[Rt-commit] rt annotated tag, rt-4.0.6rc1, created. rt-4.0.6rc1

Alex Vandiver alexmv at bestpractical.com
Tue May 22 12:16:15 EDT 2012


The annotated tag, rt-4.0.6rc1 has been created
        at  42e4237083acb677a58d6b7b46eb93ea5ccfe589 (tag)
   tagging  fa9c4b4b218ea231c048312a3ca0be76b3231a1e (commit)
  replaces  rt-4.0.5
 tagged by  Alex Vandiver
        on  Wed Apr 25 20:06:49 2012 -0400

- Log -----------------------------------------------------------------
release 4.0.6rc1

Alex Vandiver (114):
      Remove unused GenericQueryArgs parameter
      Similarly, there is no reason to configure AllowSorting
      Disallow setting arbitrary titles
      Disallow setting of roles via query params
      Fix quoting in GetReferencedQueues to return useful keys in the hash
      Only return queues which were referenced explicitly and positively
      Rename cfqueues parameter to imply its more general utility
      QueryBuilder: Limit possible owners based on selected queues
      QueryBuilder: Limit possible statuses based on selected queues
      Ensure that publicly cachable content does not contain Set-Cookie headers
      Prevent actual error messages from propagating to the user
      /Articles/Topics.html uses id= for topic ids, not article ids
      Rework topic display to not make use of $m->print everywhere
      Force numerical ID sorting in local tickets
      Minor typo fix
      Merge branch '4.0/remove-mailgate-html-error-deps' into 4.0-trunk
      Merge branch '4.0/update-ticket-links-in-rest' into 4.0-trunk
      Merge branch '4.0/ticket-forward-clobbers-subject' into 4.0-trunk
      Remove dead code
      Apply the code changes from this branch to the mobile version as well
      Merge branch '4.0/selfservice-menu-adjustments' into 4.0-trunk
      Merge branch '4.0/return-forcing-status-on-update' into 4.0-trunk
      Merge branch '4.0/hide-new-ticket-selfservice' into 4.0-trunk
      Merge branch '4.0/collect-warnings-in-end-block-not-GD' into 4.0-trunk
      The incorrect additional / caused URI->rel to generate "///Articles/...."
      Make Lifecycle ColumnMap display correctly in Queue admin lists
      Add the lifecycle to the default queue display
      Strip incorrect / -- WebURL is guaranteed to end with one already
      Remove references to database versions which are below our minimums
      Document that Oracle defaults to on-disk storage.
      13c9428 half-added caching which couldn't work to %Queues; remove it
      Note in UPGRADING the components touched as part of this branch
      Hash defaults should always be lists, not single elements
      Secure the bestpractical.com news portal request using HTTPS
      Fix quoting of CF names which contained odder characters
      Alter test comment to reflect the corrected code and test
      Prevent "Useless use of string in void context" by grouping ok() parameters
      Merge branch '4.0/rfc2231-param-continuations' into 4.0-trunk
      Redirect should always take a full WebURL, not a WebPath
      Provide more context to the AfterBasics callback
      Catch warnings to STDERR when loading rt-server, for installer tests
      Merge branch '4.0/warn-about-mod_fcgid' into 4.0-trunk
      Merge branch '4.0/tickets-entryaggregator-none' into 4.0-trunk
      Merge branch '4.0/squishing-doc-pointers' into 4.0-trunk
      Test specifically for the article's link
      Merge branch '4.0/rest-remove-link-validation' into 4.0-trunk
      Merge branch '4.0/rest-load-ticket-cf-with-queue-limit' into 4.0-trunk
      Merge branch '4.0/report-tickets-with-transactions-join' into 4.0-trunk
      Merge branch '4.0/reminder-status-config' into 4.0-trunk
      Move menu initialization earlier in HandleRequest
      Remove extra SendSessionCookie() calls
      Add basic HTTP_REFERER checking to prevent cross-site request forgery
      Add a whitelist of idempotent request arguments
      Whitelist some component (not request!) paths
      Redirect to an interstitial page on CSRF attacks, rather than denying
      Allow file uploads to persist across CSRF interstitial
      Add optional CSRF login protection
      Allow REST requests to function regardless of Referer header
      Prevent storing the old or new hashed password in the transaction table
      Clean out sensitive user transactions
      Add a consistent CurrentUserCanSee right
      Enable ACL checks for non-Ticket transactions
      Remove unused $args and @arglist variables
      Explicitly ACL ObjectCustomFieldValue content, based on the custom field object
      There is no reason for ->NewValue and ->OldValue to skip ACLs via __Value
      Ignore the local directory which contains additional, temporarily non-public tests
      Ensure that the new /l_unsafe is protected from direct access as well
      Add a note about the timeline on public announcements, tests, etc
      Avoid shell interpolation when calling sendmailpipe
      Always pass in status list to selfservice search
      Update test to catch the new warning
      Ensure that all joins through CachedGroupMembers limits to non-disabled rows
      Load and Validate Custom Field Context Objects
      When loading custom fields by queue, default the context object accordingly
      Set context objects on CFs explicitly whenever possible
      Reuse the same custom field object for checking for DateTime type
      Merge branch 'security/4.0/vulnerable-passwords' into security/4.0-trunk
      Merge branch 'security/4.0/escape-flags' into security/4.0-trunk
      Merge branch 'security/4.0/mobile-xss' into security/4.0-trunk
      Merge branch 'security/4.0/slash-l-xss' into security/4.0-trunk
      Consistently escape all possibly suspect characters in JS strings
      Merge branch 'security/4.0/xss' into security/4.0-trunk
      Merge branch 'security/4.0/clickable-xss-links' into security/4.0-trunk
      Merge branch 'security/4.0/mason-runtime-errors' into security/4.0-trunk
      Merge branch 'security/4.0/scrub-class-id' into security/4.0-trunk
      Merge branch 'security/4.0/articles-escaping' into security/4.0-trunk
      Merge branch 'security/4.0/stricter-scrips-templates-acls' into security/4.0-trunk
      Merge branch 'security/4.0/selfservice' into security/4.0-trunk
      Merge branch 'security/4.0/shredder-dumps' into security/4.0-trunk
      Merge branch 'security/4.0/attachments' into security/4.0-trunk
      Merge branch 'security/4.0/cached-set-cookie' into security/4.0-trunk
      Merge branch 'security/4.0/transaction-leak' into security/4.0-trunk
      Merge branch 'security/4.0/csrf-referer' into security/4.0-trunk
      Merge branch 'security/4.0/arbitrary-methods' into security/4.0-trunk
      Merge branch 'security/4.0/disallow-execute-code' into security/4.0-trunk
      Merge branch 'security/4.0/verp-code-execution' into security/4.0-trunk
      Merge branch 'security/4.0/private-components' into security/4.0-trunk
      Merge branch 'security/4.0/installmode' into security/4.0-trunk
      Merge branch 'security/4.0/paging-injection' into security/4.0-trunk
      Merge branch 'security/4.0/graphviz-escaping' into security/4.0-trunk
      Merge branch 'security/4.0/custom-field-values' into security/4.0-trunk
      Merge branch 'security/4.0/disabled-group-members' into security/4.0-trunk
      Merge branch 'security/4.0/secure-portal-iframe' into security/4.0-trunk
      Merge branch 'security/4.0/infrastructure' into security/4.0-trunk
      Update test to account for new parameters
      Make test-parallel's call to `perl -MApp::Prove` propagate back a useful error code
      Remove an incorrect Disabled limit
      Use l_unsafe, as $path_tag contains an unescaped <span>
      Safety-checking on classes loaded with `eval "require $class"`
      Merge branch '4.0/dashboard-chart-with-utf8' into 4.0-trunk
      Merge branch '4.0/escape-username-in-login-tests' into 4.0-trunk
      Merge branch '4.0/html-language-attributes' into 4.0-trunk
      Merge branch '4.0/load-rt-links' into 4.0-trunk
      Merge branch 'security/4.0-trunk' into 4.0-trunk

