[Rt-commit] rt branch, 4.2-trunk, updated. rt-4.2.10rc1-3-g7dfb029
Alex Vandiver
alexmv at bestpractical.com
Tue Feb 24 16:45:28 EST 2015
The branch, 4.2-trunk has been updated
via 7dfb02918c9994499a74d7022ee7de1ee99149ab (commit)
via 1dfba9c4361a73f508f1ff5e41f284b89834c02e (commit)
via 626097574ebdb5e18477e6c04a8b7859b1fe4555 (commit)
from a9a35134f25d9a1854b929e86323cdba6470d1f9 (commit)
Summary of changes:
docs/web_deployment.pod | 2 +-
lib/RT/EmailParser.pm | 6 ++----
lib/RT/I18N.pm | 6 ------
lib/RT/Template.pm | 3 ---
4 files changed, 3 insertions(+), 14 deletions(-)
- Log -----------------------------------------------------------------
commit 626097574ebdb5e18477e6c04a8b7859b1fe4555
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Feb 24 15:08:51 2015 -0500
Remove vestiges from when RT tried to be taint-safe
Notable because it restricts the paths that RT can be installed under --
for instance, paths containing unusual symbols (?, or @ from AFS) fail
the given regex.
As the rest of RT is no longer taint-safe, remove this vestigial code.
diff --git a/lib/RT/I18N.pm b/lib/RT/I18N.pm
index a9fc52e..ba7cd88 100644
--- a/lib/RT/I18N.pm
+++ b/lib/RT/I18N.pm
@@ -101,12 +101,6 @@ sub Init {
# Load language-specific functions
foreach my $file ( File::Glob::bsd_glob(substr(__FILE__, 0, -3) . "/*.pm") ) {
- unless ( $file =~ /^([-\w\s\.\/\\~:]+)$/ ) {
- warn("$file is tainted. not loading");
- next;
- }
- $file = $1;
-
my ($lang) = ($file =~ /([^\\\/]+?)\.pm$/);
next unless grep $_ eq '*' || $_ eq $lang, @lang;
require $file;
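Review bot: in Init, the directory part of the pattern passed to `File::Glob::bsd_glob(substr(__FILE__, 0, -3) . "/*.pm")` is still interpreted as a glob. An install path containing glob metacharacters (`?`, `[`, `{`) is therefore matched as a pattern rather than literally, and the loop can still load nothing or pick up `.pm` files from a sibling directory that happens to match. Since every result now goes straight to `require $file` with no filter in between, consider listing the directory with opendir/readdir, or escaping the prefix before globbing, so that unusual install paths behave as the commit message describes.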
commit 1dfba9c4361a73f508f1ff5e41f284b89834c02e
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Feb 24 16:03:05 2015 -0500
Remove no-op untainting regexes
As the rest of RT is no longer taint-safe, remove this vestigial code.
diff --git a/lib/RT/EmailParser.pm b/lib/RT/EmailParser.pm
index 2cfb1d1..cfb5b7b 100644
--- a/lib/RT/EmailParser.pm
+++ b/lib/RT/EmailParser.pm
@@ -122,10 +122,8 @@ sub SmartParseMIMEEntityFromScalar {
close($fh);
if ( -f $temp_file ) {
- # We have to trust the temp file's name -- untaint it
- $temp_file =~ /(.*)/;
- my $entity = $self->ParseMIMEEntityFromFile( $1, $args{'Decode'}, $args{'Exact'} );
- unlink($1);
+ my $entity = $self->ParseMIMEEntityFromFile( $temp_file, $args{'Decode'}, $args{'Exact'} );
+ unlink($temp_file);
return $entity;
}
}
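Review bot: the return value of `unlink($temp_file);` in SmartParseMIMEEntityFromScalar is not checked, and the call is only reached if ParseMIMEEntityFromFile returns normally. A failed unlink, or an exception during parsing, leaves a copy of the incoming message on disk in the temp directory. Since these lines are being touched anyway, consider logging when unlink fails and performing the cleanup in a way that also runs if the parse dies. The old `/(.*)/` capture stopped at the first newline while the new code passes the full name, which is only equivalent as long as the temp file name never contains one; a short note to that effect in the commit message would help.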
diff --git a/lib/RT/Template.pm b/lib/RT/Template.pm
index 23f150b..39651d5 100644
--- a/lib/RT/Template.pm
+++ b/lib/RT/Template.pm
@@ -487,9 +487,6 @@ sub _ParseContent {
}
my $content = $self->SUPER::_Value('Content');
- # We need to untaint the content of the template, since we'll be working
- # with it
- $content =~ s/^(.*)$/$1/;
$args{'Ticket'} = delete $args{'TicketObj'} if $args{'TicketObj'};
$args{'Transaction'} = delete $args{'TransactionObj'} if $args{'TransactionObj'};
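Review bot: missing documentation in _ParseContent for why dropping `$content =~ s/^(.*)$/$1/;` is behaviour-neutral. Without `/s` or `/m` that substitution can only match content with no embedded newline, so for a typical multi-line template it never matched and never untainted anything; saying so in the commit message would make "no-op" verifiable for a later reader. With the comment gone, nothing at this point records that `$content` comes unmodified from `SUPER::_Value('Content')`, so a one-line comment stating that RT does not support running under taint mode, and that template content is used as stored, would be worth leaving in its place.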
commit 7dfb02918c9994499a74d7022ee7de1ee99149ab
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Feb 24 16:33:07 2015 -0500
Suggest using a UNIX socket for lighttpd, which may be more reliable
Fixes: I#30626
diff --git a/docs/web_deployment.pod b/docs/web_deployment.pod
index 79a9fb4..fad3c50 100644
--- a/docs/web_deployment.pod
+++ b/docs/web_deployment.pod
@@ -192,7 +192,7 @@ With the nginx configuration:
fastcgi.server = (
"/" => (
"rt" => (
- "port" => "9000",
+ "socket" => "/opt/rt4/var/socket",
"bin-path" => "/opt/rt4/sbin/rt-server.fcgi",
"check-local" => "disable",
"fix-root-scriptname" => "enable",
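Review bot: the new `"socket" => "/opt/rt4/var/socket",` line needs an accompanying sentence in the POD about ownership and permissions. With `"bin-path"` set, lighttpd creates the socket itself, so `/opt/rt4/var` must be writable by the user lighttpd runs as, and the socket should not be reachable by other local users, since any process that can connect to it can send FastCGI requests to RT directly and bypass the web server. The old `"port" => "9000"` form had no such filesystem requirement, so readers switching over will hit permission errors without this guidance.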
-----------------------------------------------------------------------