[Rt-commit] rt annotated tag, rt-4.0.6rc1, created. rt-4.0.6rc1
Alex Vandiver
alexmv at bestpractical.com
Tue May 22 12:16:15 EDT 2012
The annotated tag, rt-4.0.6rc1 has been created
at 42e4237083acb677a58d6b7b46eb93ea5ccfe589 (tag)
tagging fa9c4b4b218ea231c048312a3ca0be76b3231a1e (commit)
replaces rt-4.0.5
tagged by Alex Vandiver
on Wed Apr 25 20:06:49 2012 -0400
- Log -----------------------------------------------------------------
release 4.0.6rc1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEABECAAYFAk+7acMACgkQMflWJZZAbqCLkQCdGvDzeSUUif31xk7wzGrc6ZAc
PzcAnRDF63OMECikYwSBAp+Hfz9lAhoU
=3otp
-----END PGP SIGNATURE-----
Alex Vandiver (114):
Remove unused GenericQueryArgs parameter
Similarly, there is no reason to configure AllowSorting
Disallow setting arbitrary titles
Disallow setting of roles via query params
Fix quoting in GetReferencedQueues to return useful keys in the hash
Only return queues which were referenced explicitly and positively
Rename cfqueues parameter to imply its more general utility
QueryBuilder: Limit possible owners based on selected queues
QueryBuilder: Limit possible statuses based on selected queues
Ensure that publicly cachable content does not contain Set-Cookie headers
Prevent actual error messages from propagating to the user
/Articles/Topics.html uses id= for topic ids, not article ids
Rework topic display to not make use of $m->print everywhere
Force numerical ID sorting in local tickets
Minor typo fix
Merge branch '4.0/remove-mailgate-html-error-deps' into 4.0-trunk
Merge branch '4.0/update-ticket-links-in-rest' into 4.0-trunk
Merge branch '4.0/ticket-forward-clobbers-subject' into 4.0-trunk
Remove dead code
Apply the code changes from this branch to the mobile version as well
Merge branch '4.0/selfservice-menu-adjustments' into 4.0-trunk
Merge branch '4.0/return-forcing-status-on-update' into 4.0-trunk
Merge branch '4.0/hide-new-ticket-selfservice' into 4.0-trunk
Merge branch '4.0/collect-warnings-in-end-block-not-GD' into 4.0-trunk
The incorrect additional / caused URI->rel to generate "///Articles/...."
Make Lifecycle ColumnMap display correctly in Queue admin lists
Add the lifecycle to the default queue display
Strip incorrect / -- WebURL is guaranteed to end with one already
Remove references to database versions which are below our minimums
Document that Oracle defaults to on-disk storage.
13c9428 half-added caching which couldn't work to %Queues; remove it
Note in UPGRADING the components touched as part of this branch
Hash defaults should always be lists, not single elements
Secure the bestpractical.com news portal request using HTTPS
Fix quoting of CF names which contained odder characters
Alter test comment to reflect the corrected code and test
Prevent "Useless use of string in void context" by grouping ok() parameters
Merge branch '4.0/rfc2231-param-continuations' into 4.0-trunk
Redirect should always take a full WebURL, not a WebPath
Provide more context to the AfterBasics callback
Catch warnings to STDERR when loading rt-server, for installer tests
Merge branch '4.0/warn-about-mod_fcgid' into 4.0-trunk
Merge branch '4.0/tickets-entryaggregator-none' into 4.0-trunk
Merge branch '4.0/squishing-doc-pointers' into 4.0-trunk
Test specifically for the article's link
Merge branch '4.0/rest-remove-link-validation' into 4.0-trunk
Merge branch '4.0/rest-load-ticket-cf-with-queue-limit' into 4.0-trunk
Merge branch '4.0/report-tickets-with-transactions-join' into 4.0-trunk
Merge branch '4.0/reminder-status-config' into 4.0-trunk
Move menu initialization earlier in HandleRequest
Remove extra SendSessionCookie() calls
Add basic HTTP_REFERER checking to prevent cross-site request forgery
Add a whitelist of idempotent request arguments
Whitelist some component (not request!) paths
Redirect to an interstitial page on CSRF attacks, rather than denying
Allow file uploads to persist across CSRF interstitial
Add optional CSRF login protection
Allow REST requests to function regardless of Referer header
Prevent storing the old or new hashed password in the transaction table
Clean out sensitive user transactions
Add a consistent CurrentUserCanSee right
Enable ACL checks for non-Ticket transactions
Remove unused $args and @arglist variables
Explicitly ACL ObjectCustomFieldValue content, based on the custom field object
There is no reason for ->NewValue and ->OldValue to skip ACLs via __Value
Ignore the local directory which contains additional, temporarily non-public tests
Ensure that the new /l_unsafe is protected from direct access as well
Add a note about the timeline on public announcements, tests, etc
Avoid shell interpolation when calling sendmailpipe
Always pass in status list to selfservice search
Update test to catch the new warning
Ensure that all joins through CachedGroupMembers limit to non-disabled rows
Load and Validate Custom Field Context Objects
When loading custom fields by queue, default the context object accordingly
Set context objects on CFs explicitly whenever possible
Reuse the same custom field object for checking for DateTime type
Merge branch 'security/4.0/vulnerable-passwords' into security/4.0-trunk
Merge branch 'security/4.0/escape-flags' into security/4.0-trunk
Merge branch 'security/4.0/mobile-xss' into security/4.0-trunk
Merge branch 'security/4.0/slash-l-xss' into security/4.0-trunk
Consistently escape all possibly suspect characters in JS strings
Merge branch 'security/4.0/xss' into security/4.0-trunk
Merge branch 'security/4.0/clickable-xss-links' into security/4.0-trunk
Merge branch 'security/4.0/mason-runtime-errors' into security/4.0-trunk
Merge branch 'security/4.0/scrub-class-id' into security/4.0-trunk
Merge branch 'security/4.0/articles-escaping' into security/4.0-trunk
Merge branch 'security/4.0/stricter-scrips-templates-acls' into security/4.0-trunk
Merge branch 'security/4.0/selfservice' into security/4.0-trunk
Merge branch 'security/4.0/shredder-dumps' into security/4.0-trunk
Merge branch 'security/4.0/attachments' into security/4.0-trunk
Merge branch 'security/4.0/cached-set-cookie' into security/4.0-trunk
Merge branch 'security/4.0/transaction-leak' into security/4.0-trunk
Merge branch 'security/4.0/csrf-referer' into security/4.0-trunk
Merge branch 'security/4.0/arbitrary-methods' into security/4.0-trunk
Merge branch 'security/4.0/disallow-execute-code' into security/4.0-trunk
Merge branch 'security/4.0/verp-code-execution' into security/4.0-trunk
Merge branch 'security/4.0/private-components' into security/4.0-trunk
Merge branch 'security/4.0/installmode' into security/4.0-trunk
Merge branch 'security/4.0/paging-injection' into security/4.0-trunk
Merge branch 'security/4.0/graphviz-escaping' into security/4.0-trunk
Merge branch 'security/4.0/custom-field-values' into security/4.0-trunk
Merge branch 'security/4.0/disabled-group-members' into security/4.0-trunk
Merge branch 'security/4.0/secure-portal-iframe' into security/4.0-trunk
Merge branch 'security/4.0/infrastructure' into security/4.0-trunk
Update test to account for new parameters
Make test-parallel's call to `perl -MApp::Prove` propagate back a useful error code
Remove an incorrect Disabled limit
Use l_unsafe, as $path_tag contains an unescaped <span>
Safety-checking on classes loaded with `eval "require $class"`
Merge branch '4.0/dashboard-chart-with-utf8' into 4.0-trunk
Merge branch '4.0/escape-username-in-login-tests' into 4.0-trunk
Merge branch '4.0/html-language-attributes' into 4.0-trunk
Merge branch '4.0/load-rt-links' into 4.0-trunk
Merge branch 'security/4.0-trunk' into 4.0-trunk
Jason May (8):
Do not copy reminder pointers when creating a linked ticket
Be more defensive when checking for ticket reminders
Preserve non-ticket links across cloning for RefersTo both ways
Test to ensure article links get preserved on a ticket clone
Respect Subject: lines in Forward Ticket templates
Use the correct value when checking for new changes for links in REST
Make 'New Ticket' a top-level SelfService menu item
When searching, skip empty OrderBy fields
Kevin Falcone (25):
Switch Users over to the NamePrefix used by every other CF
Encourage users to look in the logs when an error happens.
Merge branch '4.0/web-installer-tests' into 4.0-trunk
Merge branch '4.0/avoid-absolute-links' into 4.0-trunk
Merge branch '4.0/remove-unsupported-version-references' into 4.0-trunk
Remove a non-failing test
Merge branch '4.0/skip-empty-orderby-items' into 4.0-trunk
Merge branch '4.0/lifecycles-on-queue-admin' into 4.0-trunk
Merge branch '4.0.5-releng' into 4.0-trunk
Merge branch '4.0/pass-collections-to-display-callbacks' into 4.0-trunk
Merge branch '4.0/querybuilder-queue-limits' into 4.0-trunk
Merge branch '4.0/mysql-attribute-content-datatype' into 4.0-trunk
Merge branch '4.0/querybuilder-queue-limits' into 4.0-trunk
Fix a typo
Add a pointer to the developer methods.
Warn about the FcgidMaxRequestLen change in mod_fcgid 2.3.6
We did not find and upgrade passwords for disabled users.
Merge branch '4.0/argsref-on-ticket-create-callback' into 4.0-trunk
Terminate the request if there isn't a CustomField or Context Argument
Merge branch '4.0/remove-css3pie' into 4.0-trunk
Tell users and admins what Referrer we wanted
Merge branch '4.0/querybuilder-cf-name-quoting' into 4.0-trunk
Merge branch '4.0/parallel-test-exit-code' into 4.0-trunk
Merge branch '4.0/web-installer-warnings' into 4.0-trunk
Merge branch '4.0/redirect-web-url' into 4.0-trunk
Ruslan Zakirov (4):
show current status in the status dropdown on Update
we now display current value, fix tests
call ::Test::Web->no_warnings_ok before GD
failing test for fix in 4.0/skip-empty-orderby-items branch
Shawn M Moore (5):
Escape subject and links in /m/ticket/create
Escape the name of the predefined search that was not found
Escape save search names when we report errors about loading them
Explicitly pass the type of escaping we want to apply_escapes
Use loc for interpolation
Thomas Sibley (60):
Iterate attachments as the creator of the current transaction when sending mail
Ensure the empty CFVs collection never returns results after a failed rights check
Push id = 0 limits into an ACL subclause
Only run known formatters in RT::Date
Don't execute non-Perl templates in RT::Action::CreateTickets
Test decoding of MIME parameter value continuations
Test RFC 2231 parameter continuations with encoding in an attachment filename
Test that specials in MIME encoded words are treated as quoted
Remove unnecessary decoding since SetMIMEHeadToEncoding already handles it
DecodeMIMEWordsToEncoding takes a header value, not the full header
Cleanup a bogus duplicate parameter in tests
Replace our broken custom RFC 2231 support with MIME::Field::ParamVal
Note that we cannot do the refactor yet
Prevent user-controlled partial component paths from walking up directories
Make CheckIntegrity idempotent on a running install
Refuse to turn on InstallMode when we have database integrity
Installer: respect the RT_SITE_CONFIG environment variable
Provide a plack and inline test server variant that loads sbin/rt-server
Don't reconnect to the database under a plack server if the test asks for nodb
Provide a way to avoid dying if you specify nodb and start a server
Ensure testfiles that ask for no database don't inherit a previous database
Tests for the web installer
More thoroughly ignore DROP DATABASE errors when testing
Escape backslashes in text used for GraphViz input
Inherit from the normal autohandler chain when serving Shredder backups
Refactor HTML scrubbing to make it easier to customize what is allowed
Add a way to specify tag-specific attribute rules for scrubbing
Scrub class and id attributes from HTML instead of passing them through
Test that RT::Users->WhoHaveRight doesn't pick up disabled groups
Don't disconnect from the database after RT::Handle->InsertData in the web installer
Don't show a new ticket link if the user can't see any queues
Remove HTML::TreeBuilder and HTML::FormatText from rt-mailgate's deps
Merge branch '4.0/user-cf-autocomplete-on-create' into 4.0-trunk
Merge branch '4.0/link-sort-order' into 4.0-trunk
Merge branch '4.0/skip-reminders-on-ticket-clone' into 4.0-trunk
Add a comment explaining the addition of a z-index workaround
Merge branch '4.0/ie8-pie-css-fix' into 4.0-trunk
Merge branch '4.0/remove-dead-code' into 4.0-trunk
Let a few display callbacks access the found transactions and attachments
Remove 64kb length limit on Attributes.Content under MySQL
Document that 4.0.6 will require an ALTER TABLE
Typo fix in the just added UPGRADING doc
HTML escape the username when testing for successful log in
Load RT::Links on start
Merge branch '4.0/cli-show-ticket-attachment-uninitialized-warning-fix' into 4.0-trunk
Make ENTRYAGGREGATOR => 'none' work for RT::Tickets
Forbid javascript: and data: ticket links to avoid clickable XSS vectors
Escape all arguments passed to /l
Check ACLs on the receiving end when modifying a scrip's Queue or Template
Check ACLs on the receiving end when modifying a Template's Queue
RowsPerPage and FirstRow only accept natural numbers and undef
Require valid names for the format methods called by LocalizedDateTime
Validate the requested link types when graphing relationships
Explicitly override any Graph parameter passed into RT::Graph::Tickets
Permit <bdo> tags and the lang and dir attributes when displaying HTML
Prevent linking directly to CF values when the value is a data: URI
Escape width and wrap parameters when rendering a message box
Escape NamePrefix to avoid XSS if it's passed into EditCustomField
Close an XSS vector via BaseURL in collection lists
Update scrubber tests to expect lang attributes
ashley willis (1):
corrected "to be passing always be passing" --> "to always be passing" in docs/hacking.pod.
dhutty (1):
Typo
sunnavy (20):
fix the z-index issue of PIE
switch to relative links instead if it's local
replace WebURL with WebPath to make links relative
it's more clear to use URI->rel
tests for queue limits in query builder
more queue limit tests with "!=" or "OR" in sql
owner tests for queue limits in query builder
remove css3pie stuff as it brings more harm than good.
limit queue when loading ticket cf in REST.
$data{Queue} may be already moved to $v{Queue}
test cfs with same name in rest
forgot to delete devel/third-party/PIE_uncompressed.htc
fix an uninitialized warning when running "show ticket/ID/attachments/ID"
remove link validation in rest
cli link to articles test
URI before 1.59 has a bug when initialized with a decoded utf8 string.
test dashboard chart in email with utf8 query
make reminders open/resolve status configurable
use RT::Ticket as ObjectType when joining Transactions in RT::Report::Tickets
test RT::Report::Tickets with transactions join
-----------------------------------------------------------------------
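Several of the security/4.0 branches merged above (csrf-referer, and the follow-up commits "Add basic HTTP_REFERER checking", "Add a whitelist of idempotent request arguments", "Allow REST requests to function regardless of Referer header" and "Tell users and admins what Referrer we wanted") describe a Referer-based CSRF gate. The script below is an added illustration of that pattern and is not RT's code: the idempotent-argument whitelist, the REST path exemption, the trusted-host list and the function name csrf_reason are all assumptions made for the example, and the requests it checks are constructed.

```perl
#!/usr/bin/perl
# Added example, not RT's code: a Referer-based CSRF gate of the kind the
# csrf-referer commits describe. The argument whitelist, the REST exemption
# and the trusted-host list are assumptions for illustration.
use strict;
use warnings;
use URI;

# Request arguments that only select or sort, so a request carrying nothing
# else cannot change state and may be served without a Referer (assumed list).
my %IDEMPOTENT_ARGS = map { $_ => 1 } qw(id results Order OrderBy Rows Page Format);

# Returns '' when the request may proceed, otherwise a human-readable reason
# that names what we expected and what we actually received.
sub csrf_reason {
    my (%req) = @_;
    my $path    = $req{path} // '';
    my $args    = $req{args} // {};
    my @trusted = @{ $req{trusted_hosts} // [] };

    # REST clients authenticate on every request and rarely send a Referer.
    return '' if $path =~ m{\A/REST/};

    # Nothing to protect if every argument is on the idempotent whitelist.
    my @unsafe = sort grep { !$IDEMPOTENT_ARGS{$_} } keys %{$args};
    return '' unless @unsafe;

    my $referer = $req{referer};
    if (!defined $referer || $referer eq '') {
        return "missing Referer on a request to $path that sets @unsafe; "
             . "expected a Referer from one of: @trusted";
    }

    # Non-HTTP referers (e.g. "mailto:") have no host method; treat as no host.
    my $uri  = URI->new($referer);
    my $host = eval { $uri->host };
    $host = '' unless defined $host;

    for my $ok (@trusted) {
        return '' if lc($host) eq lc($ok);
    }
    return "Referer host '$host' is not one of: @trusted";
}

# Constructed requests for demonstration.
my @trusted  = ('rt.example.com');
my @requests = (
    { path => '/Ticket/Display.html', args => { id => 1 },
      referer => undef },                                          # read-only: allowed
    { path => '/Ticket/Update.html', args => { id => 1, Status => 'resolved' },
      referer => undef },                                          # no Referer: blocked
    { path => '/Ticket/Update.html', args => { id => 1, Status => 'resolved' },
      referer => 'http://evil.example.net/lure.html' },            # foreign host: blocked
    { path => '/Ticket/Update.html', args => { id => 1, Status => 'resolved' },
      referer => 'https://rt.example.com/Ticket/Display.html?id=1' },  # same site: allowed
    { path => '/REST/1.0/ticket/1/edit', args => { content => 'Status: open' },
      referer => undef },                                          # REST: allowed
);
for my $r (@requests) {
    my $why = csrf_reason(%$r, trusted_hosts => \@trusted);
    printf "%-32s %s\n", $r->{path}, $why eq '' ? 'allowed' : "blocked: $why";
}
```

Two caveats a deployer should keep in mind: browsers and privacy proxies may strip the Referer entirely, which is why the commits above route such requests to an interstitial page rather than denying them outright, and a Referer check is a complement to, not a replacement for, per-session anti-CSRF tokens.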
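Four other one-line summaries in the log describe input-validation fixes: "Prevent user-controlled partial component paths from walking up directories", "Safety-checking on classes loaded with `eval "require $class"`", "RowsPerPage and FirstRow only accept natural numbers and undef", and "Forbid javascript: and data: ticket links to avoid clickable XSS vectors". The script below is an added example of each pattern and is not RT's code: the function names, the base directory, the list of loadable classes (core modules stand in for an application's real classes) and the URL scheme allowlist are assumptions for illustration, and the inputs fed to them are constructed.

```perl
#!/usr/bin/perl
# Added example, not RT's code: validation patterns matching four fixes in
# the log above. Function names, the base directory, the loadable-class set
# and the scheme allowlist are assumptions for illustration.
use strict;
use warnings;
use Carp qw(croak);

# A user-controlled fragment selects a component below a fixed directory.
# Accept only relative paths made of plain segments; "..", ".", "//", a
# leading "/" or a NUL byte are all refused rather than normalised.
sub safe_component_path {
    my ($base, $fragment) = @_;
    return undef unless defined $fragment && length $fragment;
    return undef if $fragment =~ m{\A/} || $fragment =~ /\0/;
    for my $seg (split m{/}, $fragment, -1) {    # -1 keeps a trailing empty field
        return undef unless $seg =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    }
    return "$base/$fragment";
}

# Only a syntactically valid package name from a known set reaches the string
# eval, so the eval never interpolates attacker-controlled text.
my %LOADABLE = map { $_ => 1 } qw(List::Util Scalar::Util);   # assumed stand-ins
sub load_class {
    my ($class) = @_;
    return 0 unless defined $class
        && $class =~ /\A[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*\z/
        && $LOADABLE{$class};
    return (eval "require $class; 1") ? 1 : 0;
}

# Paging parameters: an unsigned decimal integer, or undef meaning "use the
# default"; anything else ("0x10", "1e3", "10 OR 1=1") is an error, not a default.
sub natural_or_undef {
    my ($name, $value) = @_;
    return undef unless defined $value && length $value;
    croak "$name must be a natural number, got '$value'"
        unless $value =~ /\A[0-9]+\z/;
    return 0 + $value;
}

# Link targets become clickable hrefs; allow only schemes that cannot run
# script. Control characters and spaces are stripped from the probe copy first
# because browsers ignore them inside a scheme ("java\tscript:" still runs).
my %SAFE_SCHEME = map { $_ => 1 } qw(http https ftp mailto);   # assumed allowlist
sub safe_link_target {
    my ($url) = @_;
    return undef unless defined $url;
    (my $probe = $url) =~ s/[\x00-\x20]//g;
    if ($probe =~ /\A([A-Za-z][A-Za-z0-9+.-]*):/) {
        return undef unless $SAFE_SCHEME{ lc $1 };
    }
    return $url;   # relative targets and allowlisted schemes pass through
}

# Constructed inputs for demonstration.
for my $frag ('Elements/ShowUser', '../../../etc/passwd', 'Elements//x', '/abs') {
    printf "component %-24s => %s\n", "'$frag'",
        safe_component_path('/srv/app/html', $frag) // 'REJECTED';
}
for my $class ('List::Util', 'Some::Other::Class', 'List::Util; system("id")') {
    printf "class     %-28s => %s\n", "'$class'", load_class($class) ? 'loaded' : 'REJECTED';
}
for my $v (undef, '25', '0', '-1', '10 OR 1=1') {
    my $got = eval { natural_or_undef('RowsPerPage', $v) };
    printf "paging    %-12s => %s\n", defined $v ? "'$v'" : 'undef',
        $@ ? 'REJECTED' : (defined $got ? $got : 'default');
}
for my $link ('https://example.com/', '/Ticket/Display.html?id=1',
              'javascript:alert(1)', " java\tscript:alert(1)", 'data:text/html,x') {
    printf "link      %-30s => %s\n", "'$link'", safe_link_target($link) // 'REJECTED';
}
```

The common thread is to validate against a strict positive grammar (an allowlist) and reject everything else, rather than trying to strip or normalise the dangerous cases one at a time; the link check in particular uses a scheme allowlist because a blocklist of "javascript" and "data" misses variants with embedded whitespace or unusual casing.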