Jason May (8):
      Do not copy reminder pointers when creating a linked ticket
      Be more defensive when checking for ticket reminders
      Preserve non-ticket links across cloning for RefersTo both ways
      Test to ensure article links get preserved on a ticket clone
      Respect Subject: lines in Forward Ticket templates
      Use the correct value when checking for new changes for links in REST
      Make 'New Ticket' a top-level SelfService menu item
      When searching, skip empty OrderBy fields

Kevin Falcone (25):
      Switch Users over to the NamePrefix used by every other CF
      Encourage users to look in the logs when an error happens.
      Merge branch '4.0/web-installer-tests' into 4.0-trunk
      Merge branch '4.0/avoid-absolute-links' into 4.0-trunk
      Merge branch '4.0/remove-unsupported-version-references' into 4.0-trunk
      Remove a non-failing test
      Merge branch '4.0/skip-empty-orderby-items' into 4.0-trunk
      Merge branch '4.0/lifecycles-on-queue-admin' into 4.0-trunk
      Merge branch '4.0.5-releng' into 4.0-trunk
      Merge branch '4.0/pass-collections-to-display-callbacks' into 4.0-trunk
      Merge branch '4.0/querybuilder-queue-limits' into 4.0-trunk
      Merge branch '4.0/mysql-attribute-content-datatype' into 4.0-trunk
      Merge branch '4.0/querybuilder-queue-limits' into 4.0-trunk
      Fix a typo
      Add a pointer to the developer methods.
      Warn about the FcgidMaxRequestLen change in mod_fcgid 2.3.6
      We did not find and upgrade passwords for disabled users.
      Merge branch '4.0/argsref-on-ticket-create-callback' into 4.0-trunk
      Terminate the request if there isn't a CustomField or Context Argument
      Merge branch '4.0/remove-css3pie' into 4.0-trunk
      Tell users and admins what Referrer we wanted
      Merge branch '4.0/querybuilder-cf-name-quoting' into 4.0-trunk
      Merge branch '4.0/parallel-test-exit-code' into 4.0-trunk
      Merge branch '4.0/web-installer-warnings' into 4.0-trunk
      Merge branch '4.0/redirect-web-url' into 4.0-trunk

Ruslan Zakirov (4):
      show current status in the status dropdown on Update
      we now display current value, fix tests
      call ::Test::Web->no_warnings_ok before GD
      failing test for fix in 4.0/skip-empty-orderby-items branch

Shawn M Moore (5):
      Escape subject and links in /m/ticket/create
      Escape the name of the predefined search that was not found
      Escape save search names when we report errors about loading them
      Explicitly pass the type of escaping we want to apply_escapes
      Use loc for interpolation

