[Rt-commit] rt annotated tag, rt-3.8.12, created. rt-3.8.12
Alex Vandiver
alexmv at bestpractical.com
Tue May 22 12:16:15 EDT 2012
The annotated tag, rt-3.8.12 has been created
at f73a0545274ef887bfc67d468dc366974bfd48bc (tag)
tagging 488f351cb105ef21f6952b14fb8ec1a1aa630967 (commit)
replaces rt-3.8.11
tagged by Alex Vandiver
on Tue May 22 09:11:48 2012 -0400
- Log -----------------------------------------------------------------
release 3.8.12
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEABECAAYFAk+7kJQACgkQMflWJZZAbqDmggCdHvePxpgPCk08ewWUJjEmJF/q
dUUAoIYDFQXdaUy0tiVKt5PcDxQU4syX
=LNNJ
-----END PGP SIGNATURE-----
Alex Vandiver (76):
Merge branch '3.8.11-releng' into 3.8-trunk
Ignore the local directory which contains additional, temporarily non-public tests
Pull back docs/security.pod from 4.0-trunk
Add a note about the timeline on public announcements, tests, etc
Avoid shell interpolation when calling sendmailpipe
Merge branch '3.8/transaction-batch-twice' into 3.8-trunk
Prevent storing the old or new hashed password in the transaction table
Clean out sensitive user transactions
Add a consistent CurrentUserCanSee right
Enable ACL checks for non-Ticket transactions
Remove unused $args and @arglist variables
Explicitly ACL ObjectCustomFieldValue content, based on the custom field object
There is no reason for ->NewValue and ->OldValue to skip ACLs via __Value
Prevent actual error messages from propagating to the user
Remove extra SendSessionCookie() calls
Add basic HTTP_REFERER checking to prevent cross-site request forgery
Whitelist some component (not request!) paths
Redirect to an interstitial page on CSRF attacks, rather than denying
Ensure that publicly cachable content does not contain Set-Cookie headers
Allow file uploads to persist across CSRF interstitial
Add optional CSRF login protection
Allow REST requests to function regardless of Referer header
Ensure that the new /l_unsafe is protected from direct access as well
Overhaul what CSS we allow in style attributes to be safer *and* more useful
Remove unused GenericQueryArgs parameter
Similarly, there is no reason to configure AllowSorting
Disallow setting arbitrary titles
Disallow setting of roles via query params
Always pass in status list to selfservice search
Add a test to verify binary attachments round-trip
Terminate the request if there isn't a CustomField or Context Argument
Load and Validate Custom Field Context Objects
When loading custom fields by queue, default the context object accordingly
Set context objects on CFs explicitly whenever possible
Consistently escape all possibly suspect characters in JS strings
Merge branch 'security/3.8/vulnerable-passwords' into security/3.8-trunk
Merge branch 'security/3.8/escape-flags' into security/3.8-trunk
Merge branch 'security/3.8/slash-l-xss' into security/3.8-trunk
Merge branch 'security/3.8/xss' into security/3.8-trunk
Merge branch 'security/3.8/clickable-xss-links' into security/3.8-trunk
Merge branch 'security/3.8/mason-runtime-errors' into security/3.8-trunk
Merge branch 'security/3.8/scrub-class-id' into security/3.8-trunk
Merge branch 'security/3.8/stricter-scrips-templates-acls' into security/3.8-trunk
Merge branch 'security/3.8/selfservice' into security/3.8-trunk
Merge branch 'security/3.8/shredder-dumps' into security/3.8-trunk
Merge branch 'security/3.8/attachments' into security/3.8-trunk
Merge branch 'security/3.8/cached-set-cookie' into security/3.8-trunk
Merge branch 'security/3.8/transaction-leak' into security/3.8-trunk
Merge branch 'security/3.8/csrf-referer' into security/3.8-trunk
Merge branch 'security/3.8/arbitrary-methods' into security/3.8-trunk
Merge branch 'security/3.8/verp-code-execution' into security/3.8-trunk
Merge branch 'security/3.8/private-components' into security/3.8-trunk
Merge branch 'security/3.8/installmode' into security/3.8-trunk
Merge branch 'security/3.8/paging-injection' into security/3.8-trunk
Merge branch 'security/3.8/graphviz-escaping' into security/3.8-trunk
Merge branch 'security/3.8/custom-field-values' into security/3.8-trunk
Ensure that all joins through CachedGroupMembers limit to non-disabled rows
Merge branch 'security/3.8/disabled-group-members' into security/3.8-trunk
Merge branch 'security/3.8/infrastructure' into security/3.8-trunk
Remove an incorrect Disabled limit
Safety-checking on classes loaded with `eval "require $class"`
$r->path_info is not reliable; use the request_comp's path
$r->path_info is not reliable; use the full URI
Fix a simple typo
Allow the homepage refresh argument as an idempotent query parameter
Abstract out creation of request tokens which bypass CSRF
Rename LogoutURL to the more general-use RefreshURL
Set the refresh URL on ticket results to a CSRF-safe one
Clean up the error message in a common case of no explicit whitelisted hosts
Merge branch 'security/3.8/interstitial-path' into security/3.8-trunk
Merge branch 'security/3.8/refresh-csrf' into security/3.8-trunk
Merge branch 'security/3.8/whitelist-csrf-referrer' into security/3.8-trunk
Only enable CSRF argument stashing in refresh URL if CSRF is enabled
AddAttachments must use $RT::SystemUser when searching for attachments to use
Ensure that updated session is sent to clients after external auth
Version bump for 3.8.12
Dominic Hargreaves (1):
Correct 'warn' log method to warning
Jesse Vincent (1):
Move the meat of ScrubHTML into RT::Interface::Web::ScrubHTML
Kevin Falcone (13):
TransactionBatch scrips are triggered twice
We were running afoul of DBIx::SearchBuilder::Record::Cachable
Add a test that confirms that the CurrentUser isn't changed
Stop TransactionBatch scrips from running twice.
Push this logic down into Prepare and Commit
Confirm that our Priority is 0
Merge branch '3.8/upgrade-prototype.js' into 3.8-trunk
We did not find and upgrade passwords for disabled users.
Tell users and admins what Referrer we wanted
Encourage users to look in the logs when an error happens.
Switch to our so that extensions can whitelist components
Add a new ReferrerWhitelist config option
Document how to pull from the error into the config
Shawn M Moore (1):
Explicitly pass the type of escaping we want to apply_escapes
Thomas Sibley (28):
Merge branch '3.8/ie7js-cleanup' into 3.8-trunk
Merge branch '3.8/topactions-form-css-fix' into 3.8-trunk
Escape all arguments passed to /l
Only run known formatters in RT::Date
Require valid names for the format methods called by LocalizedDateTime
Validate the requested link types when graphing relationships
Explicitly override any Graph parameter passed into RT::Graph::Tickets
Prevent user-controlled partial component paths from walking up directories
Make CheckIntegrity idempotent on a running install
Refuse to turn on InstallMode when we have database integrity
Iterate attachments as the creator of the current transaction when sending mail
Forbid javascript: and data: ticket links to avoid clickable XSS vectors
Escape backslashes in text used for GraphViz input
Check ACLs on the receiving end when modifying a scrip's Queue or Template
Check ACLs on the receiving end when modifying a Template's Queue
Allow blockquotes in our HTML so quote folding works
RowsPerPage and FirstRow only accept natural numbers and undef
Refactor HTML scrubbing to make it easier to customize what is allowed
Add a way to specify tag-specific attribute rules for scrubbing
Scrub class and id attributes from HTML instead of passing them through
Inherit from the normal autohandler chain when serving Shredder backups
Ensure the empty CFVs collection never returns results after a failed rights check
Push id = 0 limits into an ACL subclause
Prevent linking directly to CF values when the value is a data: URI
Escape wrap parameter when rendering a message box
Escape NamePrefix to avoid XSS if it's passed into EditCustomField
Close an XSS vector via BaseURL in collection lists
Test that RT::Users->WhoHaveRight doesn't pick up disabled groups
Wes (1):
older version of prototype.js breaks the incorporation of google charts api into RT, consider including 1.7 (11/2010 version).
sunnavy (3):
make *all* the forms in topactions float, see also #12796
topactions css lives in layout.css
we don't use ie7.js any more
-----------------------------------------------------------------------