isn't changed
      Stop TransactionBatch scrips from running twice.
      Push this logic down into Prepare and Commit
      Confirm that our Priority is 0
      If the CreateTickets template isn't valid, tell the admin
      Combine multiple ALTER statements into single statements.
      Catch more places where we ALTER TABLE multiple times on a large table
      Add a few more multi-table alters
      We did not find and upgrade passwords for disabled users.
      Tell users and admins what Referrer we wanted
      Encourage users to look in the logs when an error happens.
      Switch to our so that extensions can whitelist components
      Add a new ReferrerWhitelist config option
      Document how to pull from the error into the config
      Merge branch '4.0/messagebox-include-article-flag' into 4.0-trunk
      GPG 1.4.12 tweaked the header on the trustdb
      Merge branch '4.0/more-about-requestors-pref-consistency' into 4.0-trunk
      Merge branch '4.0/scrip-lastupdated' into 4.0-trunk
      Merge branch '4.0/gnupg-ignore-keyword-decryption-info' into 4.0-trunk
      Make CustomField TicketSQL queries case insensitive
      Merge branch '4.0/dont-assume-members-are-tickets' into 4.0-trunk
      We're not cleaning up all CurrentUsers in TransactionBatch
      Start forcibly loading the Ticket object we use in Scrips
      Implement a TransactionBatch Guard function
      Remove some repeated code.
      Merge branch '4.0/shredded-transactionbatch' into 4.0-trunk
      Whitelist Search/{Results.html,Simple.html}
      Whitelist /m/tickets/search
      Merge branch '4.0/fcgi-env-vulnerability' into 4.0-trunk
      Merge branch '4.0/remove-css3pie-references' into 4.0-trunk
      Merge branch '4.0/match-on-regex-not-string' into 4.0-trunk
      Merge branch '4.0/remove-web-external-only' into 4.0-trunk
      Merge branch '4.0/lifecycles-documentation-fix' into 4.0-trunk
      Merge branch '4.0/bad-version-of-email-address-module' into 4.0-trunk
      Merge branch '4.0/extract-ticket-id-function' into 4.0-trunk
      Merge branch '4.0/make-sure-utf8-is-utf8' into 4.0-trunk
      Merge branch '4.0/case-insensitive-article-search' into 4.0-trunk
      Bump incorrect test count

Ruslan Zakirov (13):
      load classes then bootstrap DB for tests
      sync queries in QueueSummaryBy*
      avoid Email::Address 1.89[34], too strict
      Merge remote-tracking branch 'origin/4.0/current-user-outdated-email-name-fix' into 4.0-trunk
      no need for this naive email check, it's wrong
      refactor old test file and test more
      replace template.t with template-insert.t
      minor test refactoring before we change it further
      allow passing arguments when testing templates
      rename template-simple.t to template-parsing.t
      don't skip conversion from utf8 to utf8
      delete exit; call from test file
      factor out ExtractTicketId function on top of ParseTicketId

Shawn M Moore (1):
      Explicitly pass the type of escaping we want to apply_escapes

