[Rt-commit] rt branch, 4.4/improve-create-custom-field-message, created. rt-4.4.2-91-g0ba29740c
Maureen Mirville
maureen at bestpractical.com
Mon Mar 5 13:54:42 EST 2018
The branch, 4.4/improve-create-custom-field-message has been created
at 0ba29740c655bd2963436ccf1e06d468d56fbf9b (commit)
- Log -----------------------------------------------------------------
commit 3d05aaa14ed979bb64836e5c01776b9d0239b230
Author: Aaron Kondziela <aaron at bestpractical.com>
Date: Tue Jan 24 18:20:28 2017 -0500
Fix timing sidechannel vulnerability in password checking
"eq" operators for comparing against passwords are replaced by a new
RT::Util::constant_time_eq to resolve a timing sidechannel vulnerability.
This addresses CVE-2017-5361.
Fixes: T#161960
diff --git a/lib/RT/User.pm b/lib/RT/User.pm
index 7b89d2166..8cf787caf 100644
--- a/lib/RT/User.pm
+++ b/lib/RT/User.pm
@@ -1122,7 +1122,7 @@ sub IsPassword {
my $salt = substr($hash, 0, 4, "");
return 0 unless RT::Util::constant_time_eq(
substr(Digest::SHA::sha256($salt . Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26),
- $hash, 1
+ $hash
);
} elsif (length $stored == 32) {
# Hex nonsalted-md5
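Review bot: Dropping the third argument here sends the raw, truncated `sha256` digest and the decoded `$hash` through the per-character UTF-8 octet comparison that the Util.pm hunk at the `my @a_octets = unpack(...)` lines now applies unconditionally, and any byte >= 0x80 encodes there as two octets. For a wrong password the two 26-byte strings differ at most positions, so the first position where only one side has a high byte trips `die $generic_error if (scalar @a_octets) != (scalar @b_octets)` and the login attempt dies instead of `IsPassword` returning 0. Either keep a byte-wise mode for binary inputs or pass both digests in a fixed ASCII form, e.g. `RT::Util::constant_time_eq(unpack("H*", substr(Digest::SHA::sha256(...), 0, 26)), unpack("H*", $hash))`. IsPassword begins and ends outside the hunk.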
diff --git a/lib/RT/Util.pm b/lib/RT/Util.pm
index f3cce3797..06bf8c359 100644
--- a/lib/RT/Util.pm
+++ b/lib/RT/Util.pm
@@ -56,6 +56,8 @@ our @EXPORT = qw/safe_run_child mime_recommended_filename EntityLooksLikeEmailMe
use Encode qw/encode/;
+use Encode qw/encode/;
+
sub safe_run_child (&) {
my $our_pid = $$;
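Review bot: The added `use Encode qw/encode/;` duplicates the identical line immediately above it, which is context in this hunk, so the change only adds a redundant import and a blank line. Drop the added lines; the later commit in this batch (bb5a3314) removes them again, which suggests they are an artifact of the branch's base rather than an intended change.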
@@ -166,9 +168,6 @@ The two string arguments B<MUST> be of equal length. If the lengths differ,
this function will call C<die()>, as proceeding with execution would create
a timing vulnerability. Length is defined by characters, not bytes.
-Strings that should be treated as binary octets rather than Unicode text
-should pass a true value for the binary flag.
-
This code has been tested to do what it claims. Do not change it without
thorough statistical timing analysis to validate the changes.
@@ -180,7 +179,7 @@ B<https://en.wikipedia.org/wiki/Timing_attack>
=cut
sub constant_time_eq {
- my ($a, $b, $binary) = @_;
+ my ($a, $b) = @_;
my $result = 0;
@@ -194,18 +193,9 @@ sub constant_time_eq {
my $a_char = substr($a, $i, 1);
my $b_char = substr($b, $i, 1);
- my (@a_octets, @b_octets);
-
- if ($binary) {
- @a_octets = ord($a_char);
- @b_octets = ord($b_char);
- }
- else {
- # encode() is set to die on malformed
- @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
- @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
- }
-
+ # encode() is set to die on malformed
+ my @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
+ my @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
die $generic_error if (scalar @a_octets) != (scalar @b_octets);
for (my $j = 0; $j < scalar @a_octets; $j++) {
@@ -215,30 +205,6 @@ sub constant_time_eq {
return 0 + not $result;
}
-=head2 EntityLooksLikeEmailMessage( MIME::Entity )
-
-Check MIME type headers for entities that look like email.
-
-=cut
-
-sub EntityLooksLikeEmailMessage {
- my $entity = shift;
-
- return unless $entity;
-
- # Use mime_type instead of effective_type to get the same headers
- # MIME::Parser used.
- my $mime_type = $entity->mime_type();
-
- # This is the same list of MIME types MIME::Parser uses. The partial and
- # external-body types are unlikely to produce usable attachments, but they
- # are still recognized as email for the purposes of this function.
-
- my @email_types = ('message/rfc822', 'message/partial', 'message/external-body');
-
- return 1 if grep { $mime_type eq $_ } @email_types;
- return 0;
-}
RT::Base->_ImportOverlays();
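Review bot: Removing `EntityLooksLikeEmailMessage` leaves it listed in `@EXPORT` (visible in the header of this file's first hunk, `our @EXPORT = qw/safe_run_child mime_recommended_filename EntityLooksLikeEmailMe…`), so importers of RT::Util are offered a sub that no longer exists and any caller fails at runtime. The commit message does not mention this removal, and the same sub is re-added verbatim by bb5a3314 later in this batch, so it looks like a diff artifact; if the removal is intended, update `@EXPORT` in the same commit.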
commit d5a9ef717e1bad842c19cec216da932ad9c5f126
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Tue Jun 27 08:37:17 2017 -0400
Add tests to show incorrect unset cf setting
diff --git a/t/web/ticket_display_unset_fields.t b/t/web/ticket_display_unset_fields.t
index b047edc84..89044e2e5 100644
--- a/t/web/ticket_display_unset_fields.t
+++ b/t/web/ticket_display_unset_fields.t
@@ -117,4 +117,5 @@ diag "Test unset custom fields";
isnt $dom->find(qq{tr.customfield.unset-field})->size, 1, "no unset custom fields";
}
+undef $m;
done_testing;
commit 2d93d82bf95f90b07e88a45c8c217259d62e3aef
Author: Felix Brilej <mond.beton at googlemail.com>
Date: Mon Jun 12 14:52:23 2017 +0200
Improve user interaction for too-large attachments
The Dropzone Function expects MiB, not bytes, therefore the previous
"10000" would result in an upload limit of 10GB. Setting the limit to
what's in $MaxAttachmentSize actually gives the user a feedback that
their attachment size is too big.
diff --git a/share/html/Ticket/Elements/AddAttachments b/share/html/Ticket/Elements/AddAttachments
index 1f968aabf..992eaa08b 100644
--- a/share/html/Ticket/Elements/AddAttachments
+++ b/share/html/Ticket/Elements/AddAttachments
@@ -72,7 +72,6 @@ jQuery( function() {
paramName: "Attach",
dictDefaultMessage: <% loc("Drop files here or click to attach") |n,j %>,
maxFilesize: MaxAttachmentSizeMiB,
- parallelUploads: 1,
previewTemplate: '' +
'<div class="dz-preview dz-file-preview">' +
' <div class="dz-remove-mark pointer-events" data-dz-remove>' +
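Review bot: The only change in this hunk is the removal of `parallelUploads: 1`, which the commit message does not explain — it describes the `maxFilesize` limit, but `maxFilesize: MaxAttachmentSizeMiB` is unchanged context here. Removing the option falls back to Dropzone's default concurrency, which presumably lets several files upload at once; if that is intended, say so in the message or in a short comment above the option block, e.g. `// rely on Dropzone's default parallelUploads`, and if not, the line should stay. The jQuery callback starts before the hunk and ends after it.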
commit bb5a3314e2ca597581ab1962f34a26d79aeba6fd
Author: Jim Brandt <jbrandt at bestpractical.com>
Date: Fri Jul 28 13:39:21 2017 -0400
Add an option to treat attached email messages as normal file attachments
Fixes: I#32833
diff --git a/lib/RT/Util.pm b/lib/RT/Util.pm
index 06bf8c359..2be9afd05 100644
--- a/lib/RT/Util.pm
+++ b/lib/RT/Util.pm
@@ -56,8 +56,6 @@ our @EXPORT = qw/safe_run_child mime_recommended_filename EntityLooksLikeEmailMe
use Encode qw/encode/;
-use Encode qw/encode/;
-
sub safe_run_child (&) {
my $our_pid = $$;
@@ -205,6 +203,30 @@ sub constant_time_eq {
return 0 + not $result;
}
+=head2 EntityLooksLikeEmailMessage( MIME::Entity )
+
+Check MIME type headers for entities that look like email.
+
+=cut
+
+sub EntityLooksLikeEmailMessage {
+ my $entity = shift;
+
+ return unless $entity;
+
+ # Use mime_type instead of effective_type to get the same headers
+ # MIME::Parser used.
+ my $mime_type = $entity->mime_type();
+
+ # This is the same list of MIME types MIME::Parser uses. The partial and
+ # external-body types are unlikely to produce usable attachments, but they
+ # are still recognized as email for the purposes of this function.
+
+ my @email_types = ('message/rfc822', 'message/partial', 'message/external-body');
+
+ return 1 if grep { $mime_type eq $_ } @email_types;
+ return 0;
+}
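Review bot: `return unless $entity;` at the top of the new sub yields undef (or an empty list in list context) while every other path returns 0 or 1, so callers that test `defined` or collect the result in a list see three different outcomes from what the POD describes as a boolean check; `return 0 unless $entity;` makes it consistent. As a point of style, the membership test reads more directly as `return any { $mime_type eq $_ } @email_types ? 1 : 0;` with List::Util, if the file already imports it, but the `grep` form is correct as written.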
RT::Base->_ImportOverlays();
commit 0ba29740c655bd2963436ccf1e06d468d56fbf9b
Author: Maureen E. Mirville <maureen at bestpractical.com>
Date: Wed Aug 30 10:09:27 2017 -0400
Improve message for adding/deleting a new custom field value
When a user creates a custom field and adds values as options, or deletes existing values, the previous messages — "Object created" after adding a value and "Object deleted" after deleting one — were unclear. The message has been updated to make it clear that the user added or deleted a specific custom field value.
Fixes: I#32695
diff --git a/share/html/Admin/CustomFields/Modify.html b/share/html/Admin/CustomFields/Modify.html
index 80cb05d08..2b9a28cfd 100644
--- a/share/html/Admin/CustomFields/Modify.html
+++ b/share/html/Admin/CustomFields/Modify.html
@@ -341,6 +341,8 @@ if ( $ARGS{'Update'} && $id ne 'new' ) {
foreach my $key ( keys %ARGS ) {
next unless $key =~ /^Delete-$paramtag-(\d+)$/;
my ($val, $msg) = $CustomFieldObj->DeleteValue( $1 );
+ my $cf_delete = $ARGS{ $paramtag . "-$1-Name" };
+ $msg = loc("Custom field value [_1] deleted", $cf_delete) if $val;
push (@results, $msg);
}
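Review bot: The name in the new deletion message comes from the submitted form field `$paramtag-$1-Name`, not from the value that `DeleteValue` actually removed, so the confirmation repeats whatever the client sent and is blank when that field is absent from the request; the `$cf_add` line in the next hunk reads the submitted name too, though there the field is the one being created. For the delete path, read the name from the value record before deleting it (load it by the captured id and use its name, if the value object exposes one) and fall back to the id when no name is available. Also copy `$1` into a named variable right after the match rather than reusing it two statements later, e.g. `my $cfv_id = $1;`.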
@@ -369,6 +371,8 @@ if ( $ARGS{'Update'} && $id ne 'new' ) {
$ARGS{$paramtag."-new-$_"} =~ s/\s+$//;
$_ => $ARGS{ $paramtag ."-new-$_" } } grep { defined $ARGS{ $paramtag ."-new-$_" } } qw/ Name Description SortOrder Category/
);
+ my $cf_add = $ARGS{ $paramtag.'-new-Name' };
+ $msg = loc("Custom field value [_1] added", $cf_add) if $id;
push (@results, $msg);
$added_cfv = 1 if $id;
diff --git a/t/web/cf_select_one.t b/t/web/cf_select_one.t
index 7fa13a22b..db3e0dc4a 100644
--- a/t/web/cf_select_one.t
+++ b/t/web/cf_select_one.t
@@ -36,7 +36,7 @@ diag "add 'qwe', 'ASD', '0' and ' foo ' as values to the CF";
},
button => 'Update',
);
- $m->content_contains('Object created', 'added a value to the CF' ); # or diag $m->content;
+ $m->content_contains('custom field value added', 'added a value to the CF' ); # or diag $m->content;
my $v = $value;
$v =~ s/^\s+$//;
$v =~ s/\s+$//;
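Review bot: The new expected string `'custom field value added'` cannot occur in the page: Modify.html builds the message as `loc("Custom field value [_1] added", $cf_add)`, so the rendered text is `Custom field value <name> added` with a capital C and the name in the middle, and `content_contains` is a case-sensitive substring check, so this assertion fails for every value in the loop. Match the fixed parts around the name instead, e.g. `$m->content_like(qr/Custom field value .*? added/, 'added a value to the CF');`, or build the exact string from the trimmed `$value`. The loop over the values starts before the hunk.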
-----------------------------------------------------------------------