rt-5.0.6
RT 5.0.6 -- 2024-05-06
RT 5.0.6 is now available for general use. The list of changes
included with this release is below. In addition to a batch of
updates, new features, and fixes, there is one new configuration option
that provides new strict browser caching. See below for details.
https://download.bestpractical.com/pub/rt/release/rt-5.0.6.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.6.tar.gz.asc
SHA-256 sums
b556bedd2b4a356ec9f54eb673ff250ae9100347a04d11e34637e3fdd3efdddb rt-5.0.6.tar.gz
783d633f62efaff18fc352c6ccbfa2f9f58408eb22e820885e1ed517a2ba8978 rt-5.0.6.tar.gz.asc
Strict Browser Cache Configuration Option
CVE-2024-3262 describes previously viewed pages being stored in the
browser cache, which is the typical default behavior of most browsers to
enable the "back" button. Someone who gains access to a host computer could
potentially view ticket data using the back button, even after logging out
of RT. The CVE specifically references RT version 4.4.1, but this behavior
is present in most browsers viewing all versions of RT before 5.0.6.
RT 5.0.6 adds a new configuration option, $WebStrictBrowserCache, which
instructs the browser not to cache page content from RT. If you run RT,
including RTIR, with highly sensitive ticket data, you can enable this new
option to prevent browser caching. The default is still disabled, to
allow for normal browser functionality, so you need to enable this option
to run with the new feature.
General user features
- Support to hide empty custom roles on ticket display page
- Support to explicitly bind Business Hours for CustomDateRanges
- Distinguish business hours by adding related css classes in search chart table
- Process ticket owner updates before message updates
- Prevent double-clicking from submitting forms multiple times
- Open results from chart table in new tab
- Create UI for adjusting dashboard column width
- Load owner dropdown via AJAX for inline edit on list to speed up page load
- Multiple updates to provide autocomplete for asset links and to
improve other linking autocomplete (based on code from gibus, thanks!) - Set filename of attachments when it's absent for Outlook
- Escape one-time checkbox name in case it contains special regex characters
- Provide initial support for charts with transaction searches
- Fix Create Linked Ticket modal on Self Service Asset page
- Move asset widget to right column on self service ticket
- Support inline edit for assets
- On search filter, use a wider modal for Created column just like LastUpdated
- Support URL shortener for links in search pagination
- Add initial support for charts with assets
- Add search filter support to assets
- On charts, increase "Group By" rows to 5 to group by 2 more fields
- Fix ticket/attachment links on SelfService transaction display page
- Remove the empty option from multiple-value select custom fields
- Load the first catalog current user can create assets in on asset create page
- Submit form when catalog changes on asset simple search page
- Improve styling for self service article search
- Make header in search result TSV more consistent with the one in web UI
- Do not use Inter font for monospace so pre tags render correctly in ticket history
- Fix "Update" operation for article saved searches
- Add option to find disabled articles in search
- Support to sort/limit axis labels in search charts
- On SMIME decrypt, try next address if current certificate does not match
- Automatically hide inline edit links/buttons if there are no fields to edit
- Allow one-time email addresses to wrap, preventing overlap with long addresses
- Hide inline edit by default for asset "Dates" that lacks grouped custom fields
- Sync checkboxes before deciding to check/uncheck TxnSendMailToAll
Documentation
- Document restricting access to REST 1.0 mail-gateway
- Update POD with Region example
- Document WebSecureCookies in README
- Fix spelling in documentation (thanks Andrew!)
- Add date search documentation
- Update the outdated config name $InlineDashboardCSS in docs
- Fix internal pod links in docs
- Switch the README to Markdown and improve layout on GitHub
- Increase client_max_body_size to 100M in Nginx config example
- Correct POD headers for CustomField methods (thanks nreiling!)
- Dashboards are now in the Reports menu, not Home
- Remove unresolved link to the configure script
- Link AutoAddWatchers to metacpan and not RT docs
Administration
- Avoid creating duplicated custom fields from initialdata
- Clear all RT crypt headers from incoming email before processing
- Add region to Amazon::S3 params
- Load RT size only on demand to speed up configuration page load
- Support custom labels for ValidateCustomFields
- Hide search and bulk update links on My Assets in self service
- Set id as the PRIMARY KEY of AttachmentsIndex for Pg
- Fix Enable checkbox behavior on Scrip Creation
- Add $WebStrictBrowserCache option to disable browser cache
- Add option to set number of rows in dashboard subscriptions
- Fix shredder boolean argument inputs
- Add StatementLog support for REST2
- Rewrite dashboard emailer to use the CLI interface
- Clean up lifecycles on save when possible
- Trim any leading and trailing spaces from name on lifecycle create
- Support to delete lifecycles
- Show lifecycle warnings to admins who are accessing lifecycle pages
- Support to update maps of a lifecycle via JSON on Advanced page
- In Lifecycle admin, add links to help map statuses that have the same name
- Add mysql5/MariaDB db types to install old DBD::mysql version
- Don't add Unlimited automatically in Rows per page
- Make rt-setup-fulltext-index generally work on Oracle 23c
- Document the workaround of the grant error of CTXSYS.CTX_DDL on Oracle 23c
Internals
- Limit query to active/inactive tickets in QueueList based on passed in @Statuses
- Test business hour css classes in search chart table
- Update failed tests as now we skip duplicated custom fields from initialdata
- Sanitize non-crypt headers used in RT internally from incoming email
- Return mail processing details only in DevelMode
- Update tests as RT-Send-Cc is cleared now
- Support QuickCreate to pass arguments to redirect URL after ticket creation
- Add AfterUpdate callback to group member admin
- Add CF validation to multiple non-ticket admin pages
- Enable devel mode for mailgate tests that depend on detailed output
- Allow callback to add user css class (thanks elacour!)
- Add callbacks to modify custom field updates
- Set next_page and prev_page in REST 2 without leaking any info
- Set to the last page in REST 2 if the given page exceeds it
- Exclude EmailRecord txns if current user can not see them
- Tweak rights check for transactions of a single ticket
- Cache ticket rights for atomic changes
- Pass Graph Type to EditSearches
- Remove id from search save args
- Skip search menu process for ticket graph searches
- Avoid duplicates of TicketType/ObjectType criteria for txn searches
- Make sure both prefix and suffix of spaces are removed from parsed searches
- Test alternative syntaxes for whole day searches
- Refactor chart code to avoid hard coded class and group by
- Refactor report code mainly to move more general part to one level up
- Support to calculate TimeTaken in transaction search charts
- Use base64 encoding for content larger than 100KB
- Use role Name/GroupType in case corresponding role groups do not exist yet
- Take care of SelfService when building asset action menu for "Assets" widget
- Switch to "Create Linked Ticket" modal in "Assets" widget on ticket display page
- Internal support to search/sort cf values numerically
- Support to calculate numeric custom fields in search charts
- Limit lookup type for custom roles in reports
- Update to newest test docker image
- Abstract procedures to get queue-specific custom fields and roles
- Fix typo: selectpicker is not for text inputs
- Make sure inline edit is disabled for unprivileged users
- Move /Elements/SearchFilter to /Search/Elements/FilterTickets
- