[Rt-commit] rt branch, master, updated. rt-4.2.12-334-g72db35f

? sunnavy sunnavy at bestpractical.com
Mon Oct 26 13:24:26 EDT 2015


The branch, master has been updated
       via  72db35fb2a05c7e8aa6229221f79da74585b3d26 (commit)
       via  710898013a94b9ecd9888cea06c8c9ec1a837d98 (commit)
       via  3672e3ec9df17b5c9beb6ce7f1897889a08a8c9a (commit)
       via  d1cc4d2f4ad820315c62483565a5bca271aba900 (commit)
       via  c5cabab4c364a2e369e5a7547218e056f282c97c (commit)
       via  4858f171db71515410b10ed75f49d6ef0757371e (commit)
       via  3a07019ca8b1586b18f5d230fdf58d27cc972145 (commit)
       via  fcaba6d291d8b32d82588d38b633e7269c272ad5 (commit)
       via  efa549951b8a906deceb8face6cb35ca164bac9b (commit)
       via  d18b08e4fee0f619f20c447903c0fb1e9c04a6b8 (commit)
       via  220d4b671c10dba4bbdb5c8659dca0dea5251acf (commit)
       via  0d81b058d5af67525cf2b71f1f1dc8e86263eb48 (commit)
       via  dd1f1e4a6b0d26b7118a43b7729417dea84131bc (commit)
       via  3a23a996cefd131df5fbbf09024e5769aecdebb3 (commit)
       via  1f4423026ce8942e9a4a7800c7fc1668de8a1be2 (commit)
       via  d073798abd91cc9451eba6a94f88d574242e6440 (commit)
       via  0c125c7007f39a200e15ebbacd303342ecdac30f (commit)
       via  524cec7e9d85da5af75e6f94c81de9ccfdcb1a82 (commit)
       via  cdf9c9fe4297aebb158e75a0e35faf79b29a32fb (commit)
       via  4c0d85c3a090909df644e7c46926bcc3c1ef5703 (commit)
       via  a2e2d37657a7424ddc779b2d639d3cb1980dd084 (commit)
       via  b945b0da211ed86c323fbab522f63e9662934ba9 (commit)
       via  cf1c42a8a851e17a9fd6844d9f783e77cc12fbbc (commit)
       via  b833421f783c8485184b9ddb6a87cea9a1345aa0 (commit)
       via  1552895ea7b58847f5e25e9d0a894278a129e7dc (commit)
       via  9a47855f2f7fa45d225d692acde1cc82676c1d1b (commit)
       via  747f8f369636283c3efb019e8919e2fbf428ff45 (commit)
       via  1704c2c7e4274999d1e720b1a7e67663b7afb8ff (commit)
       via  ac1ab02d08b58cfae78ec1cbc5b291eb0420999d (commit)
       via  0d7cfa1fb8f2d205f66f002cd66047a35fe939b7 (commit)
       via  2b8eb8662ae484c391dabc4781bc4ac7277a4fa1 (commit)
       via  710b5453eaa43fae6cae75ba9ad195a4ab2620bd (commit)
       via  935eebcb8ea4b26f7b48ab19a628ed4c4c5236fe (commit)
       via  76ce2968dcb2f783640e4f7f74b466e5ebe2cd9e (commit)
       via  c80e462eee027abdfe91835a6acaa65b001d608c (commit)
       via  d3399037fce182c6ef9cb305be25c974659e4fbc (commit)
       via  7239117ded55600b50640e926ed4a47f783345e8 (commit)
       via  4f61b8f67ecb7433b557c75a26469f107c5d666c (commit)
       via  974ba885bb706be0ef2e36f1864924546359ca6b (commit)
       via  5d72f9ce8e88c8afcf40abf9a586b16bf63e1600 (commit)
       via  4ec786bb4743f67a35a634c1bf43b13d3d3b39a9 (commit)
       via  46e61e019b20af8332a7d95431f83ad675510173 (commit)
       via  f097857f24fa80c4113d3aef260ca8292a339777 (commit)
       via  36a461947b00b105336adb4997d1c7767d8484c4 (commit)
       via  4507b0d416a32684a5e55340814beff4abed1a4e (commit)
       via  31b587a77c343e22e38a9e1b95b0fe1e88abb050 (commit)
       via  67d517ba3421ba462e349c73207a627d137ef8ac (commit)
       via  5f014996c6da4138a1576006b8664cd838196a7c (commit)
       via  1b636e5536904ded6ab2668ab215bdb6a38bc407 (commit)
       via  692227c0278082082fe267160aed688b0907307e (commit)
       via  183b20a0c6610294b351ee388287d5684c83ba76 (commit)
       via  24663fe28336f2acab281000c8a5b6918ffb3353 (commit)
       via  67e3d157e3e3bbe2a76819a9c4dd46ab44f71771 (commit)
       via  38f98d4f313a4c0e19b5ec517f4f6492928e455a (commit)
       via  6640a098e6c32445fc0c7eab64beaddecc742a75 (commit)
       via  671a9b2820f6e04985b462fde2df36e2ad0056f0 (commit)
       via  98f970ab8dfcfd46a599ad3d76353f122537c6df (commit)
       via  9fc0c15804ac1553f5ec174be08820a0fb37f4ca (commit)
       via  fb4340644e235591f03efda5d7dff69c8321416e (commit)
       via  96f83f964a5fc2f94609c1914c30a62e6051a2e1 (commit)
       via  7405da03ef50bbc7cab1126c0be1e3697a3fdffa (commit)
       via  a9fe2abcbf4795f14b2ad96a518050fe4c7cc244 (commit)
       via  cee7460a9217d92d4067dd095cee0a18870d386e (commit)
       via  73b6e5a3f70848b46855b358223bf5420ff06023 (commit)
       via  ec6b4458eddfb2bce758f76a335e34b84c3c62f2 (commit)
       via  0a1fda72846b1b6499ff68f29b8a318945455099 (commit)
       via  d8b700cba4293b3079f11bf786f9e920f9146763 (commit)
       via  fb03b4bcb0c76baee597fe5548b0cdd646d2d50b (commit)
       via  0490ac93eefa57757e83ca549eed3adef51c5cbd (commit)
       via  734fe0ae28312911a17b6223c55bd5e0a2749823 (commit)
       via  072a3135a6427807a1ec407f8f31c244ce7c0f64 (commit)
       via  0cf3eb779a8ce2a26771bf9378ef44553ce2437c (commit)
       via  a02495feaa1e7bdec10ecd06c10c328f2762b6dc (commit)
       via  340d4b20efed3e52b78334c1d24edb6bb098dad7 (commit)
       via  31c15b65d9d593e3fca4f2b27b29343a8937dadc (commit)
       via  aaa07b295e036a3a2f411a07ff8688fe11c7dee2 (commit)
       via  0c5d3842926dcf05fe227d8f8d57f41e517c09b2 (commit)
       via  ccbf51e6a6a32eebab507c92c9e976715969fcb9 (commit)
       via  88d7c508d224fc09f7b1430a4945643d28e469e6 (commit)
       via  73c740ed897af41bfd84b3ebc3dd542bfe272511 (commit)
       via  c6d4f60eb5b718d82257b0c98c48a30b6780a332 (commit)
       via  8e8ae8f46736b08a0116c44e854388765ec62b59 (commit)
       via  6a45267a7dfdc259f66af2ba318bf83182ed935e (commit)
       via  f788366da321e4ddb3f3a8a2c6f7eba41baf6817 (commit)
       via  433f0a09a0f704b4ad0200643d0fe6f87a4681c2 (commit)
       via  1f7a3d27fa20af776e3ff16e65a3092774ffa4f6 (commit)
       via  5b956a27e5eb1ca49f019f6c28319eab6042ad85 (commit)
       via  5e5ab5bad988f8bee3ea94c1b9e8afa8cbd8098d (commit)
      from  c2ef5e65f9fd44ad58f2ba6ab8ebd4cea671c388 (commit)

Summary of changes:
 .gitignore                                         |   4 +-
 README                                             |  14 +-
 bin/rt-crontool.in                                 |  68 +++---
 configure.ac                                       |   4 +-
 devel/tools/rt-apache                              |  97 +++++----
 docs/format-strings.pod                            | 234 +++++++++++++++++++++
 etc/RT_Config.pm.in                                |  19 +-
 etc/RT_SiteConfig.pm                               |   7 +-
 etc/upgrade/3.3.0/indexes                          |  25 +++
 etc/upgrade/3.3.0/schema.Oracle                    |   7 -
 etc/upgrade/3.3.0/schema.Pg                        |   6 -
 etc/upgrade/3.3.0/schema.mysql                     |   5 -
 etc/upgrade/3.7.81/indexes                         |   7 +
 etc/upgrade/3.7.81/schema.Oracle                   |   2 -
 etc/upgrade/3.7.81/schema.mysql                    |   2 -
 etc/upgrade/3.8.3/indexes                          |   8 +
 etc/upgrade/3.8.3/schema.Pg                        |   3 -
 lib/RT/Action/SendEmail.pm                         |  38 +++-
 lib/RT/Crypt.pm                                    |   2 +-
 lib/RT/Crypt/GnuPG.pm                              |   8 +-
 lib/RT/CustomField.pm                              |   5 +
 lib/RT/Graph/Tickets.pm                            |  15 +-
 lib/RT/Interface/Email.pm                          |   2 +-
 lib/RT/Interface/Web.pm                            |  85 ++++++--
 lib/RT/Queue.pm                                    |  99 +++++----
 lib/RT/Report/Tickets.pm                           |  23 +-
 lib/RT/Shredder/Plugin/Users.pm                    |  51 ++++-
 lib/RT/Test.pm                                     |   2 +-
 lib/RT/Test/Apache.pm                              |  24 ++-
 lib/RT/Ticket.pm                                   |   9 +-
 lib/RT/Transaction.pm                              |  76 ++++---
 sbin/rt-email-dashboards.in                        |   9 +-
 sbin/rt-test-dependencies.in                       |   6 +-
 .../Admin/Tools/Shredder/Elements/PluginArguments  |   9 +-
 share/html/Articles/Article/ExtractFromTicket.html |   2 +-
 share/html/Elements/CryptStatus                    |  10 +-
 share/html/Elements/EditLink                       |   2 +-
 .../{RT__Template => RT__Transaction}/ColumnMap    |  79 ++++---
 share/html/Elements/SelectNewTicketQueue           |  11 +-
 share/html/Elements/ShowLinksOfType                |   2 +-
 share/html/REST/1.0/Forms/ticket/links             |   4 +-
 share/html/Search/Elements/BuildFormatString       |  10 +-
 share/html/Search/Elements/EditSearches            |   4 +-
 share/html/SelfService/Create.html                 |   2 +-
 share/html/Ticket/Create.html                      |   4 +-
 share/html/Ticket/Elements/ShowAttachments         |   3 +-
 share/html/Ticket/Elements/ShowBasics              |   4 +
 share/html/Ticket/Elements/ShowQueue               |  10 +
 share/html/Ticket/Elements/ShowRequestor           |   8 +-
 share/html/Ticket/Elements/ShowSummary             |   5 +-
 share/html/Ticket/Graphs/index.html                |  16 +-
 share/html/Widgets/Form/Boolean                    |  18 +-
 share/html/Widgets/SelectionBox                    |   4 +-
 share/html/m/ticket/create                         |   2 +-
 share/html/m/ticket/show                           |   2 +-
 share/static/css/base/misc.css                     |   4 +
 share/static/css/rudder/ticket.css                 |  10 +
 share/static/js/util.js                            |   2 +-
 t/api/password-types.t                             |   3 +-
 ...2+fastcgi.conf.in => apache2.4+fastcgi.conf.in} |   9 +-
 ...mod_perl.conf.in => apache2.4+mod_perl.conf.in} |   9 +-
 t/mail/html-outgoing.t                             |   3 +
 t/security/CVE-2012-4733-status.t                  |  26 +++
 .../CVE-2013-3373-template-header-injection.t      |  32 +++
 t/shredder/02cfs.t                                 |  43 ++++
 t/shredder/03plugin_users.t                        |   2 +-
 t/web/csrf.t                                       |  49 +++++
 67 files changed, 1035 insertions(+), 334 deletions(-)
 create mode 100644 docs/format-strings.pod
 create mode 100644 etc/upgrade/3.3.0/indexes
 create mode 100644 etc/upgrade/3.7.81/indexes
 delete mode 100644 etc/upgrade/3.7.81/schema.Oracle
 delete mode 100644 etc/upgrade/3.7.81/schema.mysql
 create mode 100644 etc/upgrade/3.8.3/indexes
 delete mode 100644 etc/upgrade/3.8.3/schema.Pg
 copy share/html/Elements/{RT__Template => RT__Transaction}/ColumnMap (59%)
 copy t/data/configs/{apache2.2+fastcgi.conf.in => apache2.4+fastcgi.conf.in} (88%)
 copy t/data/configs/{apache2.2+mod_perl.conf.in => apache2.4+mod_perl.conf.in} (92%)
 create mode 100644 t/security/CVE-2012-4733-status.t
 create mode 100644 t/security/CVE-2013-3373-template-header-injection.t
 create mode 100644 t/shredder/02cfs.t

- Log -----------------------------------------------------------------
commit 72db35fb2a05c7e8aa6229221f79da74585b3d26
Merge: c2ef5e6 7108980
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Mon Oct 26 21:25:51 2015 +0800

    Merge branch '4.2-trunk'

diff --cc README
index 49edc68,85d7b2d..4163ba4
--- a/README
+++ b/README
@@@ -220,12 -216,9 +220,14 @@@ GENERAL INSTALLATIO
  
             perldoc /opt/rt4/bin/rt-mailgate
  
 -11) Set up automatic backups for RT and its data as described in
 -    the docs/backups.pod document.
 +11) Set up full text search
  
 +    Full text search (FTS) without database indexing is a very slow operation,
 +    and is thus disabled by default. You'll need to follow the instructions in
 +    docs/full_text_indexing.pod to enable FTS.
 +
++12) Set up automatic backups for RT and its data as described in
++    the docs/backups.pod document.
  
  GETTING HELP
  ------------
diff --cc lib/RT/Interface/Web.pm
index 1bd28ce,0860404..db0b5f6
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@@ -1308,15 -1299,15 +1308,15 @@@ sub ValidateWebConfig 
      return if $_has_validated_web_config;
      $_has_validated_web_config = 1;
  
 -    my $port = $ENV{SERVER_PORT};
 -    my $host = $ENV{HTTP_X_FORWARDED_HOST} || $ENV{HTTP_X_FORWARDED_SERVER}
 -            || $ENV{HTTP_HOST}             || $ENV{SERVER_NAME};
 +    my $port = RequestENV('SERVER_PORT');
 +    my $host = RequestENV('HTTP_X_FORWARDED_HOST') || RequestENV('HTTP_X_FORWARDED_SERVER')
 +            || RequestENV('HTTP_HOST')             || RequestENV('SERVER_NAME');
      ($host, $port) = ($1, $2) if $host =~ /^(.*?):(\d+)$/;
  
 -    if ( $port != RT->Config->Get('WebPort') and not $ENV{'rt.explicit_port'}) {
 +    if ( $port != RT->Config->Get('WebPort') and not RequestENV('rt.explicit_port')) {
          $RT::Logger->warn("The requested port ($port) does NOT match the configured WebPort ($RT::WebPort).  "
                           ."Perhaps you should Set(\$WebPort, $port); in RT_SiteConfig.pm, "
-                          ."otherwise your internal links may be broken.");
+                          ."otherwise your internal hyperlinks may be broken.");
      }
  
      if ( $host ne RT->Config->Get('WebDomain') ) {
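Review bot: The host and port compared here are taken from `X-Forwarded-Host`/`X-Forwarded-Server` before `HTTP_HOST`, and those headers are whatever the client sent unless the front proxy overwrites them; combined with the `$_has_validated_web_config` flag at the top of the hunk, the first request to reach a worker decides whether the port/domain warning is ever logged. That is tolerable only because the result feeds a log line, but nothing in the code says so. I would add above the `my $host` line: `# NOTE: X-Forwarded-* are client-supplied unless the proxy strips/overwrites them; this one-shot check only logs a config hint and must never feed a trust decision.` The body of ValidateWebConfig starts before this hunk.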
@@@ -1328,11 -1319,11 +1328,11 @@@
      # Unfortunately, there is no reliable way to get the _path_ that was
      # requested at the proxy level; simply disable this warning if we're
      # proxied and there's a mismatch.
 -    my $proxied = $ENV{HTTP_X_FORWARDED_HOST} || $ENV{HTTP_X_FORWARDED_SERVER};
 -    if ($ENV{SCRIPT_NAME} ne RT->Config->Get('WebPath') and not $proxied) {
 -        $RT::Logger->warn("The requested path ($ENV{SCRIPT_NAME}) does NOT match the configured WebPath ($RT::WebPath).  "
 -                         ."Perhaps you should Set(\$WebPath, '$ENV{SCRIPT_NAME}'); in RT_SiteConfig.pm, "
 +    my $proxied = RequestENV('HTTP_X_FORWARDED_HOST') || RequestENV('HTTP_X_FORWARDED_SERVER');
 +    if (RequestENV('SCRIPT_NAME') ne RT->Config->Get('WebPath') and not $proxied) {
 +        $RT::Logger->warn("The requested path ('" . RequestENV('SCRIPT_NAME') . "') does NOT match the configured WebPath ($RT::WebPath).  "
 +                         ."Perhaps you should Set(\$WebPath, '" .  RequestENV('SCRIPT_NAME') . "' in RT_SiteConfig.pm, "
-                          ."otherwise your internal links may be broken.");
+                          ."otherwise your internal hyperlinks may be broken.");
      }
  }
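Review bot: The rewritten hint on the `Perhaps you should Set(...` line dropped the closing `);` that the removed version had, so the log now tells the administrator to write `Set($WebPath, '/rt' in RT_SiteConfig.pm`, which is not valid Perl. Change it to `."Perhaps you should Set(\$WebPath, '" . RequestENV('SCRIPT_NAME') . "'); in RT_SiteConfig.pm, "`. Separately, `$proxied` is true whenever the first request carries an `X-Forwarded-Host` header, so the path-mismatch warning can be silenced by a client; acceptable for a log-only check, but worth a one-line comment next to the `my $proxied` assignment.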
  
diff --cc sbin/rt-test-dependencies.in
index 779cfad,188b52a..2cb4102
--- a/sbin/rt-test-dependencies.in
+++ b/sbin/rt-test-dependencies.in
@@@ -244,8 -236,8 +244,9 @@@ Mail::Mailer 1.5
  MIME::Entity 5.504
  Module::Refresh 0.03
  Module::Versions::Report 1.05
+ Encode 2.64
  Net::CIDR
 +Net::IP
  Plack 1.0002
  Plack::Handler::Starlet
  Regexp::Common
diff --cc share/html/Elements/EditLink
index 3c9aa42,0000000..cd37fee
mode 100644,000000..100644
--- a/share/html/Elements/EditLink
+++ b/share/html/Elements/EditLink
@@@ -1,70 -1,0 +1,70 @@@
 +%# BEGIN BPS TAGGED BLOCK {{{
 +%#
 +%# COPYRIGHT:
 +%#
 +%# This software is Copyright (c) 1996-2015 Best Practical Solutions, LLC
 +%#                                          <sales at bestpractical.com>
 +%#
 +%# (Except where explicitly superseded by other copyright notices)
 +%#
 +%#
 +%# LICENSE:
 +%#
 +%# This work is made available to you under the terms of Version 2 of
 +%# the GNU General Public License. A copy of that license should have
 +%# been provided with this software, but in any event can be snarfed
 +%# from www.gnu.org.
 +%#
 +%# This work is distributed in the hope that it will be useful, but
 +%# WITHOUT ANY WARRANTY; without even the implied warranty of
 +%# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +%# General Public License for more details.
 +%#
 +%# You should have received a copy of the GNU General Public License
 +%# along with this program; if not, write to the Free Software
 +%# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 +%# 02110-1301 or visit their web page on the internet at
 +%# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
 +%#
 +%#
 +%# CONTRIBUTION SUBMISSION POLICY:
 +%#
 +%# (The following paragraph is not intended to limit the rights granted
 +%# to you to modify and distribute this software under the terms of
 +%# the GNU General Public License and is only of importance to you if
 +%# you choose to contribute your changes and enhancements to the
 +%# community by submitting them to Best Practical Solutions, LLC.)
 +%#
 +%# By intentionally submitting any modifications, corrections or
 +%# derivatives to this work, or any other work intended for use with
 +%# Request Tracker, to Best Practical Solutions, LLC, you confirm that
 +%# you are the copyright holder for those contributions and you grant
 +%# Best Practical Solutions,  LLC a nonexclusive, worldwide, irrevocable,
 +%# royalty-free, perpetual, license to use, copy, create derivative
 +%# works based on those contributions, and sublicense and distribute
 +%# those contributions and any derivatives thereof.
 +%#
 +%# END BPS TAGGED BLOCK }}}
 +
 +% if ( $Mode eq 'Target' ) {
 +    <input type="checkbox" class="checkbox" id="DeleteLink--<%$Link->Type%>-<%$Link->Target%>" name="DeleteLink--<%$Link->Type%>-<%$Link->Target%>" value="1" />
 +    <label for="DeleteLink--<%$Link->Type%>-<%$Link->Target%>"><& ShowLink, URI => $Link->TargetURI &></label>
 +% } else {
 +      <input type="checkbox" class="checkbox" id="DeleteLink-<%$Link->Base%>-<%$Link->Type%>-" name="DeleteLink-<%$Link->Base%>-<%$Link->Type%>-" value="1" />
 +      <label for="DeleteLink-<%$Link->Base%>-<%$Link->Type%>-"><& ShowLink, URI => $Link->BaseURI &></label>
 +% }
 +
 +<br />
 +
 +<%INIT>
 +my $ModeObj = $Mode . 'Obj';
 +return if UNIVERSAL::isa($Link->$ModeObj, 'RT::Article') && $Link->$ModeObj->Disabled;
 +
 +# Skip reminders
- return if $Mode eq 'Base' && $Link->Type eq 'RefersTo' && UNIVERSAL::isa($Link->BaseObj, 'RT::Ticket')  && $Link->BaseObj->Type eq 'reminder';
++return if $Mode eq 'Base' && $Link->Type eq 'RefersTo' && UNIVERSAL::isa($Link->BaseObj, 'RT::Ticket')  && $Link->BaseObj->__Value('Type') eq 'reminder';
 +</%INIT>
 +
 +<%ARGS>
 +$Link
 +$Mode
 +</%ARGS>
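Review bot: The reminder filter in `<%INIT>` changed from `$Link->BaseObj->Type` to `$Link->BaseObj->__Value('Type')`, which reads the column without the rights check the `Type` accessor goes through (as far as I recall `RT::Ticket::_Value` requires ShowTicket), yet the only comment is `# Skip reminders`. The motivation is presumably that for a user who cannot see the reminder, `Type` returns undef, the `eq 'reminder'` test fails and the hidden reminder is rendered as a link; that rationale, and the fact that the raw value is only compared and never displayed, should be written down so nobody "fixes" it back. Suggested comment above the line: `# __Value bypasses the ShowTicket check on purpose: ->Type is undef for tickets the user cannot see, which would let reminders through; the raw value is only compared here, never displayed.`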
diff --cc share/html/Elements/ShowLinksOfType
index 5a259c0,9543c9a..ef96da4
--- a/share/html/Elements/ShowLinksOfType
+++ b/share/html/Elements/ShowLinksOfType
@@@ -89,10 -89,9 +89,10 @@@ my $ModeObj = "${mode}Obj"
  my (@active, @inactive, @not_tickets);
  while (my $link = $links->Next) {
      my $ToObj = $link->$ModeObj;
 +    next if UNIVERSAL::isa($ToObj,'RT::Article') && $ToObj->Disabled;
      if ($ToObj and $ToObj->isa('RT::Ticket')) {
          next if $Type eq "ReferredToBy"
-             and $ToObj->Type eq 'reminder';
+             and $ToObj->__Value('Type') eq 'reminder';
  
          if ( $ToObj->QueueObj->IsInactiveStatus( $ToObj->Status ) ) {
              push @inactive, $link;
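Review bot: `$ToObj->__Value('Type')` deliberately bypasses the rights-checked `Type` accessor, but the hunk leaves no trace of why, and a reader comparing it with the ordinary `$ToObj->Status` call two lines below will assume one of the two is a mistake. Add a why-comment on the `next if` line, e.g. `# raw read on purpose: ->Type is undef when the user lacks ShowTicket, which would un-hide reminders`. The enclosing `while` loop and the component body continue outside this hunk.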
diff --cc share/html/REST/1.0/Forms/ticket/links
index 45a0a40,1b851b9..4ef2eba
--- a/share/html/REST/1.0/Forms/ticket/links
+++ b/share/html/REST/1.0/Forms/ticket/links
@@@ -89,10 -89,7 +89,10 @@@ if ($changes) 
  
              my %old;
              my $field = $lfields{$key}->{Mode};
 +            my $mode_obj = $field . 'Obj';
              while (my $link = $ticket->$key->Next) {
 +                next if UNIVERSAL::isa($link->$mode_obj, 'RT::Article') && $link->$mode_obj->Disabled;
-                 next if $field eq 'Base' && $link->Type eq 'RefersTo' && $link->BaseObj->Type eq 'reminder';
++                next if $field eq 'Base' && $link->Type eq 'RefersTo' && $link->BaseObj->__Value('Type') eq 'reminder';
                  $old{$link->$field} = 1;
              }
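Review bot: The rewritten `next if` line calls `$link->BaseObj->__Value('Type')` without checking that BaseObj is a ticket, whereas the parallel line in the second hunk of this file guards it with `UNIVERSAL::isa($link->$mode_obj, 'RT::Ticket')`. A ReferredToBy link whose base is some other URI type (articles are filtered on the line above, nothing else is) would reach the method call on a non-ticket object, possibly undef, and warn or die. Make the two lines identical: `next if $field eq 'Base' && $link->Type eq 'RefersTo' && UNIVERSAL::isa($link->$mode_obj, 'RT::Ticket') && $link->BaseObj->__Value('Type') eq 'reminder';`. The enclosing `if ($changes)` block starts before this hunk.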
  
@@@ -160,10 -157,7 +160,10 @@@ else 
          my @val;
  
          my $field = $lfields{$key}->{Mode};
 +        my $mode_obj = $field . 'Obj';
          while (my $link = $ticket->$key->Next) {
 +            next if UNIVERSAL::isa($link->$mode_obj, 'RT::Article') && $link->$mode_obj->Disabled;
-             next if $field eq 'Base' && $link->Type eq 'RefersTo' && UNIVERSAL::isa($link->$mode_obj, 'RT::Ticket')  && $link->BaseObj->Type eq 'reminder';
++            next if $field eq 'Base' && $link->Type eq 'RefersTo' && UNIVERSAL::isa($link->$mode_obj, 'RT::Ticket')  && $link->BaseObj->__Value('Type') eq 'reminder';
              push @val, $link->$field;
          }
          push(@val, "") if (@val == 0 && defined $format && $format eq 'l');
diff --cc share/html/Ticket/Elements/ShowAttachments
index 8116db5,767c03e..eaf20f1
--- a/share/html/Ticket/Elements/ShowAttachments
+++ b/share/html/Ticket/Elements/ShowAttachments
@@@ -58,11 -58,7 +58,11 @@@
  % foreach my $rev (@{$documents{$key}}) {
  % if ($rev->ContentLength) {
  <li><font size="-2">
 +% if (my $url = RT->System->ExternalStorageURLFor($rev)) {
 +<a href="<%$url%>">
 +% } else {
- <a href="<%RT->Config->Get('WebPath')%>/Ticket/Attachment/<%$rev->TransactionId%>/<%$rev->Id%>/<%$rev->Filename | un %>">
+ <a href="<%RT->Config->Get('WebPath')%>/<% $DisplayPath %>/Attachment/<%$rev->TransactionId%>/<%$rev->Id%>/<%$rev->Filename | un %>">
 +% }
  % my $desc = loc("[_1] ([_2]) by [_3]", $rev->CreatedAsString, $rev->FriendlyContentLength, $m->scomp('/Elements/ShowUser', User => $rev->CreatorObj));
  <% $desc |n%>
  </a>
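Review bot: When `ExternalStorageURLFor` returns a URL, the anchor now sends the browser straight to external storage instead of the `/Attachment/` handler, so whatever access check that handler enforces on the owning ticket is no longer on the path; this template only shows that the link is emitted, not that the storage URL is unguessable or expiring, and that property lives in the backend outside this hunk. Say so where the choice is made: `% # external-storage URLs bypass RT's Attachment handler and its ACL; the backend must make them unguessable or time-limited`. `$DisplayPath` is a component argument declared outside the hunk and is spliced into a URL path, so its callers should pass only fixed values. The enclosing `foreach` loop starts before this hunk.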
diff --cc share/html/m/ticket/show
index 08760cb,7daa26e..c800654
--- a/share/html/m/ticket/show
+++ b/share/html/m/ticket/show
@@@ -454,8 -448,7 +454,8 @@@ for my $link ( @{ $Ticket->DependsOn->I
      <div class="value">
      <ul>
  % while (my $Link = $Ticket->ReferredToBy->Next) {
 +% next if UNIVERSAL::isa($Link->BaseObj, 'RT::Article') && $Link->BaseObj->Disabled;
- % next if (UNIVERSAL::isa($Link->BaseObj, 'RT::Ticket')  && $Link->BaseObj->Type eq 'reminder');
+ % next if (UNIVERSAL::isa($Link->BaseObj, 'RT::Ticket')  && $Link->BaseObj->__Value('Type') eq 'reminder');
  <li><& /Elements/ShowLink, URI => $Link->BaseURI &></li>
  % }
  </ul>
diff --cc share/static/css/base/misc.css
index 86a2708,4a92823..a4a1a00
--- a/share/static/css/base/misc.css
+++ b/share/static/css/base/misc.css
@@@ -76,10 -76,10 +76,14 @@@ textarea.messagebox, #cke_Content, #cke
    box-sizing: border-box;
  }
  
 +div.cke {
 +    border: 1px solid #b6b6b6;
 +}
 +
+ .selection-box {
+     min-width: 300px;
+ }
+ 
  .datepicker {
      width: 17em;
  }
diff --cc t/web/csrf.t
index 124d5eb,3fea287..de3c441
--- a/t/web/csrf.t
+++ b/t/web/csrf.t
@@@ -32,8 -32,57 +32,57 @@@ $m->title_is('Create a new ticket in Ge
  $m->add_header(Referer => undef);
  $m->get_ok("$test_page&user=root&pass=password");
  $m->content_lacks("Possible cross-site request forgery");
 -$m->title_is('Create a new ticket');
 +$m->title_is('Create a new ticket in General');
  
+ # CSRF parameter whitelist tests
+ my $searchBuildPath = '/Search/Build.html';
+ 
+ # CSRF whitelist for /Search/Build.html param SavedSearchLoad
+ $m->add_header(Referer => undef);
+ $m->get_ok("$searchBuildPath?SavedSearchLoad=foo");
+ $m->content_lacks('Possible cross-site request forgery');
+ $m->title_is('Query Builder');
+ 
+ # CSRF pass for /Search/Build.html no param
+ $m->add_header(Referer => undef);
+ $m->get_ok("$searchBuildPath");
+ $m->content_lacks('Possible cross-site request forgery');
+ $m->title_is('Query Builder');
+ 
+ # CSRF fail for /Search/Build.html arbitrary param only
+ $m->add_header(Referer => undef);
+ $m->get_ok("$searchBuildPath?foo=bar");
+ $m->content_contains('Possible cross-site request forgery');
+ $m->title_is('Possible cross-site request forgery');
+ 
+ # CSRF fail for /Search/Build.html arbitrary param with SavedSearchLoad
+ $m->add_header(Referer => undef);
+ $m->get_ok("$searchBuildPath?SavedSearchLoad=foo&foo=bar");
+ $m->content_contains('Possible cross-site request forgery');
+ $m->title_is('Possible cross-site request forgery');
+ 
+ # CSRF pass for /Search/Build.html param NewQuery
+ $m->add_header(Referer => undef);
+ $m->get_ok("$searchBuildPath?NewQuery=1");
+ $m->content_lacks('Possible cross-site request forgery');
+ $m->title_is('Query Builder');
+ 
+ # CSRF pass for /Ticket/Update.html items in ticket action menu
+ $m->add_header(Referer => undef);
+ $m->get_ok('/Ticket/Update.html?id=1&Action=foo');
+ $m->content_lacks('Possible cross-site request forgery');
+ 
+ # CSRF pass for /Ticket/Update.html reply to message in ticket history
+ $m->add_header(Referer => undef);
+ $m->get_ok('/Ticket/Update.html?id=1&QuoteTransaction=1&Action=Reply');
+ $m->content_lacks('Possible cross-site request forgery');
+ 
+ # CSRF pass for /Articles/Article/ExtractIntoClass.html
+ # Action->Extract Article on ticket menu
+ $m->add_header(Referer => undef);
+ $m->get_ok('/Articles/Article/ExtractIntoClass.html?Ticket=1');
+ $m->content_lacks('Possible cross-site request forgery');
+ 
  # now send a referer from an attacker
  $m->add_header(Referer => 'http://example.net');
  $m->get_ok($test_page);
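Review bot: The three new whitelist cases for `/Ticket/Update.html` and `/Articles/Article/ExtractIntoClass.html` assert only `content_lacks('Possible cross-site request forgery')`, so a login redirect, a permission error or a 500 page would pass just as well; the `/Search/Build.html` cases above pair the same check with `title_is('Query Builder')`. Add a title assertion after each of them, e.g. `$m->title_like(qr/^Update ticket #1/);` for the Update.html requests (exact wording to be confirmed against the template) and the corresponding one for ExtractIntoClass. If the Update.html whitelist follows the same rule the Build.html negative case at `?SavedSearchLoad=foo&foo=bar` demonstrates, one negative case such as `Update.html?id=1&Action=foo&foo=bar` would pin that too.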

-----------------------------------------------------------------------

