[Rt-commit] rt branch, 4.4-trunk, updated. rt-4.4.2-64-gb027918
Alex Vandiver
alexmv at bestpractical.com
Tue Dec 26 02:08:26 EST 2017
The branch, 4.4-trunk has been updated
via b0279187e9194261fb692ef56bcfea569fa64230 (commit)
via 3e206d461db9b170b30b1f31964eed8691613b1b (commit)
via e510c8359a854bc88a95580292bf2b96e3fcd0c6 (commit)
via 7b81cbe83d49d40ae449614ab2f1c29987f2a0d9 (commit)
from cebf473d1fcfe07a62e23040b7828d516c1fa0aa (commit)
Summary of changes:
lib/RT/Interface/Web.pm | 15 +++--
lib/RT/Test/Web.pm | 10 +--
share/html/Dashboards/Modify.html | 9 ++-
share/html/Ticket/Attachment/WithHeaders/dhandler | 4 +-
share/html/Ticket/Attachment/dhandler | 8 +--
share/html/Ticket/Create.html | 6 +-
share/html/Ticket/Display.html | 12 ++--
t/externalauth/auth_config.t | 75 ++++++++++++-----------
t/security/CVE-2011-2084-attach-tickets.t | 4 +-
t/web/compilation_errors.t | 12 ++--
t/web/csrf.t | 2 +-
t/web/dashboards-basics.t | 10 ++-
t/web/path-traversal.t | 23 +++----
t/web/ticket_display.t | 3 +-
14 files changed, 108 insertions(+), 85 deletions(-)
- Log -----------------------------------------------------------------
commit 7b81cbe83d49d40ae449614ab2f1c29987f2a0d9
Author: Alex Vandiver <alex at chmrr.net>
Date: Tue Dec 26 01:34:29 2017 -0500
Don't fail externalauth/auth_config.t tests if Net::LDAP is missing
Doing the configuration at compile-time is complicated, and
additionally introduces an implicit dependency on Net::LDAP. Since
that dependency is technically optional, switch the configuration to
runtime, and introduce the same run-time dependency checking that is
used in other ExternalAuth tests.
diff --git a/t/externalauth/auth_config.t b/t/externalauth/auth_config.t
index dda38c6..e26709d 100644
--- a/t/externalauth/auth_config.t
+++ b/t/externalauth/auth_config.t
@@ -1,44 +1,47 @@
use strict;
use warnings;
-use RT;
-my $config;
-BEGIN{
- $config = <<'END';
-Set($ExternalSettings, {
- 'My_LDAP' => {
- 'type' => 'ldap',
- 'server' => 'ldap.example.com',
- # By not passing 'user' and 'pass' we are using an anonymous
- # bind, which some servers to not allow
- 'base' => 'ou=Staff,dc=example,dc=com',
- 'filter' => '(objectClass=inetOrgPerson)',
- # Users are allowed to log in via email address or account
- # name
- 'attr_match_list' => [
- 'Name',
- 'EmailAddress',
- ],
- # Import the following properties of the user from LDAP upon
- # login
- 'attr_map' => {
- 'Name' => 'sAMAccountName',
- 'EmailAddress' => 'mail',
- 'RealName' => 'cn',
- 'WorkPhone' => 'telephoneNumber',
- 'Address1' => 'streetAddress',
- 'City' => 'l',
- 'State' => 'st',
- 'Zip' => 'postalCode',
- 'Country' => 'co',
- },
+
+use RT::Test nodb => 1, tests => undef;
+use Test::Warn;
+
+# Having an LDAP in ExternalSettings implicitly loads Net::LDAP, so
+# only run these tests if that loads.
+eval { require RT::Authen::ExternalAuth; require Net::LDAP::Server::Test; 1; } or do {
+ plan skip_all => 'Unable to test without Net::LDAP and Net::LDAP::Server::Test';
+};
+
+RT::Config->Set( ExternalSettings => {
+ 'My_LDAP' => {
+ 'type' => 'ldap',
+ 'server' => 'ldap.example.com',
+ # By not passing 'user' and 'pass' we are using an anonymous
+ # bind, which some servers to not allow
+ 'base' => 'ou=Staff,dc=example,dc=com',
+ 'filter' => '(objectClass=inetOrgPerson)',
+ # Users are allowed to log in via email address or account
+ # name
+ 'attr_match_list' => [
+ 'Name',
+ 'EmailAddress',
+ ],
+ # Import the following properties of the user from LDAP upon
+ # login
+ 'attr_map' => {
+ 'Name' => 'sAMAccountName',
+ 'EmailAddress' => 'mail',
+ 'RealName' => 'cn',
+ 'WorkPhone' => 'telephoneNumber',
+ 'Address1' => 'streetAddress',
+ 'City' => 'l',
+ 'State' => 'st',
+ 'Zip' => 'postalCode',
+ 'Country' => 'co',
},
- } );
+ },
+} );
-END
-}
-use RT::Test nodb => 1, tests => undef, config => $config;
-use Test::Warn;
+warnings_are {RT::Config->PostLoadCheck} [], "No warnings loading config";
diag "Test ExternalAuth configuration processing";
my $auth_settings = RT::Config->Get('ExternalSettings');
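Review bot: The `eval { require RT::Authen::ExternalAuth; require Net::LDAP::Server::Test; 1; }` guard discards the load error, so when the test is skipped the reason names the modules but not why they failed to load, which hides the difference between a missing module and a broken one. `plan skip_all => "Unable to test without Net::LDAP and Net::LDAP::Server::Test: $@";` would keep that information. The comment above it says Net::LDAP is what is needed, while the check itself requires RT::Authen::ExternalAuth and Net::LDAP::Server::Test; presumably the latter pulls in Net::LDAP, but saying so in the comment would make the mismatch intentional. The test continues past the end of this hunk.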
commit e510c8359a854bc88a95580292bf2b96e3fcd0c6
Author: Robert <rspier at pobox.com>
Date: Sat Nov 4 22:47:03 2017 -0700
Set proper HTTP Status codes on Abort
Initially implemented because Google's crawler was complaining that "Ticket
not found" pages did not have a 404 status code.
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 5d6b39e..aff0f48 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -72,6 +72,7 @@ use Digest::MD5 ();
use List::MoreUtils qw();
use JSON qw();
use Plack::Util;
+use HTTP::Status qw();
=head2 SquishedCSS $style
@@ -2038,6 +2039,10 @@ sub Abort {
my $why = shift;
my %args = @_;
+ $args{Code} //= HTTP::Status::HTTP_OK;
+
+ $r->headers_out->{'Status'} = $args{Code} . ' ' . HTTP::Status::status_message($args{Code});
+
if ( $session{'ErrorDocument'}
&& $session{'ErrorDocumentType'} )
{
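Review bot: `$args{Code} //= HTTP::Status::HTTP_OK;` keeps 200 as the status for every Abort caller that does not pass Code, so the error-page-with-200 behaviour this commit sets out to fix persists at every call site not converted here, including callbacks and extensions that call Abort. An error response whose status is indistinguishable from success is exactly what defeats crawlers and status-based monitoring, which is the motivation given in the commit message. Consider defaulting to an error status, `$args{Code} //= HTTP::Status::HTTP_BAD_REQUEST;`, or at least documenting in Abort's POD that Code defaults to 200 for compatibility. Whether writing `$r->headers_out->{'Status'}` is honoured by every handler RT runs under is not visible here and worth confirming. Abort's body starts and ends outside the hunk.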
@@ -2140,11 +2145,11 @@ sub CreateTicket {
my $Queue = RT::Queue->new( $current_user );
unless ( $Queue->Load( $ARGS{'Queue'} ) ) {
- Abort('Queue not found');
+ Abort('Queue not found', Code => HTTP::Status::HTTP_NOT_FOUND);
}
unless ( $Queue->CurrentUserHasRight('CreateTicket') ) {
- Abort('You have no permission to create tickets in that queue.');
+ Abort('You have no permission to create tickets in that queue.', Code => HTTP::Status::HTTP_FORBIDDEN);
}
my $due;
@@ -2257,7 +2262,7 @@ sub CreateTicket {
push( @Actions, split( "\n", $ErrMsg ) );
unless ( $Ticket->CurrentUserHasRight('ShowTicket') ) {
- Abort( "No permission to view newly created ticket #" . $Ticket->id . "." );
+ Abort( "No permission to view newly created ticket #" . $Ticket->id . ".", Code => HTTP::Status::HTTP_FORBIDDEN );
}
return ( $Ticket, @Actions );
@@ -2282,13 +2287,13 @@ sub LoadTicket {
}
unless ($id) {
- Abort("No ticket specified");
+ Abort("No ticket specified", Code => HTTP::Status::HTTP_BAD_REQUEST);
}
my $Ticket = RT::Ticket->new( $session{'CurrentUser'} );
$Ticket->Load($id);
unless ( $Ticket->id ) {
- Abort("Could not load ticket $id");
+ Abort("Could not load ticket $id", Code => HTTP::Status::HTTP_NOT_FOUND);
}
return $Ticket;
}
diff --git a/share/html/Dashboards/Modify.html b/share/html/Dashboards/Modify.html
index 09da8e0..1998926 100644
--- a/share/html/Dashboards/Modify.html
+++ b/share/html/Dashboards/Modify.html
@@ -92,7 +92,7 @@ my $Dashboard = RT::Dashboard->new($session{'CurrentUser'});
my $method = $Create ? 'ObjectsForCreating' : 'ObjectsForModifying';
my @privacies = $Dashboard->$method;
-Abort(loc("Permission Denied")) if @privacies == 0;
+Abort(loc("Permission Denied"), Code => HTTP::Status::HTTP_FORBIDDEN) if @privacies == 0;
if ($Create) {
$title = loc("Create a new dashboard");
@@ -149,10 +149,13 @@ if (!$Create && !$tried_create && $id && $ARGS{'Save'}) {
my $can_delete = $Dashboard->CurrentUserCanDelete;
if (!$Create && !$tried_create && $id && $ARGS{'Delete'}) {
+ if (!$can_delete) {
+ Abort(loc("Couldn't delete dashboard [_1]: Permission Denied", $id), Code => HTTP::Status::HTTP_FORBIDDEN);
+ }
my ($ok, $msg) = $Dashboard->Delete();
if (!$ok) {
- Abort(loc("Couldn't delete dashboard [_1]: [_2]", $id, $msg));
- }
+ Abort(loc("Couldn't delete dashboard [_1]: [_2]", $id, $msg), Code => HTTP::Status::HTTP_BAD_REQUEST);
+ }
push @results, $msg;
$redirect_to = '/Dashboards/index.html';
diff --git a/share/html/Ticket/Attachment/WithHeaders/dhandler b/share/html/Ticket/Attachment/WithHeaders/dhandler
index cbe0751..0092878 100644
--- a/share/html/Ticket/Attachment/WithHeaders/dhandler
+++ b/share/html/Ticket/Attachment/WithHeaders/dhandler
@@ -50,13 +50,13 @@
my ($id) = $m->dhandler_arg =~ /^(\d+)/;
unless ( $id ) {
# wrong url format
- Abort("Corrupted attachment URL");
+ Abort("Corrupted attachment URL", Code => HTTP::Status::HTTP_BAD_REQUEST);
}
my $AttachmentObj = RT::Attachment->new( $session{'CurrentUser'} );
$AttachmentObj->Load( $id );
unless ( $AttachmentObj->id ) {
- Abort("Couldn't load attachment #$id");
+ Abort("Couldn't load attachment #$id", Code => HTTP::Status::HTTP_NOT_FOUND);
}
my $content_type = 'text/plain';
diff --git a/share/html/Ticket/Attachment/dhandler b/share/html/Ticket/Attachment/dhandler
index afa471c..67e0281 100644
--- a/share/html/Ticket/Attachment/dhandler
+++ b/share/html/Ticket/Attachment/dhandler
@@ -53,16 +53,16 @@ if ( $arg =~ m{^(\d+)/(\d+)} ) {
$attach = $2;
}
else {
- Abort("Corrupted attachment URL.");
+ Abort("Corrupted attachment URL.", Code => HTTP::Status::HTTP_BAD_REQUEST);
}
my $AttachmentObj = RT::Attachment->new( $session{'CurrentUser'} );
-$AttachmentObj->Load($attach) || Abort("Attachment '$attach' could not be loaded");
+$AttachmentObj->Load($attach) || Abort("Attachment '$attach' could not be loaded", Code => HTTP::Status::HTTP_NOT_FOUND);
unless ( $AttachmentObj->id ) {
- Abort("Bad attachment id. Couldn't find attachment '$attach'\n");
+ Abort("Bad attachment id. Couldn't find attachment '$attach'\n", Code => HTTP::Status::HTTP_NOT_FOUND);
}
unless ( $AttachmentObj->TransactionId() == $trans ) {
- Abort("Bad transaction number for attachment. $trans should be". $AttachmentObj->TransactionId() . "\n");
+ Abort("Bad transaction number for attachment. $trans should be". $AttachmentObj->TransactionId() . "\n", Code => HTTP::Status::HTTP_NOT_FOUND);
}
my $content = $AttachmentObj->OriginalContent;
diff --git a/share/html/Ticket/Create.html b/share/html/Ticket/Create.html
index 26dc216..e1b347d 100644
--- a/share/html/Ticket/Create.html
+++ b/share/html/Ticket/Create.html
@@ -366,7 +366,7 @@ my $current_user = $session{'CurrentUser'};
if ($CloneTicket) {
my $CloneTicketObj = RT::Ticket->new( $session{CurrentUser} );
$CloneTicketObj->Load($CloneTicket)
- or Abort( loc("Ticket could not be loaded") );
+ or Abort( loc("Ticket could not be loaded"), Code => HTTP::Status::HTTP_BAD_REQUEST );
my $clone = {
Requestors => join( ',', $CloneTicketObj->RequestorAddresses ),
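Review bot: `Code => HTTP::Status::HTTP_BAD_REQUEST` for a CloneTicket that cannot be loaded disagrees with LoadTicket in lib/RT/Interface/Web.pm in this same series, which answers `Could not load ticket` with HTTP_NOT_FOUND; the queue-load failure in the next hunk of this file likewise uses HTTP_BAD_REQUEST where CreateTicket in Web.pm uses HTTP_NOT_FOUND for `Queue not found`. Whether an unknown id is a 400 or a 404 is a judgement call, but the same condition should map to the same status across entry points so that tests and clients can rely on it. Suggest `Code => HTTP::Status::HTTP_NOT_FOUND` here and in the `Queue [_1] could not be loaded.` Abort.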
@@ -438,7 +438,7 @@ if ($CloneTicket) {
my @results;
my $QueueObj = RT::Queue->new($current_user);
-$QueueObj->Load($Queue) || Abort(loc("Queue [_1] could not be loaded.", $Queue||''));
+$QueueObj->Load($Queue) || Abort(loc("Queue [_1] could not be loaded.", $Queue||''), Code => HTTP::Status::HTTP_BAD_REQUEST);
my $title = loc("Create a new ticket in [_1]", $m->scomp("/Ticket/Elements/ShowQueue", QueueObj => $QueueObj));
@@ -446,7 +446,7 @@ $m->callback( QueueObj => $QueueObj, title => \$title, results => \@results, ARG
$m->scomp( '/Articles/Elements/SubjectOverride', ARGSRef => \%ARGS, QueueObj => $QueueObj, results => \@results );
-$QueueObj->Disabled && Abort(loc("Cannot create tickets in a disabled queue."));
+$QueueObj->Disabled && Abort(loc("Cannot create tickets in a disabled queue."), Code => HTTP::Status::HTTP_NOT_FOUND);
my $ticket = RT::Ticket->new($current_user); # empty ticket object
diff --git a/share/html/Ticket/Display.html b/share/html/Ticket/Display.html
index f992a1e..a6bfb85 100644
--- a/share/html/Ticket/Display.html
+++ b/share/html/Ticket/Display.html
@@ -133,7 +133,7 @@ my (@Actions, $title);
unless ($id || $TicketObj) {
- Abort('No ticket specified');
+ Abort('No ticket specified', Code => HTTP::Status::HTTP_BAD_REQUEST);
}
if ($ARGS{'id'} eq 'new') {
@@ -142,16 +142,16 @@ if ($ARGS{'id'} eq 'new') {
my $Queue = RT::Queue->new( $session{'CurrentUser'} );
$Queue->Load($ARGS{'Queue'});
unless ( $Queue->id ) {
- Abort('Queue not found');
+ Abort('Queue not found', Code => HTTP::Status::HTTP_NOT_FOUND);
}
unless ( $Queue->CurrentUserHasRight('CreateTicket') ) {
- Abort('You have no permission to create tickets in that queue.');
+ Abort('You have no permission to create tickets in that queue.', Code => HTTP::Status::HTTP_FORBIDDEN);
}
($TicketObj, @Actions) = CreateTicket( %ARGS );
unless ( $TicketObj->CurrentUserHasRight('ShowTicket') ) {
- Abort("No permission to view newly created ticket #".$TicketObj->id.".");
+ Abort("No permission to view newly created ticket #".$TicketObj->id.".", Code => HTTP::Status::HTTP_FORBIDDEN);
}
} else {
$TicketObj ||= LoadTicket($ARGS{'id'});
@@ -197,9 +197,9 @@ if ($ARGS{'id'} eq 'new') {
if ( !$SkipProcessing ) {
unless ($TicketObj->CurrentUserHasRight('ShowTicket')) {
if (@Actions) {
- Abort("A change was applied successfully, but you no longer have permissions to view the ticket", Actions => \@Actions);
+ Abort("A change was applied successfully, but you no longer have permissions to view the ticket", Actions => \@Actions, Code => HTTP::Status::HTTP_FORBIDDEN);
} else {
- Abort("No permission to view ticket");
+ Abort("No permission to view ticket", Code => HTTP::Status::HTTP_FORBIDDEN);
}
}
if ( $ARGS{'MarkAsSeen'} ) {
commit 3e206d461db9b170b30b1f31964eed8691613b1b
Author: Robert <rspier at pobox.com>
Date: Sun Dec 24 21:50:10 2017 -0800
Fix tests failing because they assume a 200 status response
diff --git a/lib/RT/Test/Web.pm b/lib/RT/Test/Web.pm
index 87070cd..f64890f 100644
--- a/lib/RT/Test/Web.pm
+++ b/lib/RT/Test/Web.pm
@@ -55,6 +55,7 @@ use base qw(Test::WWW::Mechanize);
use MIME::Base64 qw//;
use Encode 'encode_utf8';
use Storable 'thaw';
+use HTTP::Status qw();
BEGIN { require RT::Test; }
require Test::More;
@@ -126,7 +127,7 @@ sub logged_in_as {
my $self = shift;
my $user = shift || '';
- unless ( $self->status == 200 ) {
+ unless ( $self->status == HTTP::Status::HTTP_OK ) {
Test::More::diag( "error: status is ". $self->status );
return 0;
}
@@ -144,12 +145,12 @@ sub logout {
my $url = $self->rt_base_url;
$self->get($url);
Test::More::diag( "error: status is ". $self->status )
- unless $self->status == 200;
+ unless $self->status == HTTP::Status::HTTP_OK;
if ( $self->content =~ /Logout/i ) {
$self->follow_link( text => 'Logout' );
Test::More::diag( "error: status is ". $self->status ." when tried to logout" )
- unless $self->status == 200;
+ unless $self->status == HTTP::Status::HTTP_OK;
}
else {
return 1;
@@ -167,6 +168,7 @@ sub goto_ticket {
my $self = shift;
my $id = shift;
my $view = shift || 'Display';
+ my $status = shift || HTTP::Status::HTTP_OK;
unless ( $id && int $id ) {
Test::More::diag( "error: wrong id ". defined $id? $id : '(undef)' );
return 0;
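Review bot: `my $status = shift || HTTP::Status::HTTP_OK;` adds a third optional positional parameter after the optional `$view`, so a caller that only wants a non-default status has to pass `undef` for the view, as t/web/ticket_display.t now does with `goto_ticket($id, undef, HTTP::Status::HTTP_FORBIDDEN)`. A trailing options hash would read better but changes the signature of an existing helper, so at minimum whatever documentation goto_ticket has should gain a line such as `# $status: expected HTTP status of the page fetch; defaults to HTTP_OK`. goto_ticket continues past the end of this hunk.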
@@ -175,7 +177,7 @@ sub goto_ticket {
my $url = $self->rt_base_url;
$url .= "Ticket/${ view }.html?id=$id";
$self->get($url);
- unless ( $self->status == 200 ) {
+ unless ( $self->status == $status ) {
Test::More::diag( "error: status is ". $self->status );
return 0;
}
diff --git a/t/security/CVE-2011-2084-attach-tickets.t b/t/security/CVE-2011-2084-attach-tickets.t
index 3d189cb..6b1366a 100644
--- a/t/security/CVE-2011-2084-attach-tickets.t
+++ b/t/security/CVE-2011-2084-attach-tickets.t
@@ -2,6 +2,7 @@ use strict;
use warnings;
use RT::Test tests => undef;
+use HTTP::Status qw();
my $user = RT::Test->load_or_create_user(
Name => 'user',
@@ -39,7 +40,8 @@ my $ticket_b = RT::Test->last_ticket;
my ($baseurl, $m) = RT::Test->started_ok;
ok $m->login( 'user', 'password' ), 'logged in as user';
-$m->get_ok("$baseurl/Ticket/Display.html?id=" . $ticket_b->id);
+$m->get("$baseurl/Ticket/Display.html?id=" . $ticket_b->id);
+is($m->status, HTTP::Status::HTTP_FORBIDDEN, 'No permission to view ticket.');
$m->content_contains('No permission');
$m->warning_like(qr/no permission/i, 'no permission warning');
diff --git a/t/web/compilation_errors.t b/t/web/compilation_errors.t
index e4845e0..9664709 100644
--- a/t/web/compilation_errors.t
+++ b/t/web/compilation_errors.t
@@ -2,12 +2,14 @@ use strict;
use warnings;
use Test::More;
use File::Find;
+use HTTP::Status qw();
+
BEGIN {
sub wanted {
-f && /\.html$/ && $_ !~ /Logout.html$/ && $File::Find::dir !~ /RichText/;
}
my $tests = 7;
- find( sub { wanted() and $tests += 4 }, 'share/html/' );
+ find( sub { wanted() and $tests += 3 }, 'share/html/' );
plan tests => $tests + 1; # plus one for warnings check
}
@@ -28,11 +30,11 @@ $agent->cookie_jar($cookie_jar);
my $url = $agent->rt_base_url;
$agent->get($url);
-is($agent->status, 200, "Loaded a page");
+is($agent->status, HTTP::Status::HTTP_OK, "Loaded a page");
# follow the link marked "Login"
$agent->login(root => 'password');
-is($agent->status, 200, "Fetched the page ok");
+is($agent->status, HTTP::Status::HTTP_OK, "Fetched the page ok");
$agent->content_contains('Logout', "Found a logout link");
@@ -48,8 +50,8 @@ sub test_get {
$file =~ s#^share/html/##;
diag( "testing $url/$file" );
- $agent->get_ok("$url/$file");
- is($agent->status, 200, "Loaded $file");
+ $agent->get("$url/$file");
+ isnt($agent->status, HTTP::Status::HTTP_INTERNAL_SERVER_ERROR, "Loaded $file");
$agent->content_lacks('Not logged in', "Still logged in for $file");
$agent->content_lacks('raw error', "Didn't get a Mason compilation error on $file") or do {
if (my ($error) = $agent->content =~ /<pre>(.*?line.*?)$/s) {
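Review bot: `isnt($agent->status, HTTP::Status::HTTP_INTERNAL_SERVER_ERROR, "Loaded $file")` passes for any status other than 500, including 403 and 404, while the description still claims the page loaded, so a page whose route quietly disappears would now go unnoticed. If the intent is only to catch compile failures, rename the assertion, e.g. `isnt($agent->status, HTTP::Status::HTTP_INTERNAL_SERVER_ERROR, "No server error on $file")`; if the page is expected to render, assert the statuses actually allowed, e.g. `like($agent->status, qr/^[23]\d\d$/, "Loaded $file")`, though the pages that now legitimately answer 403 or 404 would then need explicit handling. test_get begins before the hunk.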
diff --git a/t/web/csrf.t b/t/web/csrf.t
index d693b55..bdd895d 100644
--- a/t/web/csrf.t
+++ b/t/web/csrf.t
@@ -147,7 +147,7 @@ $m->title_is('Possible cross-site request forgery');
# Create.html errors out.
my $link = $m->find_link(text_regex => qr{resume your request});
(my $broken_url = $link->url) =~ s/(CSRF_Token)=\w+/$1=crud/;
-$m->get_ok($broken_url);
+$m->get($broken_url);
$m->content_like(qr/Queue\s+could not be loaded/);
$m->title_is('RT Error');
$m->warning_like(qr/Queue\s+could not be loaded/);
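Review bot: Replacing `$m->get_ok($broken_url)` with `$m->get($broken_url)` drops the only status assertion on this request without adding one, unlike the other tests in this commit, so the status returned for a tampered CSRF token is now unchecked. Create.html in this series aborts `Queue [_1] could not be loaded.` with HTTP_BAD_REQUEST, so add `is($m->status, HTTP::Status::HTTP_BAD_REQUEST, 'tampered CSRF token is rejected');` after the get, plus `use HTTP::Status qw();` in the file preamble, which lies outside this hunk.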
diff --git a/t/web/dashboards-basics.t b/t/web/dashboards-basics.t
index f29e1d4..024439f 100644
--- a/t/web/dashboards-basics.t
+++ b/t/web/dashboards-basics.t
@@ -1,6 +1,7 @@
use strict;
use warnings;
+use HTTP::Status qw();
use RT::Test tests => 105;
my ($baseurl, $m) = RT::Test->started_ok;
@@ -40,7 +41,8 @@ $m->content_lacks('<a href="/Dashboards/Modify.html?Create=1">New</a>',
$m->no_warnings_ok;
-$m->get_ok($url."Dashboards/Modify.html?Create=1");
+$m->get($url."Dashboards/Modify.html?Create=1");
+is($m->status, HTTP::Status::HTTP_FORBIDDEN);
$m->content_contains("Permission Denied");
$m->content_lacks("Save Changes");
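Review bot: `is($m->status, HTTP::Status::HTTP_FORBIDDEN);` carries no test description, so a failure reports only a line number, whereas the surrounding assertions all say what they check; the same applies to the two later hunks in this file. Suggest `is($m->status, HTTP::Status::HTTP_FORBIDDEN, 'dashboard creation without the right is forbidden');` here and analogous descriptions for the create-with-ModifyOwnDashboard and delete cases.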
@@ -49,7 +51,8 @@ $m->warning_like(qr/Permission Denied/, "got a permission denied warning");
$user_obj->PrincipalObj->GrantRight(Right => 'ModifyOwnDashboard', Object => $RT::System);
# Modify itself is no longer good enough, you need Create
-$m->get_ok($url."Dashboards/Modify.html?Create=1");
+$m->get($url."Dashboards/Modify.html?Create=1");
+is($m->status, HTTP::Status::HTTP_FORBIDDEN);
$m->content_contains("Permission Denied");
$m->content_lacks("Save Changes");
@@ -150,7 +153,8 @@ $m->content_unlike( qr/Bookmarked Tickets.*Bookmarked Tickets/s,
'only dashboard queries show up' );
$m->content_contains("dashboard test", "ticket subject");
-$m->get_ok("/Dashboards/Modify.html?id=$id&Delete=1");
+$m->get("/Dashboards/Modify.html?id=$id&Delete=1");
+is($m->status, HTTP::Status::HTTP_FORBIDDEN);
$m->content_contains("Permission Denied", "unable to delete dashboard because we lack DeleteOwnDashboard");
$m->warning_like(qr/Couldn't delete dashboard.*Permission Denied/, "got a permission denied warning when trying to delete the dashboard");
diff --git a/t/web/path-traversal.t b/t/web/path-traversal.t
index 2a81d98..204ed40 100644
--- a/t/web/path-traversal.t
+++ b/t/web/path-traversal.t
@@ -1,49 +1,50 @@
use strict;
use warnings;
+use HTTP::Status qw();
use RT::Test tests => undef;
my ($baseurl, $agent) = RT::Test->started_ok;
ok($agent->login);
$agent->get("$baseurl/NoAuth/../Elements/HeaderJavascript");
-is($agent->status, 400);
+is($agent->status, HTTP::Status::HTTP_BAD_REQUEST);
$agent->warning_like(qr/Invalid request.*aborting/);
$agent->get("$baseurl/NoAuth/../%45lements/HeaderJavascript");
-is($agent->status, 400);
+is($agent->status, HTTP::Status::HTTP_BAD_REQUEST);
$agent->warning_like(qr/Invalid request.*aborting/);
$agent->get("$baseurl/NoAuth/%2E%2E/Elements/HeaderJavascript");
-is($agent->status, 400);
+is($agent->status, HTTP::Status::HTTP_BAD_REQUEST);
$agent->warning_like(qr/Invalid request.*aborting/);
$agent->get("$baseurl/NoAuth/../../../etc/RT_Config.pm");
-is($agent->status, 400);
+is($agent->status, HTTP::Status::HTTP_BAD_REQUEST);
$agent->warning_like(qr/Invalid request.*aborting/) unless $ENV{RT_TEST_WEB_HANDLER} =~ /^apache/;
$agent->get("$baseurl/static/css/web2/images/../../../../../../etc/RT_Config.pm");
-# Apache hardcodes a 400m but the static handler returns a 403 for traversal too high
-is($agent->status, $ENV{RT_TEST_WEB_HANDLER} =~ /^apache/ ? 400 : 403);
+# Apache hardcodes a 400 but the static handler returns a 403 for traversal too high
+is($agent->status, $ENV{RT_TEST_WEB_HANDLER} =~ /^apache/ ? HTTP::Status::HTTP_BAD_REQUEST : HTTP::Status::HTTP_FORBIDDEN);
# Do not reject a simple /. in the URL, for downloading uploaded
# dotfiles, for example.
$agent->get("$baseurl/Ticket/Attachment/28/9/.bashrc");
-is($agent->status, 200); # Even for a file not found, we return 200
+is($agent->status, HTTP::Status::HTTP_NOT_FOUND);
$agent->next_warning_like(qr/could not be loaded/, "couldn't loaded warning");
$agent->content_like(qr/Attachment \S+ could not be loaded/);
# do not reject these URLs, even though they contain /. outside the path
$agent->get("$baseurl/index.html?ignored=%2F%2E");
-is($agent->status, 200);
+is($agent->status, HTTP::Status::HTTP_OK);
$agent->get("$baseurl/index.html?ignored=/.");
-is($agent->status, 200);
+is($agent->status, HTTP::Status::HTTP_OK);
$agent->get("$baseurl/index.html#%2F%2E");
-is($agent->status, 200);
+is($agent->status, HTTP::Status::HTTP_OK);
$agent->get("$baseurl/index.html#/.");
-is($agent->status, 200);
+is($agent->status, HTTP::Status::HTTP_OK);
done_testing;
diff --git a/t/web/ticket_display.t b/t/web/ticket_display.t
index 33336d7..7183b5e 100644
--- a/t/web/ticket_display.t
+++ b/t/web/ticket_display.t
@@ -44,7 +44,8 @@ diag "test ShowTicket right";
'got no permission warning' );
- $m->goto_ticket($id);
+ $m->goto_ticket($id, undef, HTTP::Status::HTTP_FORBIDDEN);
+ is($m->status, HTTP::Status::HTTP_FORBIDDEN, 'No permission');
$m->content_contains( "No permission to view ticket",
'got no permission msg' );
$m->warning_like( qr/No permission to view ticket/, 'got warning' );
commit b0279187e9194261fb692ef56bcfea569fa64230
Merge: cebf473 3e206d4
Author: Alex Vandiver <alex at chmrr.net>
Date: Tue Dec 26 01:48:32 2017 -0500
Merge branch '4.4/http-status-code' into 4.4-trunk
Closes GH-236, by merging with slight fixups.
-----------------------------------------------------------------------