Thomas Sibley (60):
      Iterate attachments as the creator of the current transaction when sending mail
      Ensure the empty CFVs collection never returns results after a failed rights check
      Push id = 0 limits into an ACL subclause
      Only run known formatters in RT::Date
      Don't execute non-Perl templates in RT::Action::CreateTickets
      Test decoding of MIME parameter value continuations
      Test RFC 2231 parameter continuations with encoding in an attachment filename
      Test that specials in MIME encoded words are treated as quoted
      Remove unnecessary decoding since SetMIMEHeadToEncoding already handles it
      DecodeMIMEWordsToEncoding takes a header value, not the full header
      Cleanup a bogus duplicate parameter in tests
      Replace our broken custom RFC 2231 support with MIME::Field::ParamVal
      Note that we cannot do the refactor yet
      Prevent user-controlled partial component paths from walking up directories
      Make CheckIntegrity idempotent on a running install
      Refuse to turn on InstallMode when we have database integrity
      Installer: respect the RT_SITE_CONFIG environment variable
      Provide a plack and inline test server variant that loads sbin/rt-server
      Don't reconnect to the database under a plack server if the test asks for nodb
      Provide a way to avoid dying if you specify nodb and start a server
      Ensure testfiles that ask for no database don't inherit a previous database
      Tests for the web installer
      More thoroughly ignore DROP DATABASE errors when testing
      Escape backslashes in text used for GraphViz input
      Inherit from the normal autohandler chain when serving Shredder backups
      Refactor HTML scrubbing to make it easier to customize what is allowed
      Add a way to specify tag-specific attribute rules for scrubbing
      Scrub class and id attributes from HTML instead of passing them through
      Test that RT::Users->WhoHaveRight doesn't pick up disabled groups
      Don't disconnect from the database after RT::Handle->InsertData in the web installer
      Don't show a new ticket link if the user can't see any queues
      Remove HTML::TreeBuilder and HTML::FormatText from rt-mailgate's deps
      Merge branch '4.0/user-cf-autocomplete-on-create' into 4.0-trunk
      Merge branch '4.0/link-sort-order' into 4.0-trunk
      Merge branch '4.0/skip-reminders-on-ticket-clone' into 4.0-trunk
      Add a comment explaining the addition of a z-index workaround
      Merge branch '4.0/ie8-pie-css-fix' into 4.0-trunk
      Merge branch '4.0/remove-dead-code' into 4.0-trunk
      Let a few display callbacks access the found transactions and attachments
      Remove 64kb length limit on Attributes.Content under MySQL
      Document that 4.0.6 will require an ALTER TABLE
      Typo fix in the just added UPGRADING doc
      HTML escape the username when testing for successful log in
      Load RT::Links on start
      Merge branch '4.0/cli-show-ticket-attachment-uninitialized-warning-fix' into 4.0-trunk
      Make ENTRYAGGREGATOR => 'none' work for RT::Tickets
      Forbid javascript: and data: ticket links to avoid clickable XSS vectors
      Escape all arguments passed to /l
      Check ACLs on the receiving end when modifying a scrip's Queue or Template
      Check ACLs on the receiving end when modifying a Template's Queue
      RowsPerPage and FirstRow only accept natural numbers and undef
      Require valid names for the format methods called by LocalizedDateTime
      Validate the requested link types when graphing relationships
      Explicitly override any Graph parameter passed into RT::Graph::Tickets
      Permit <bdo> tags and the lang and dir attributes when displaying HTML
      Prevent linking directly to CF values when the value is a data: URI
      Escape width and wrap parameters when rendering a message box
      Escape NamePrefix to avoid XSS if it's passed into EditCustomField
      Close an XSS vector via BaseURL in collection lists
      Update scrubber tests to expect lang attributes

ashley willis (1):
      corrected "to be passing always be passing" --> "to always be passing" in docs/hacking.pod.

dhutty (1):
      Typo

sunnavy (20):
      fix the z-index issue of PIE
      switch to relative links instead if it's local
      replace WebURL with WebPath to make links relative
      it's more clear to use URI->rel
      tests for queue limits in query builder
      more queue limit tests with "!=" or "OR" in sql
      owner tests for queue limits in query builder
      remove css3pie stuff as it brings more harm than good.
      limit queue when loading ticket cf in REST.
      $data{Queue} may already be moved to $v{Queue}
      test cfs with same name in rest
      forgot to delete devel/third-party/PIE_uncompressed.htc
      fix an uninitialized warning when running "show ticket/ID/attachments/ID"
      remove link validation in rest
      cli link to articles test
      URI before 1.59 has a bug when initialized with decoded utf8 string.
      test dashboard chart in email with utf8 query
      make reminders open/resolve status configurable
      use RT::Ticket as ObjectType when joining Transactions in RT::Report::Tickets
      test RT::Report::Tickets with transactions join

-----------------------------------------------------------------------