[Rt-commit] rt branch, 4.2/showhistory-paths-and-titlebars, repushed

Tue May 27 17:20:14 EDT 2014

The branch 4.2/showhistory-paths-and-titlebars was deleted and repushed:
       was afbf0aba932d41b6b46a8677782fe9b1c176444f
       now 1aa631b9bd7f23deb1ca4aef767dd41151cf9a2a

1:  47bf64f ! 1:  324e22d Assuming relative paths in ShowHistory breaks Approvals history display
    @@ -17,10 +17,9 @@
         
         Broken when moving to relative-by-default paths in 8274e2b6.
         
    -    I don't think you can jam something malicious into PathPrefix since
    -    /Elements/ShowHistory isn't directly callable and the JS helper doesn't
    -    pass extra arguments, and I don't see other callsites passing %ARGS to
    -    ShowHistory.
    +    Since /Elements/ShowHistory isn't directly callable and the JS helper doesn't
    +    pass extra arguments, there are currently no ways to pass a malicious
    +    PathPrefix in from user supplied data.
     
     diff --git a/share/html/Approvals/Display.html b/share/html/Approvals/Display.html
     --- a/share/html/Approvals/Display.html
    @@ -48,6 +47,19 @@
          </div>
        </div>
     
    +diff --git a/share/html/Approvals/Elements/ShowDependency b/share/html/Approvals/Elements/ShowDependency
    +--- a/share/html/Approvals/Elements/ShowDependency
    ++++ b/share/html/Approvals/Elements/ShowDependency
    +@@
    +         $text .= $head;
    +     }
    + 
    +-    $text .= $m->scomp('/Elements/ShowHistory' , Object => $link->BaseObj, ShowTitle => 0, ShowHeaders => 0, ShowDisplayModes => 0, ShowTitleBarCommands => 0);
    ++    $text .= $m->scomp('/Elements/ShowHistory' , Object => $link->BaseObj, ShowTitle => 0, ShowHeaders => 0, ShowDisplayModes => 0, ShowTitleBarCommands => 0, PathPrefix => RT->Config->Get('WebPath')."/Ticket/");
    + 
    +     $head .= $m->scomp('/Widgets/TitleBoxEnd');
    +     $text .= $m->scomp('/Widgets/TitleBoxEnd');
    +
     diff --git a/share/html/Elements/ShowHistory b/share/html/Elements/ShowHistory
     --- a/share/html/Elements/ShowHistory
     +++ b/share/html/Elements/ShowHistory
2:  bb86257 = 2:  18957ce In 4.0, ShowTitleBarCommands didn't hide Outgoing Email links
3:  5f78709 = 3:  18526eb Whitespace only change
4:  afbf0ab ! 4:  1aa631b Switch to ShowActions from ShowTitleBarCommands
    @@ -41,8 +41,8 @@
              $text .= $head;
          }
      
    --    $text .= $m->scomp('/Elements/ShowHistory' , Object => $link->BaseObj, ShowTitle => 0, ShowHeaders => 0, ShowDisplayModes => 0, ShowTitleBarCommands => 0);
    -+    $text .= $m->scomp('/Elements/ShowHistory' , Object => $link->BaseObj, ShowTitle => 0, ShowHeaders => 0, ShowDisplayModes => 0, ShowActions => 0);
    +-    $text .= $m->scomp('/Elements/ShowHistory' , Object => $link->BaseObj, ShowTitle => 0, ShowHeaders => 0, ShowDisplayModes => 0, ShowTitleBarCommands => 0, PathPrefix => RT->Config->Get('WebPath')."/Ticket/");
    ++    $text .= $m->scomp('/Elements/ShowHistory' , Object => $link->BaseObj, ShowTitle => 0, ShowHeaders => 0, ShowDisplayModes => 0, ShowActions => 0, PathPrefix => RT->Config->Get('WebPath')."/Ticket/");
      
          $head .= $m->scomp('/Widgets/TitleBoxEnd');
          $text .= $m->scomp('/Widgets/TitleBoxEnd');