Thomas Sibley (59):
      Refactor common datepicker options
      Easier date selection through datepicker options
      Replace timepickr with a new one that is well integrated into the datepicker
      Add the new timepicker and jQuery UI JS to our third party sources
      Merge branch '3.8/ie7js-cleanup' into 3.8-trunk
      Merge branch '3.8/topactions-form-css-fix' into 3.8-trunk
      Position anchors in history so the transaction summary line is visible
      The "lasttrans" anchor should be invisible and take up no space
      Don't shift the datetime picker up if it would hit the bottom
      A failing test case for unicode in the transaction subject
      Headers we shove into MIME::Head objects should always be octets
      Bring SQLite column defaults up to parity with our MySQL schema
      Escape all arguments passed to /l
      Only run known formatters in RT::Date
      Require valid names for the format methods called by LocalizedDateTime
      Validate the requested link types when graphing relationships
      Explicitly override any Graph parameter passed into RT::Graph::Tickets
      Prevent user-controlled partial component paths from walking up directories
      Make CheckIntegrity idempotent on a running install
      Refuse to turn on InstallMode when we have database integrity
      Iterate attachments as the creator of the current transaction when sending mail
      Forbid javascript: and data: ticket links to avoid clickable XSS vectors
      Escape backslashes in text used for GraphViz input
      Check ACLs on the receiving end when modifying a scrip's Queue or Template
      Check ACLs on the receiving end when modifying a Template's Queue
      Allow blockquotes in our HTML so quote folding works
      RowsPerPage and FirstRow only accept natural numbers and undef
      Refactor HTML scrubbing to make it easier to customize what is allowed
      Add a way to specify tag-specific attribute rules for scrubbing
      Scrub class and id attributes from HTML instead of passing them through
      Inherit from the normal autohandler chain when serving Shredder backups
      Ensure the empty CFVs collection never returns results after a failed rights check
      Push id = 0 limits into an ACL subclause
      Prevent linking directly to CF values when the value is a data: URI
      Escape wrap parameter when rendering a message box
      Escape NamePrefix to avoid XSS if it's passed into EditCustomField
      Close an XSS vector via BaseURL in collection lists
      Test that RT::Users->WhoHaveRight doesn't pick up disabled groups
      Reliably negate --install when automatically re-running rt-test-dependencies
      Clean up some other SQLite defaults missed by the previous commit
      Set ServerName to avoid warnings from apache during testing
      Set %Lifecycles explicitly so RT::Test can write it to disk for apache
      Use active/inactive in the pref for consistency with the UI itself
      Document the arguments passed to the Handle* methods
      Make owner:user at example.com work as the in-page simple search documentation claims
      Merge branch '4.0/rest-undef-values' into 4.0-trunk
      Specify border-radius, or equivalent, alongside vendor-prefixed versions
      Self Service: Link the top-level menu item "Tickets" to Open Tickets
      Use $DECODED_ARGS instead of $m->request_args
      Backport a jQuery UI Mouse patch to fix sliders on IE 9
      Remove a trailing comma that causes IE 7 to choke
      Upgrade the timepicker to the latest stable version
      Only display textual parts under multipart/related if they're preferred
      Ignore case when looking at Content-Type for $PreferRichText
      WebExternalOnly was renamed to WebFallbackToInternalAuth
      Allow simple wildcard matching in @ReferrerWhitelist
      Canonicalize URIs in TicketSQL link limits
      Tests for the new RT::URI->CanonicalizeURI
      RT not RT3

sunnavy (29):
      make *all* the forms in topactions float, see also #12796
      topactions css lives in layout.css
      we don't use ie7.js any more
      don't expand the ticket if it's expanded before.
      don't check user pref "UseSideBySideLayout" in css files
      sidebyside layout test
      don't set charset in content-type if the attachment is binary
      run rt-test-dependencies again to get the conclusion right with --install
      $args{Field} could be a cf object
      force use of rawprint to show ticket links
      test show links from cli without specifying format
      use multipart/form-data as queue could have upload custom fields
      add RT::Ticket::FirstInactiveStatus to avoid hardcoded "resolved" status in email interface
      delete subscriptions automatically when deleting dashboards
      update tests as now subscriptions are cleaned up automatically
      make it mobile as long as user agent contains "mobile"
      use exec to keep the exit code
      don't create ticket if there is unknown field
      cli test of creating ticket with unknown field
      show "No permission" so user knows what is going on
      skip empty values as it returns nothing in completion
      we can/should filter empty values in sql instead
      IPC::Run < 0.90 miscalculates length of UTF-8 strings
      we need GD in dashboard chart test
      hide EmailFrequency pref if RecordOutgoingEmail is off
      load current user on every request to keep the info up to date
      use CurrentUser->EmailAddress consistently
      test for updated email of current user
      typo fix: we use "var/mason_data" instead of "var/mason" like in jifty

-----------------------------------------------------------------------