[Rt-commit] rt branch, 4.2/new-default-options, updated. rt-4.0.6-447-gc9b8542
Thomas Sibley
trs at bestpractical.com
Sat Sep 29 01:53:17 EDT 2012
The branch, 4.2/new-default-options has been updated
via c9b8542e85df0365b284c94b2616b9362731fe24 (commit)
from 3c6af070008c4153b47f3a4fd0afd35c00352a65 (commit)
Summary of changes:
docs/UPGRADING-4.2 | 6 ++++++
etc/RT_Config.pm.in | 7 +++++--
2 files changed, 11 insertions(+), 2 deletions(-)
- Log -----------------------------------------------------------------
commit c9b8542e85df0365b284c94b2616b9362731fe24
Author: Thomas Sibley <trs at bestpractical.com>
Date: Fri Sep 28 22:20:55 2012 -0700
Strict validation of user email addresses
Enable $ValidateUserEmailAddresses by default for security and data integrity
going forward. This option was introduced early in the 3.8 series and
remained off for backwards compatibility. It was overlooked during the
run-up to 4.0, and thus remained off until now.
diff --git a/docs/UPGRADING-4.2 b/docs/UPGRADING-4.2
index f5d55ce..43317d5 100644
--- a/docs/UPGRADING-4.2
+++ b/docs/UPGRADING-4.2
@@ -7,3 +7,9 @@ UPGRADING FROM RT 4.0.0 and greater
* Rich text (HTML) messages are now preferred for display. If you prefer plain
text messages, set $PreferRichText to 0.
+
+* User email addresses are now validated by default and multiple,
+ comma-separated addresses for a single user are no longer allowed. Existing
+ users with invalid addresses will continue to work until the next time they
+ are updated by an administrator on the modify user page. If you prefer no
+ address validation, set $ValidateUserEmailAddresses to 0.
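Review bot: The added UPGRADING entry says existing users with invalid addresses "will continue to work until the next time they are updated by an administrator on the modify user page", but it does not say what happens at that point or how an administrator can find the affected users beforehand. Suggest stating the outcome explicitly (for example, that the update is rejected until the address is corrected, if that is the behavior) and clarifying whether the modify user page is the only update path where validation applies. Since comma-separated addresses are no longer allowed, a short hint on what to do with users that currently carry several addresses would also help people upgrading.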
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index adc57e0..f394060 100755
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -415,13 +415,16 @@ Set($CanonicalizeOnCreate, 0);
=item C<$ValidateUserEmailAddresses>
-If C<$ValidateUserEmailAddresses> is 1, RT will refuse to create
+By default C<$ValidateUserEmailAddresses> is 1, and RT will refuse to create
users with an invalid email address (as specified in RFC 2822) or with
an email address made of multiple email addresses.
+Set this to 0 to skip any email address validation. Doing so may open up
+vulnerabilities.
+
=cut
-Set($ValidateUserEmailAddresses, undef);
+Set($ValidateUserEmailAddresses, 1);
=item C<@MailPlugins>
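Review bot: The new POD sentence "Doing so may open up vulnerabilities" is too vague for an administrator deciding whether to set the option to 0; name the class of risk or point to where it is documented. The description above it also still says RT will only "refuse to create" users, while the UPGRADING entry in this same commit says existing users are validated when they are next updated, so the POD should mention updates as well. Minor wording: "skip any email address validation" reads better as "skip all email address validation".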
-----------------------------------------------------------------------