[Rt-commit] rt branch, 3.8-trunk, updated. rt-3.8.16-19-g91d83d3

Thomas Sibley trs at bestpractical.com
Wed May 22 15:45:53 EDT 2013


The branch, 3.8-trunk has been updated
       via  91d83d3713e4903c470f585542ed259b9d9bb928 (commit)
       via  201cc3405e2c133c09a26ec8e1f9a6ef74fe866c (commit)
       via  c1b9a4a0cfbb6db78ed8b6f255dc41bd226995b7 (commit)
       via  31440edc5b59dfee96e903ce9400ee354299894d (commit)
       via  82c59453776390a1e70162a0b31386af27fdeea7 (commit)
       via  0c37bfdf2146d07253564bfad3b9238478a97783 (commit)
       via  7b6583c6546f297c5d34127f5cde7eb9cbb8eff0 (commit)
       via  23a1e4d4481f0a742a7774e811c28a21879aa45f (commit)
       via  b7d7ba365f99a72528ac763dddb96a142131c4b7 (commit)
       via  f1e5e67a7299c850584c814ebef9807aeeec932e (commit)
       via  3a23d71a9e5a9da856d463c19997bc37f18dc4bc (commit)
       via  e393f3cc94ca5b0346fc0243d848666bc9af2751 (commit)
       via  4a1b62b3300832deb18a415c4aff941c1e16a037 (commit)
       via  2aa59699290cd2329b264527679b7dd7b681d58e (commit)
       via  e0b31eae8789d280948293aa4057d200402b4325 (commit)
       via  3a452018a8bd4693a8a65df4507ad31257716e28 (commit)
       via  d3b1c44629a7a0cf04d0b7e5135cbb748fa6899e (commit)
       via  0af8930f21828c59f1c15007d0a2fd2ff564b08f (commit)
      from  8072ea3dc7ebd66426b88694f14b5bcdf2a3ace1 (commit)

Summary of changes:
 bin/rt.in                                             | 16 ++++++++++------
 etc/upgrade/3.8.17/schema.Oracle                      |  1 +
 etc/upgrade/3.8.17/schema.Pg                          |  1 +
 etc/upgrade/3.8.17/schema.mysql                       |  1 +
 lib/RT/Interface/Web.pm                               |  7 ++++---
 lib/RT/Ticket_Overlay.pm                              |  9 +++++++++
 .../Tools/Shredder/Elements/Object/RT--Attachment     |  2 +-
 share/html/Download/CustomFieldValue/dhandler         |  2 +-
 share/html/Download/Tabular/dhandler                  |  2 +-
 share/html/Elements/ColumnMap                         |  6 ++++--
 share/html/Elements/EditCustomFieldBinary             |  2 +-
 share/html/Elements/MakeClicky                        | 19 ++++++++++---------
 share/html/Elements/ShowCustomFieldBinary             |  2 +-
 share/html/Elements/ShowCustomFieldImage              |  2 +-
 share/html/Ticket/Attachment/dhandler                 |  2 +-
 share/html/Ticket/Elements/ShowAttachments            |  2 +-
 share/html/Ticket/Elements/ShowTransactionAttachments |  5 +++--
 17 files changed, 51 insertions(+), 30 deletions(-)
 create mode 100644 etc/upgrade/3.8.17/schema.Oracle
 create mode 100644 etc/upgrade/3.8.17/schema.Pg
 create mode 100644 etc/upgrade/3.8.17/schema.mysql

- Log -----------------------------------------------------------------
commit 0af8930f21828c59f1c15007d0a2fd2ff564b08f
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Wed Apr 17 20:25:22 2013 -0400

    Ensure that filenames in inline image attributes are HTML-escaped

diff --git a/share/html/Ticket/Elements/ShowTransactionAttachments b/share/html/Ticket/Elements/ShowTransactionAttachments
index d33ed7f..d47b54f 100644
--- a/share/html/Ticket/Elements/ShowTransactionAttachments
+++ b/share/html/Ticket/Elements/ShowTransactionAttachments
@@ -231,12 +231,13 @@ my $render_attachment = sub {
         }
 
         my $filename =  $message->Filename || loc('(untitled)');
+        my $efilename = $m->interp->apply_escapes( $filename, 'h' );
         $m->out('<img'
               . ' alt="'
-              . $filename
+              . $efilename
               . '"' 
               . ' title="'
-              . $filename
+              . $efilename
               . '"' 
               . ' src="'
               . $AttachPath . '/'
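Review bot: the `src` attribute that starts at the end of this hunk is cut off before the filename is appended, and the escaping it needs is different: `alt`/`title` are HTML text and now use `apply_escapes(..., 'h')`, but a filename appended to `$AttachPath . '/'` is a URI path segment and should be URI-escaped (`apply_escapes($filename, 'u')`, as `ShowCustomFieldImage` does elsewhere in this series) and only then HTML-escaped for the attribute. Please confirm the remainder of the `src` expression does that, and add a test with a filename containing `"`, `&` and `<` so both contexts are pinned.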

commit d3b1c44629a7a0cf04d0b7e5135cbb748fa6899e
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Thu Apr 18 16:20:43 2013 -0400

    Deny direct access to callbacks
    
    Callbacks are meant to be called from the context of a core Mason
    component, and do not expect to receive arbitrary input from query
    parameters.  As such, deny access to them from the top-level request.


diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 3095943..27f150a 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -497,6 +497,7 @@ sub MaybeRejectPrivateComponentRequest {
             / # leading slash
             ( Elements    |
               _elements   | # mobile UI
+              Callbacks   |
               Widgets     |
               autohandler | # requesting this directly is suspicious
               l (_unsafe)? ) # loc component
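Review bot: adding `Callbacks` to the alternation is the right fix, but the hunk only shows the alternation, not the regex's anchoring or flags. Please confirm the enclosing pattern is anchored to the start of the request path and that the path has been canonicalised (duplicate or trailing slashes collapsed) before it is matched, otherwise a denylist of prefixes is easy to miss; a regression test that requests a `/Callbacks/...` path directly and expects the rejection would document the intent.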

commit 3a452018a8bd4693a8a65df4507ad31257716e28
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Thu Apr 18 19:30:25 2013 -0400

    Protect calls to $m->comp with user input in ColumnMap
    
    $Class may leak in from the user, which would allow calling arbitrary
    components.  Protect it by using ComponentPathIsSafe, extended to ensure
    that the path cannot be truncated early by way of embedded nulls.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 3095943..1c2c3e2 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -831,15 +831,15 @@ sub StaticFileHeaders {
 Takes C<PATH> and returns a boolean indicating that the user-specified partial
 component path is safe.
 
-Currently "safe" means that the path does not start with a dot (C<.>) and does
-not contain a slash-dot C</.>.
+Currently "safe" means that the path does not start with a dot (C<.>), does
+not contain a slash-dot C</.>, and does not contain any nulls.
 
 =cut
 
 sub ComponentPathIsSafe {
     my $self = shift;
     my $path = shift;
-    return $path !~ m{(?:^|/)\.};
+    return $path !~ m{(?:^|/)\.} and $path !~ m{\0};
 }
 
 =head2 PathIsSafe
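Review bot: the new return statement has a precedence bug: `return $path !~ m{(?:^|/)\.} and $path !~ m{\0};` parses as `(return $path !~ m{(?:^|/)\.}) and ...` because `and` binds more loosely than the `return` list operator, so the null check is never evaluated and the function still returns only the dot check. Write it as `return ($path !~ m{(?:^|/)\.} and $path !~ m{\0});` or use `&&`, and add a unit test that passes a path containing `"\0"` and expects false; the updated POD describes behaviour the code does not yet have.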
diff --git a/share/html/Elements/ColumnMap b/share/html/Elements/ColumnMap
index f87f5ef..d320ba0 100644
--- a/share/html/Elements/ColumnMap
+++ b/share/html/Elements/ColumnMap
@@ -170,8 +170,10 @@ $m->callback( COLUMN_MAP => $COLUMN_MAP, CallbackName => 'Once', CallbackOnce =>
 $m->callback( COLUMN_MAP => $COLUMN_MAP );
 
 # first deal with class specific things
-my $class_map = $m->comp("/Elements/$Class/ColumnMap", Attr => $Attr, Name => $Name );
-return $class_map if defined $class_map;
+if (RT::Interface::Web->ComponentPathIsSafe($Class) and $m->comp_exists("/Elements/$Class/ColumnMap")) {
+    my $class_map = $m->comp("/Elements/$Class/ColumnMap", Attr => $Attr, Name => $Name );
+    return $class_map if defined $class_map;
+}
 return GetColumnMapEntry( Map => $COLUMN_MAP, Name => $Name, Attribute => $Attr );
 
 </%INIT>
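Review bot: wrapping the `$m->comp` call in `ComponentPathIsSafe($Class) and $m->comp_exists(...)` closes the arbitrary-component call, but `$Class` is still interpolated into a path from user input. A stronger pattern here is an allowlist of the class names that actually have a `/Elements/<Class>/ColumnMap` component (the set is small and known at release time), which also avoids the silent fall-through to `GetColumnMapEntry` when `$Class` is empty or undefined (`"/Elements//ColumnMap"` would previously have died with a clear error). At minimum, guard against an undefined `$Class` before the regex in `ComponentPathIsSafe` sees it.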

commit e0b31eae8789d280948293aa4057d200402b4325
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Fri Apr 19 23:45:17 2013 -0400

    Ensure that subjects cannot contain embedded newlines
    
    The default templates embed the ticket's subject in the outgoing Subject
    header -- but have no way to ensure that the subject does not contain
    newlines, which could be used to insert additional headers.
    Programmatically restricting templates from inserting newlines in the
    header section is both difficult and overly limiting, as there are valid
    reasons to do so.
    
    Strip all newlines from Subject headers.  While this resolves the
    issue for all core RT templates, solving it more generally is
    unfortunately not feasible.

diff --git a/etc/upgrade/3.8.17/schema.Oracle b/etc/upgrade/3.8.17/schema.Oracle
new file mode 100644
index 0000000..fad9db0
--- /dev/null
+++ b/etc/upgrade/3.8.17/schema.Oracle
@@ -0,0 +1 @@
+UPDATE Tickets SET Subject = REPLACE(Subject,CHR(10),'');
diff --git a/etc/upgrade/3.8.17/schema.Pg b/etc/upgrade/3.8.17/schema.Pg
new file mode 100644
index 0000000..d748315
--- /dev/null
+++ b/etc/upgrade/3.8.17/schema.Pg
@@ -0,0 +1 @@
+UPDATE Tickets SET Subject = REPLACE(Subject,E'\n','');
diff --git a/etc/upgrade/3.8.17/schema.mysql b/etc/upgrade/3.8.17/schema.mysql
new file mode 100644
index 0000000..f6d59e1
--- /dev/null
+++ b/etc/upgrade/3.8.17/schema.mysql
@@ -0,0 +1 @@
+UPDATE Tickets SET Subject = REPLACE(Subject,'\n','');
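Review bot: all three upgrade statements strip only LF (`CHR(10)`, `E'\n'`, `'\n'`), so subjects containing a bare CR survive the migration even though CR is equally capable of ending a header line; extend each statement to remove `CHR(13)` / `E'\r'` / `'\r'` as well, matching whatever the Perl side ends up stripping. On the MySQL file specifically, `'\n'` is only a newline when backslash escapes are enabled; with `sql_mode` containing `NO_BACKSLASH_ESCAPES` it is the two-character string `\n` and the `UPDATE` becomes a no-op, so prefer `CHAR(10)` for portability.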
diff --git a/lib/RT/Ticket_Overlay.pm b/lib/RT/Ticket_Overlay.pm
index eb482b8..5d51b03 100755
--- a/lib/RT/Ticket_Overlay.pm
+++ b/lib/RT/Ticket_Overlay.pm
@@ -450,6 +450,8 @@ sub Create {
         }
     }
 
+    $args{'Subject'} =~ s/\n//g;
+
     $RT::Handle->BeginTransaction();
 
     my %params = (
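Review bot: `$args{'Subject'} =~ s/\n//g;` only removes LF; a `\r` left in the subject still terminates a header line for many MTAs, so the substitution should be `s/[\r\n]//g` (and the schema upgrade should match). It also runs unconditionally, so a `Create` call without a Subject triggers an uninitialized-value warning; guard it with `if defined $args{'Subject'}`. Since the same strip is repeated in `SetSubject` below, factoring it into one helper keeps the two from drifting apart.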
@@ -1772,6 +1774,13 @@ sub QueueObj {
     return ($queue_obj);
 }
 
+sub SetSubject {
+    my $self = shift;
+    my $value = shift;
+    $value =~ s/\n//g;
+    return $self->_Set( Field => 'Subject', Value => $value );
+}
+
 # }}}
 
 # }}}
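Review bot: the new `SetSubject` override covers the public setter, but the stripping logic is duplicated from `Create` and should live in a single helper so both paths stay consistent (and both should also drop `\r`, see above). It also lands between the `# }}}` fold markers that close `QueueObj`, which breaks the file's folding convention; move it to sit with the other `Set*` accessors. A test that calls `SetSubject("a\nb")` and `Create(Subject => "a\nb")` and reads back `"ab"` would pin the behaviour.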

commit 2aa59699290cd2329b264527679b7dd7b681d58e
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Fri Apr 19 16:08:36 2013 -0400

    Remove filename= suggestions from Content-Disposition lines
    
    No supported standard exists for escaping of the "filename" attribute of
    Content-Disposition.  This opens the possibility of various injection
    attacks through carefully-crafted filenames if AlwaysDownloadAttachments
    is enabled.
    
    As the download endpoint is a dhandler, and most locations already
    supply the filename after the final /, browsers will assume the correct
    filename even if none is supplied to Content-Disposition.  Hence, remove
    the filename= parameter entirely.

diff --git a/share/html/Download/CustomFieldValue/dhandler b/share/html/Download/CustomFieldValue/dhandler
index ced11fb..a919049 100644
--- a/share/html/Download/CustomFieldValue/dhandler
+++ b/share/html/Download/CustomFieldValue/dhandler
@@ -64,7 +64,7 @@ unless ($OCFV->id) {
 my $content_type = $OCFV->ContentType || 'text/plain';
     
 if (RT->Config->Get('AlwaysDownloadAttachments')) {
-    $r->headers_out->{'Content-Disposition'} = "attachment; filename=" . $OCFV->Content;
+    $r->headers_out->{'Content-Disposition'} = "attachment";
 }
 elsif (!RT->Config->Get('TrustHTMLAttachments')) {
     $content_type = 'text/plain' if ($content_type =~ /^text\/html/i);
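Review bot: dropping the `filename=` parameter is only safe because the browser falls back to the last path segment of the request URI; that makes this hunk dependent on every link to `/Download/CustomFieldValue/<id>/<name>` actually carrying the (URI-escaped) name, which the `|un` changes elsewhere in this series provide. Please note that coupling in a comment next to the header, since a future link that omits the trailing segment will silently regress to a generic download name.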
diff --git a/share/html/Download/Tabular/dhandler b/share/html/Download/Tabular/dhandler
index 3ca26f8..2b9bd96 100644
--- a/share/html/Download/Tabular/dhandler
+++ b/share/html/Download/Tabular/dhandler
@@ -61,7 +61,7 @@ my @cols = $class->BasicColumns or return;
 
 #$r->content_type( 'application/octet-stream' );
 $r->content_type( 'text/plain' );
-$r->headers_out->{'Content-Disposition'} = "attachment; filename=$filename";
+$r->headers_out->{'Content-Disposition'} = "attachment";
 $m->clear_buffer();
 $m->out(join("\t", "Id", map $_->[1], @cols), "\n");
 foreach my $id (@ids) {
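Review bot: with the `filename=` parameter gone, `$filename` is no longer referenced in this hunk; if it is computed earlier in the component solely for this header, remove that computation too so nothing keeps a now-unused, user-influenced value around.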
diff --git a/share/html/Ticket/Attachment/dhandler b/share/html/Ticket/Attachment/dhandler
index d68d8bf..8dcaccc 100755
--- a/share/html/Ticket/Attachment/dhandler
+++ b/share/html/Ticket/Attachment/dhandler
@@ -70,7 +70,7 @@
      my $content_type = $AttachmentObj->ContentType || 'text/plain';
 
      if (RT->Config->Get('AlwaysDownloadAttachments')) {
-         $r->headers_out->{'Content-Disposition'} = "attachment; filename=" . $AttachmentObj->Filename;
+         $r->headers_out->{'Content-Disposition'} = "attachment";
      }
      elsif (!RT->Config->Get('TrustHTMLAttachments')) {
          $content_type = 'text/plain' if ($content_type =~ /^text\/html/i);

commit 4a1b62b3300832deb18a415c4aff941c1e16a037
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Fri Apr 19 16:48:49 2013 -0400

    Ensure consistent escaping of filenames in attachment URIs
    
    <% $value |u %> still applies HTML escaping before URI escaping, which
    is incorrect, as it leads to files named «a"test".txt» being linked with
    URIs like «a%26%2334%3Btest%26%2334%3B.txt» -- the URI-escaped version
    of «a"test".txt».
    
    Ensure that these URIs are only URI-escaped (yielding «a%22test%22.txt»
    in this example), such that browsers correctly parse the intended
    filename from the URI.

diff --git a/share/html/Admin/Tools/Shredder/Elements/Object/RT--Attachment b/share/html/Admin/Tools/Shredder/Elements/Object/RT--Attachment
index 052d848..e8a42c5 100644
--- a/share/html/Admin/Tools/Shredder/Elements/Object/RT--Attachment
+++ b/share/html/Admin/Tools/Shredder/Elements/Object/RT--Attachment
@@ -48,6 +48,6 @@
 <%ARGS>
 $Object => undef
 </%ARGS>
-<a href="<% RT->Config->Get('WebURL') %>/Ticket/Attachment/<% $Object->TransactionId %>/<% $Object->id %>/">
+<a href="<% RT->Config->Get('WebURL') %>/Ticket/Attachment/<% $Object->TransactionId %>/<% $Object->id %>/<% $Object->Filename |un %>">
 <% loc('Attachment') %>(<% loc('id') %>:<% $Object->id %>, <% loc('FileName') %>: <% $Object->Filename || loc('(no value)') %>)
 </a>
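Review bot: `<% $Object->Filename |un %>` applies URI escaping and suppresses the default HTML escape, which is the right order for a path segment that is then placed in a quoted attribute, provided the URI escaper does not leave `"` unescaped (the commit message's `a%22test%22.txt` example shows it does not). When `Filename` is undefined the href ends in a trailing slash exactly as before, so the visible text's `|| loc('(no value)')` fallback and the link stay consistent.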
diff --git a/share/html/Elements/EditCustomFieldBinary b/share/html/Elements/EditCustomFieldBinary
index 4700b5d..c74bfd0 100644
--- a/share/html/Elements/EditCustomFieldBinary
+++ b/share/html/Elements/EditCustomFieldBinary
@@ -47,7 +47,7 @@
 %# END BPS TAGGED BLOCK }}}
 % while ( $Values and my $value = $Values->Next ) {
 %# XXX - let user download the file(s) here?
-<input type="checkbox" class="checkbox" name="<%$NamePrefix%><%$CustomField->Id%>-DeleteValueIds" class="CF-<%$CustomField->id%>-Edit" value="<% $value->Id %>" /><a href="<%RT->Config->Get('WebPath')%>/Download/CustomFieldValue/<% $value->Id %>/<% $value->Content %>"><% $value->Content %></a><br />
+<input type="checkbox" class="checkbox" name="<%$NamePrefix%><%$CustomField->Id%>-DeleteValueIds" class="CF-<%$CustomField->id%>-Edit" value="<% $value->Id %>" /><a href="<%RT->Config->Get('WebPath')%>/Download/CustomFieldValue/<% $value->Id %>/<% $value->Content |un %>"><% $value->Content %></a><br />
 % }
 % if (!$MaxValues || !$Values || $Values->Count < $MaxValues) {
 <input type="file" name="<% $NamePrefix %><% $CustomField->Id %>-Upload" class="CF-<%$CustomField->id%>-Edit" />
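Review bot: the `<input type="checkbox" ...>` on the changed line carries two `class` attributes (`class="checkbox"` and `class="CF-<id>-Edit"`); browsers keep only the first, so the per-field `CF-...-Edit` hook never applies. Merge them into one `class="checkbox CF-<%$CustomField->id%>-Edit"` while this line is being touched.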
diff --git a/share/html/Elements/ShowCustomFieldBinary b/share/html/Elements/ShowCustomFieldBinary
index f2fb031..306f463 100644
--- a/share/html/Elements/ShowCustomFieldBinary
+++ b/share/html/Elements/ShowCustomFieldBinary
@@ -45,7 +45,7 @@
 %# those contributions and any derivatives thereof.
 %#
 %# END BPS TAGGED BLOCK }}}
-<a href="<%RT->Config->Get('WebPath')%>/Download/CustomFieldValue/<% $Object->Id %>/<% $Object->Content %>"><% $Object->Content %></a>
+<a href="<%RT->Config->Get('WebPath')%>/Download/CustomFieldValue/<% $Object->Id %>/<% $Object->Content |un %>"><% $Object->Content %></a>
 <%ARGS>
 $Object => undef
 </%ARGS>
diff --git a/share/html/Elements/ShowCustomFieldImage b/share/html/Elements/ShowCustomFieldImage
index 0136e84..0779696 100644
--- a/share/html/Elements/ShowCustomFieldImage
+++ b/share/html/Elements/ShowCustomFieldImage
@@ -45,7 +45,7 @@
 %# those contributions and any derivatives thereof.
 %#
 %# END BPS TAGGED BLOCK }}}
-%    my $url = RT->Config->Get('WebPath') . "/Download/CustomFieldValue/".$Object->Id.'/'.$Object->Content;
+%    my $url = RT->Config->Get('WebPath') . "/Download/CustomFieldValue/".$Object->Id.'/'.$m->interp->apply_escapes($Object->Content, 'u');
 <a href="<% $url %>"><% $Object->Content %></a>
 <img type="<% $Object->ContentType %>" height="64" src="<% $url %>" align="middle" />
 <%ARGS>
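Review bot: building `$url` with `apply_escapes($Object->Content, 'u')` and then emitting it through the default `<% $url %>` (HTML escape) gives the correct layering, URI escaping first and HTML escaping at the attribute boundary, which is what the other components in this series get via `|un`. Unrelated but visible in the context line: `type` is not a valid attribute of `<img>`; the content type is already escaped by default, but the attribute can simply be dropped.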
diff --git a/share/html/Ticket/Elements/ShowAttachments b/share/html/Ticket/Elements/ShowAttachments
index 078a149..c6962b0 100755
--- a/share/html/Ticket/Elements/ShowAttachments
+++ b/share/html/Ticket/Elements/ShowAttachments
@@ -82,7 +82,7 @@ if ($size) {
 </%PERL>
 
 <li><font size="-2">
-<a href="<%RT->Config->Get('WebPath')%>/Ticket/Attachment/<%$rev->TransactionId%>/<%$rev->Id%>/<%$rev->Filename | u%>">
+<a href="<%RT->Config->Get('WebPath')%>/Ticket/Attachment/<%$rev->TransactionId%>/<%$rev->Id%>/<%$rev->Filename | un %>">
 % my $desc = loc("[_1] ([_2]) by [_3]", $rev->CreatedAsString, $size, $m->scomp('/Elements/ShowUser', User => $rev->CreatorObj));
 <% $desc |n%>
 </a>
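Review bot: the change from `| u` to `| un` matters because Mason still applies the default `h` filter on top of an explicit `u`, producing the double-escaped `%26%2334%3B` form the commit message describes; `n` turns the default off so only URI escaping remains. Note that the adjacent `<% $desc |n%>` also bypasses escaping, so every piece interpolated into `$desc` (`CreatedAsString`, `$size`, the `ShowUser` output) must already be HTML-safe; a short comment there would save the next reader the same audit.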

commit e393f3cc94ca5b0346fc0243d848666bc9af2751
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Wed Apr 17 20:04:14 2013 -0400

    Ensure that URLs placed in HTML attributes are escaped correctly, to prevent XSS injection

diff --git a/share/html/Elements/MakeClicky b/share/html/Elements/MakeClicky
index da202ac..f95fd58 100644
--- a/share/html/Elements/MakeClicky
+++ b/share/html/Elements/MakeClicky
@@ -48,6 +48,12 @@
 <%ONCE>
 use Regexp::Common qw(URI);
 
+my $escaper = sub {
+    my $content = shift;
+    RT::Interface::Web::EscapeUTF8( \$content );
+    return $content;
+};
+
 my %actions = (
     default => sub {
         my %args = @_;
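Review bot: `$escaper` calls `RT::Interface::Web::EscapeUTF8`, which is an HTML escape; naming it `$html_escape` (or commenting that it is not a URI escaper) would prevent it being reused for `href` values that need URI escaping. Moving the definition above `%actions` is required, not cosmetic: the closures in `%actions` capture this lexical, so it must be declared before they are compiled.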
@@ -55,15 +61,16 @@ my %actions = (
     },
     url => sub {
         my %args = @_;
+        $args{value} = $escaper->($args{value});
         my $result = qq{[<a target="new" href="$args{value}">}. loc('Open URL') .qq{</a>]};
         return $args{value} . qq{ <span class="clickylink">$result</span>};
     },
     url_overwrite => sub {
         my %args = @_;
-        my $result = qq{<a target="new" href="$args{'value'}">};
+        my $result = qq{<a target="new" href="} . $escaper->($args{'value'}) . q{">};
         #XXX: use spaces here. ­ <wbr> are not well supported :(
         $args{'value'} =~ s/(\S{30})/$1 /g;
-        $result .= qq{$args{'value'}</a>};
+        $result .= $escaper->($args{value}).qq{</a>};
         return qq{<span class="clickylink">$result</span>};
     },
 );
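Review bot: both `url` and `url_overwrite` now HTML-escape the value before it reaches `href="..."` and the link text, which is sufficient for a double-quoted attribute context. In `url_overwrite` the space insertion `s/(\S{30})/$1 /g` runs on the raw value and escaping happens afterwards, so no entity can be split; please keep that ordering if the code is refactored. Minor: the branch mixes `$args{'value'}` and `$args{value}` on adjacent lines; pick one.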
@@ -91,12 +98,6 @@ my $handle = sub {
     }
 };
 
-my $escaper = sub {
-    my $content = shift;
-    RT::Interface::Web::EscapeUTF8( \$content );
-    return $content;
-};
-
 # Hook to add more Clicky types
 # XXX Have to have Page argument, as Mason gets caller wrong in Callback?
 # This happens as we are in <%ONCE> block
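Review bot: this hunk removes the old `$escaper` definition that appeared after its use; since the whole block is inside `<%ONCE>` and the `%actions` closures reference `$escaper`, the earlier placement in the first hunk is what makes `use strict` and the closures work. A regression test that feeds `MakeClicky` a value containing `"` and `<` through each action type would make sure the escape is applied on every path.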

commit 3a23d71a9e5a9da856d463c19997bc37f18dc4bc
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Wed Apr 24 23:51:59 2013 -0400

    Ensure that the default replacement does not pass through unescaped content
    
    This is only relevant in the case of a MakeClicky misconfiguration.

diff --git a/share/html/Elements/MakeClicky b/share/html/Elements/MakeClicky
index f95fd58..583e70f 100644
--- a/share/html/Elements/MakeClicky
+++ b/share/html/Elements/MakeClicky
@@ -57,7 +57,7 @@ my $escaper = sub {
 my %actions = (
     default => sub {
         my %args = @_;
-        return $args{value};
+        return $escaper->($args{value});
     },
     url => sub {
         my %args = @_;
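Review bot: with `default` now escaping, every action in `%actions` escapes its own input, so the contract for anyone registering extra clicky types via the hook below is "receive raw text, return HTML". That contract should be written into the comment on the hook, otherwise a plugin that pre-escapes its input will be double-escaped and one that assumes the caller escapes will reintroduce the problem this series fixes.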

commit f1e5e67a7299c850584c814ebef9807aeeec932e
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Thu Apr 18 17:59:09 2013 -0400

    Use File::Temp for non-predictable temporary filenames
    
    Previously, RT wrote to /tmp/rt.form.$$, which is a semi-predictable
    filename.  A malicious user could symlink a file of their choosing into
    that location, which a privileged user running bin/rt would then
    overwrite.  While this race condition would be difficult to exploit, as
    it leaves the attacker with no control over the contents of the file,
    and relies on beating the race condition, it is still potentially
    dangerous.
    
    Use File::Temp to atomically generate a non-predictable filename and
    open it for writing.

diff --git a/bin/rt.in b/bin/rt.in
index d89f47e..9cf08fe 100755
--- a/bin/rt.in
+++ b/bin/rt.in
@@ -61,6 +61,7 @@ use HTTP::Request::Common;
 use HTTP::Headers;
 use Term::ReadLine;
 use Time::Local; # used in prettyshow
+use File::Temp;
 
 # strong (GSSAPI based) authentication is supported if the server does provide
 # it and the perl modules GSSAPI and LWP::Authen::Negotiate are installed
@@ -1473,16 +1474,19 @@ sub read_passwd {
 
 sub vi {
     my ($text) = @_;
-    my $file = "/tmp/rt.form.$$";
     my $editor = $ENV{EDITOR} || $ENV{VISUAL} || "vi";
 
-    local *F;
     local $/ = undef;
 
-    open(F, '>', $file) or die "$file: $!\n"; print F $text; close(F);
-    system($editor, $file) && die "Couldn't run $editor.\n";
-    open(F, '<', $file) or die "$file: $!\n"; $text = <F>; close(F);
-    unlink($file);
+    my $handle = File::Temp->new;
+    print $handle $text;
+    close($handle);
+
+    system($editor, $handle->filename) && die "Couldn't run $editor.\n";
+
+    open( $handle, '<', $handle->filename ) or die "$handle: $!\n";
+    $text = <$handle>;
+    close($handle);
 
     return $text;
 }
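Review bot: the first `close($handle)` after `print $handle $text` ignores its return value, so a short write (full disk, quota) is not detected and the editor opens on a truncated file; check `close` (or `$handle->flush`) and `die` on failure as the old `open` did. Reopening the `File::Temp` object itself with `open( $handle, '<', $handle->filename )` works because the object stringifies to its filename and the temp file is still unlinked on destruction, but it is obscure; opening a separate lexical handle on `$handle->filename` reads more clearly. The `die "$handle: $!\n"` message relies on that same stringification, which is fine but worth a comment.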

commit b7d7ba365f99a72528ac763dddb96a142131c4b7
Merge: fe41b3d 4a1b62b
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Fri May 3 10:30:57 2013 -0700

    Merge remote-tracking branch 'private/security/3.8/attachment-filename-escaping' into security/3.8.17-releng


commit 23a1e4d4481f0a742a7774e811c28a21879aa45f
Merge: b7d7ba3 d3b1c44
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Fri May 3 10:31:01 2013 -0700

    Merge remote-tracking branch 'private/security/3.8/deny-direct-callback-access' into security/3.8.17-releng


commit 7b6583c6546f297c5d34127f5cde7eb9cbb8eff0
Merge: 23a1e4d 0af8930
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Fri May 3 10:31:02 2013 -0700

    Merge remote-tracking branch 'private/security/3.8/escape-attachment-filename' into security/3.8.17-releng


commit 0c37bfdf2146d07253564bfad3b9238478a97783
Merge: 7b6583c 3a23d71
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Fri May 3 10:31:04 2013 -0700

    Merge remote-tracking branch 'private/security/3.8/escape-makeclicky' into security/3.8.17-releng


commit 82c59453776390a1e70162a0b31386af27fdeea7
Merge: 0c37bfd 3a45201
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Fri May 3 10:31:05 2013 -0700

    Merge remote-tracking branch 'private/security/3.8/protect-columnmap-comp' into security/3.8.17-releng


commit 31440edc5b59dfee96e903ce9400ee354299894d
Merge: 82c5945 f1e5e67
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Fri May 3 10:31:07 2013 -0700

    Merge remote-tracking branch 'private/security/3.8/rt-predictable-tmpfile' into security/3.8.17-releng


commit c1b9a4a0cfbb6db78ed8b6f255dc41bd226995b7
Merge: 31440ed e0b31ea
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Fri May 3 10:31:08 2013 -0700

    Merge remote-tracking branch 'private/security/3.8/subject-newlines' into security/3.8.17-releng


commit 201cc3405e2c133c09a26ec8e1f9a6ef74fe866c
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Wed May 22 12:03:04 2013 -0700

    Bump version for 3.8.17

diff --git a/configure.ac b/configure.ac
index 5104d44..b6c8453 100755
--- a/configure.ac
+++ b/configure.ac
@@ -7,7 +7,7 @@ AC_REVISION($Revision$)dnl
 
 dnl Setup autoconf
 AC_PREREQ([2.53])
-AC_INIT(RT, 3.8.HEAD, [rt-bugs at bestpractical.com])
+AC_INIT(RT, 3.8.17, [rt-bugs at bestpractical.com])
 AC_CONFIG_SRCDIR([lib/RT.pm.in])
 
 dnl Extract RT version number components

commit 91d83d3713e4903c470f585542ed259b9d9bb928
Merge: 8072ea3 201cc34
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Wed May 22 12:09:09 2013 -0700

    Merge branch 'security/3.8.17-releng' into 3.8-trunk
    
    Version in configure.ac reverted back to 3.8.HEAD.
    
    Resolves:
    
        CVE-2013-3368
        CVE-2013-3369
        CVE-2013-3370
        CVE-2013-3371
        CVE-2013-3372
        CVE-2013-3373
        CVE-2013-3374


-----------------------------------------------------------------------

