[Rt-commit] rt branch 4.4.7-releng updated. rt-4.4.7beta1-11-g33e9203bf2

BPS Git Server git at git.bestpractical.com
Thu Oct 19 14:53:47 UTC 2023


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 4.4.7-releng has been updated
       via  33e9203bf2a61e20f8b8e682d57f55cb7a995967 (commit)
       via  42124d39ac34d170b7f73b1d8c52031f061f75a8 (commit)
       via  308173600817b7f7b2a7e70f22bfe2f175375ad9 (commit)
       via  35548e3ee85dba8a590d8113ac40703dcf90a281 (commit)
       via  ce9112420d12b889f2e44684b3da4cdc541a59fe (commit)
       via  335fc5ae0a1e7d4617afde7c33adc1f65d626699 (commit)
       via  abbdf539ace291ae0b09935dc84ef390aa9aef6a (commit)
       via  5b69c05f5a9a7d3e38a7e5269d911e04096517dd (commit)
       via  46cef1925d49c9140ec738d4a068fc470b0de290 (commit)
       via  afb7dcded721e27028e47b62e7e5ed8ffc492beb (commit)
       via  a7a83dfdf591cd4d9f547048e89a5a310eeef32d (commit)
      from  2c63541437c5670667070352ab548aea5f38351f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 33e9203bf2a61e20f8b8e682d57f55cb7a995967
Merge: 2c63541437 42124d39ac
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Oct 19 10:38:58 2023 -0400

    Merge branch 'security/4.4.7-releng' into 4.4.7-releng


commit 42124d39ac34d170b7f73b1d8c52031f061f75a8
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Tue Oct 17 16:30:03 2023 -0400

    Fix typo

diff --git a/docs/web_deployment.pod b/docs/web_deployment.pod
index 3177d2abfd..e7bf788f12 100644
--- a/docs/web_deployment.pod
+++ b/docs/web_deployment.pod
@@ -186,7 +186,7 @@ If you run C<bin/rt-mailgate> on a separate server, you can update
 the above to allow additional IP addresses.
 
     <Location /REST/1.0/NoAuth/mail-gateway>
-        Require ip 127.0.0.1 ::1 192.0.2.0  # Add you actual IPs
+        Require ip 127.0.0.1 ::1 192.0.2.0  # Add your actual IPs
     </Location>
 
 See the L<Apache documentation|https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html>

commit 308173600817b7f7b2a7e70f22bfe2f175375ad9
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Oct 12 16:43:33 2023 -0400

    Enable devel mode for mailgate tests that depend on detailed output
    
    Now we only show detailed output on devel mode, see also ef958dadf4.

diff --git a/t/mail/gateway.t b/t/mail/gateway.t
index c51daa9092..8f9e941c40 100644
--- a/t/mail/gateway.t
+++ b/t/mail/gateway.t
@@ -2,7 +2,7 @@ use strict;
 use warnings;
 
 
-use RT::Test config => 'Set( @MailPlugins, "Action::Take", "Action::Resolve");', tests => undef, actual_server => 1;
+use RT::Test config => 'Set( @MailPlugins, "Action::Take", "Action::Resolve"); Set($DevelMode, 1);', tests => undef, actual_server => 1;
 my ($baseurl, $m) = RT::Test->started_ok;
 
 use RT::Tickets;
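Review bot: With `Set($DevelMode, 1);` added to this `use RT::Test` line, the test only exercises the verbose response path, so the new production behaviour of the mail-gateway endpoint (generic error text, no `Ticket:`/`Queue:`/`Owner:` lines) has no coverage visible in this push. The same applies to the matching changes in t/mail/han-encodings.t and t/ticket/interface.t. A companion test that starts the server without DevelMode and asserts the response body carries no detail would pin the information-disclosure fix, along the lines of `unlike( $body, qr/^(?:Ticket|Queue|Owner):/m, 'no ticket details outside DevelMode' );` where `$body` stands for the captured gateway response. A short comment next to the config string saying why DevelMode is on here would also help.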
diff --git a/t/mail/han-encodings.t b/t/mail/han-encodings.t
index ba1acc0cd4..d2dc523802 100644
--- a/t/mail/han-encodings.t
+++ b/t/mail/han-encodings.t
@@ -1,7 +1,7 @@
 use strict;
 use warnings;
 
-use RT::Test tests => undef, actual_server => 1;
+use RT::Test tests => undef, config => 'Set($DevelMode, 1);', actual_server => 1;
 
 # we can't simply call Encode::HanExtra->require here because we are testing
 # if Encode::HanExtra could be automatically loaded.
diff --git a/t/ticket/interface.t b/t/ticket/interface.t
index fd3ee581bb..71013d1697 100644
--- a/t/ticket/interface.t
+++ b/t/ticket/interface.t
@@ -1,7 +1,7 @@
 use strict;
 use warnings;
 
-use RT::Test tests => undef, actual_server => 1;
+use RT::Test tests => undef, config => 'Set($DevelMode, 1);', actual_server => 1;
 
 my ( $baseurl, $m ) = RT::Test->started_ok;
 

commit 35548e3ee85dba8a590d8113ac40703dcf90a281
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Mon Sep 25 16:55:33 2023 -0400

    Update tests as RT-Send-Cc is cleared now

diff --git a/t/mail/sendmail-plaintext.t b/t/mail/sendmail-plaintext.t
index b9eb719516..141039244c 100644
--- a/t/mail/sendmail-plaintext.t
+++ b/t/mail/sendmail-plaintext.t
@@ -132,7 +132,7 @@ for my $encoding ('ISO-8859-1', 'UTF-8') {
 {
     my ($ticket) = mail_in_ticket('rt-send-cc');
     my $cc = first_attach($ticket)->GetHeader('RT-Send-Cc');
-    like ($cc, qr/test$_/, "Found test $_") for 1..5;
+    ok (!$cc, "No RT-Send-Cc"); # RT-Send-Cc is supposed to be cleared
 }
 
 {
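Review bot: The new assertion `ok (!$cc, "No RT-Send-Cc");` also passes for `''` and `'0'`, and on failure it does not print the header value that leaked through. `is( $cc, undef, 'RT-Send-Cc is stripped from incoming mail' );` would show the offending value, assuming `GetHeader` returns undef for a missing header (not visible here). The identical change in t/mail/sendmail.t has the same shape. Only `RT-Send-Cc` is asserted, while the Gateway change in this push deletes six headers; the other five have no assertion visible here.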
diff --git a/t/mail/sendmail.t b/t/mail/sendmail.t
index 4ef320611b..d6ead4d802 100644
--- a/t/mail/sendmail.t
+++ b/t/mail/sendmail.t
@@ -157,7 +157,7 @@ for my $encoding ('ISO-8859-1', 'UTF-8') {
 {
     my ($ticket) = mail_in_ticket('rt-send-cc');
     my $cc = first_attach($ticket)->GetHeader('RT-Send-Cc');
-    like ($cc, qr/test$_/, "Found test $_") for 1..5;
+    ok (!$cc, "No RT-Send-Cc"); # RT-Send-Cc is supposed to be cleared
 }
 
 {

commit ce9112420d12b889f2e44684b3da4cdc541a59fe
Merge: abbdf539ac 335fc5ae0a
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Mon Sep 25 15:22:50 2023 -0400

    Merge branch 'security/4.4/suppress-mailgate-REST-responses' into security/4.4.7-releng


commit 335fc5ae0a1e7d4617afde7c33adc1f65d626699
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Fri Aug 25 13:32:08 2023 -0400

    Return mail processing details only in DevelMode
    
    Don't return any system details in responses to POSTs
    when not in DevelMode to avoid disclosing any information.

diff --git a/share/html/REST/1.0/NoAuth/mail-gateway b/share/html/REST/1.0/NoAuth/mail-gateway
index 9adad505d4..95ffe17137 100644
--- a/share/html/REST/1.0/NoAuth/mail-gateway
+++ b/share/html/REST/1.0/NoAuth/mail-gateway
@@ -59,9 +59,18 @@ use RT::Interface::Email;
 $r->content_type('text/plain; charset=utf-8');
 $m->error_format('text');
 my ( $status, $error, $Ticket ) = RT::Interface::Email::Gateway( \%ARGS );
+
+# Obscure the message to avoid any information disclosure unless
+# in DevelMode.
+my $log_error;
+unless ( RT->Config->Get('DevelMode') ) {
+    $log_error = $error;
+    $error = 'operation unsuccessful';
+}
+
 if ( $status == 1 ) {
   $m->out("ok\n");
-  if ( $Ticket && $Ticket->Id ) {
+  if ( $Ticket && $Ticket->Id && RT->Config->Get('DevelMode') ) {
     $m->out( 'Ticket: '  . ($Ticket->Id             || '') . "\n" );
     $m->out( 'Queue: '   . ($Ticket->QueueObj->Name || '') . "\n" );
     $m->out( 'Owner: '   . ($Ticket->OwnerObj->Name || '') . "\n" );
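Review bot: The gating reads `RT->Config->Get('DevelMode')` twice, once around the `$error` rewrite and again in the `$Ticket` condition, so the two checks can drift apart in later edits. Reading it once, `my $devel_mode = RT->Config->Get('DevelMode');`, and testing `$devel_mode` in both places keeps them in step. The comment above `$log_error` could also say what is at stake on this NoAuth path, e.g. `# NoAuth endpoint: with DevelMode on, error text and ticket id/queue/owner go back to the caller`. The `if ( $status == 1 )` body continues past the end of this hunk.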
@@ -73,9 +82,11 @@ if ( $status == 1 ) {
 }
 else {
   if ( $status == -75 ) {
+    RT->Logger->error("mail-gateway returned status -75: $log_error") if $log_error;
     $m->out( "temporary failure - $error\n" );
   }
   else {
+    RT->Logger->error("mail-gateway error: $log_error") if $log_error;
     $m->out( "not ok - $error\n" );
   }
 }
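Review bot: Both new `RT->Logger->error(...)` calls are guarded by `if $log_error`, so a failure whose `$error` is empty or undefined is never logged by this component, while the client outside DevelMode sees only `operation unsuccessful`. Such a failure then leaves no trace here (Gateway may log on its own; that is not visible in this hunk). Capturing the original unconditionally with `my $log_error = $error;` and logging `"mail-gateway error: " . ( $log_error // '(no detail)' )` would keep a record for every failed POST. If `$error` can carry text taken from the incoming message, stripping CR/LF before interpolating it into the log line would also be worth doing.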

commit abbdf539ace291ae0b09935dc84ef390aa9aef6a
Merge: 5b69c05f5a 46cef1925d
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Mon Sep 25 15:13:41 2023 -0400

    Merge branch 'security/4.4/document-mailgate-apache-config' into security/4.4.7-releng


commit 5b69c05f5a9a7d3e38a7e5269d911e04096517dd
Merge: 2c63541437 afb7dcded7
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Mon Sep 25 15:13:32 2023 -0400

    Merge branch 'security/4.4/sanitize-sensitive-headers' into security/4.4.7-releng


commit 46cef1925d49c9140ec738d4a068fc470b0de290
Author: Jim Brandt <jbrandt at bestpractical.com>
Date:   Fri Aug 25 13:57:24 2023 -0400

    Document restricting access to REST 1.0 mail-gateway

diff --git a/docs/web_deployment.pod b/docs/web_deployment.pod
index d4d6a43122..3177d2abfd 100644
--- a/docs/web_deployment.pod
+++ b/docs/web_deployment.pod
@@ -171,6 +171,30 @@ B<WARNING: mod_perl 1.99_xx is not supported.>
 To run RT using mod_perl 1.xx please see L<Plack::Handler::Apache1> for
 configuration examples.
 
+=head3 Restricting the REST 1.0 mail-gateway
+
+RT processes email via a REST 1.0 endpoint. If you accept email on the same
+server as your running RT, you can restrict this endpoint to localhost only
+with a configuration like the following:
+
+    # Accept requests only from localhost
+    <Location /REST/1.0/NoAuth/mail-gateway>
+        Require local
+    </Location>
+
+If you run C<bin/rt-mailgate> on a separate server, you can update
+the above to allow additional IP addresses.
+
+    <Location /REST/1.0/NoAuth/mail-gateway>
+        Require ip 127.0.0.1 ::1 192.0.2.0  # Add you actual IPs
+    </Location>
+
+See the L<Apache documentation|https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html>
+for additional configuration options.
+
+After adding this configuration, test receiving email and confirm
+your C<bin/rt-mailgate> utility and C</etc/aliases> configurations
+can successfully submit email to RT.
 
 =head2 nginx
 

commit afb7dcded721e27028e47b62e7e5ed8ffc492beb
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Tue Sep 12 16:21:26 2023 -0400

    Sanitize non-crypt headers used in RT internally from incoming email

diff --git a/lib/RT/Interface/Email.pm b/lib/RT/Interface/Email.pm
index 0cd2d1cd2d..dfe0c8f4c4 100644
--- a/lib/RT/Interface/Email.pm
+++ b/lib/RT/Interface/Email.pm
@@ -159,6 +159,10 @@ sub Gateway {
         );
     }
 
+    # Clean up sensitive headers. Crypt related headers are cleaned up in RT::Interface::Email::Crypt::VerifyDecrypt
+    my @headers = qw( RT-Attach RT-Send-Cc RT-Send-Bcc RT-Message-ID RT-DetectedAutoGenerated RT-Squelch-Replies-To );
+    $Message->head->delete($_) for @headers;
+
     #Set up a queue object
     my $SystemQueueObj = RT::Queue->new( RT->SystemUser );
     $SystemQueueObj->Load( $args{'queue'} );
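Review bot: The new `$Message->head->delete($_) for @headers;` cleans only the top-level header block, whereas `VerifyDecrypt` in lib/RT/Interface/Email/Crypt.pm (also in this push) walks `$args{'Message'}->parts_DFS` and deletes from every part. If any of these `RT-*` headers is ever read from a nested part, the two sanitizers should agree, e.g. `for my $p ( $Message->parts_DFS ) { $p->head->delete($_) for @headers; }`; if they are only read from the top-level head, a comment saying so would settle it. The list is hard-coded, so a note such as `# keep in sync with every RT-* header RT sets or trusts internally` would help the next maintainer. `Gateway` starts and ends outside this hunk, so what runs on the message before this point is not visible here.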

commit a7a83dfdf591cd4d9f547048e89a5a310eeef32d
Author: Dianne Skoll <dianne at bestpractical.com>
Date:   Wed Nov 4 08:45:44 2020 -0500

    Clear all RT crypt headers from incoming email before processing
    
    Because of missing parens, the old code accidentally did not delete the
    X-RT-SMIME-Status or X-RT-GnuPG-Status headers.

diff --git a/lib/RT/Interface/Email/Crypt.pm b/lib/RT/Interface/Email/Crypt.pm
index bc3427ca49..9d4d4fe584 100644
--- a/lib/RT/Interface/Email/Crypt.pm
+++ b/lib/RT/Interface/Email/Crypt.pm
@@ -73,13 +73,14 @@ sub VerifyDecrypt {
     );
 
     # we clean all possible headers
-    my @headers =
+    my @headers = (
         qw(
             X-RT-Incoming-Encryption
             X-RT-Incoming-Signature X-RT-Privacy
             X-RT-Sign X-RT-Encrypt
         ),
-        map "X-RT-$_-Status", RT::Crypt->Protocols;
+        map "X-RT-$_-Status", RT::Crypt->Protocols
+    );
     foreach my $p ( $args{'Message'}->parts_DFS ) {
         $p->head->delete($_) for @headers;
     }
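Review bot: The added parentheses around the `qw(...)`, `map ...` list carry the whole fix, but nothing in the code says why they matter, so a later tidy-up could drop them again. A comment such as `# parens required: without them only the qw() list is assigned and the map is discarded` above `my @headers = (` would guard against that. The change summary lists no test for this path; a test that sends mail with a forged `X-RT-GnuPG-Status` header and asserts it is absent after `VerifyDecrypt` would catch a regression. `VerifyDecrypt` starts and ends outside this hunk.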

-----------------------------------------------------------------------

Summary of changes:
 docs/web_deployment.pod                 | 24 ++++++++++++++++++++++++
 lib/RT/Interface/Email.pm               |  4 ++++
 lib/RT/Interface/Email/Crypt.pm         |  5 +++--
 share/html/REST/1.0/NoAuth/mail-gateway | 13 ++++++++++++-
 t/mail/gateway.t                        |  2 +-
 t/mail/han-encodings.t                  |  2 +-
 t/mail/sendmail-plaintext.t             |  2 +-
 t/mail/sendmail.t                       |  2 +-
 t/ticket/interface.t                    |  2 +-
 9 files changed, 48 insertions(+), 8 deletions(-)


hooks/post-receive
-- 
rt

