[Rt-commit] rt annotated tag, rt-4.0.13, created. rt-4.0.13

Thomas Sibley trs at bestpractical.com
Wed May 22 14:37:27 EDT 2013


The annotated tag, rt-4.0.13 has been created
        at  6812b122cee71938e28d89a29928eac3472f147b (tag)
   tagging  90b6e7cb80c686b6bf41067029e75914748a4525 (commit)
  replaces  rt-4.0.12
 tagged by  Thomas Sibley
        on  Tue May 21 15:29:13 2013 -0700

- Log -----------------------------------------------------------------
release 4.0.13
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQBRm/U5Hdv9ZfNcOAcRAgw3AJ9JAd5tVl4Kc0uhz6gdMoM1gn5f8QCghkk6
5xFWNrngSuHMmFGytRJxkWk=
=oi5X
-----END PGP SIGNATURE-----

Alex Vandiver (14):
      Ensure that filenames in inline image attributes are HTML-escaped
      Deny direct access to callbacks
      Protect calls to $m->comp with user input in ColumnMap
      Remove filename= suggestions from Content-Disposition lines
      Ensure consistent escaping of filenames in attachment URIs
      Ensure that URLs placed in HTML attributes are escaped correctly, to prevent XSS injection
      Ensure that the default replacement does not pass through unescaped content
      Use File::Temp for non-predictable temporary filenames
      Canonicalize on lower-case for statuses, which are now case-insensitive
      Merge two loops over %LIFECYCLES_CACHE into one
      Force statuses to lower-case in lifecycles, to match ticket statuses
      Preserve original case of defined statuses
      Provide warnings of lifecycle misconfigurations
      Ensure that subjects cannot contain embedded newlines

Thomas Sibley (12):
      Instantiate new sessions on logout as well as deleting the old one
      Instantiate a new session if the session doesn't match the ID we loaded it by
      Merge remote-tracking branch 'private/security/4.0/rt-predictable-tmpfile' into security/4.0.13-releng
      Merge remote-tracking branch 'private/security/4.0/protect-columnmap-comp' into security/4.0.13-releng
      Merge remote-tracking branch 'private/security/4.0/escape-attachment-filename' into security/4.0.13-releng
      Merge remote-tracking branch 'private/security/4.0/deny-direct-callback-access' into security/4.0.13-releng
      Merge remote-tracking branch 'private/security/4.0/attachment-filename-escaping' into security/4.0.13-releng
      Merge remote-tracking branch 'private/security/4.0/subject-newlines' into security/4.0.13-releng
      Merge remote-tracking branch 'private/security/4.0/instantiate-new-session-on-logout' into security/4.0.13-releng
      Merge remote-tracking branch 'private/security/4.0/escape-makeclicky' into security/4.0.13-releng
      Merge remote-tracking branch 'private/security/4.0/status-casing' into security/4.0.13-releng
      Correct a typo in a lifecycle lint warning message

-----------------------------------------------------------------------

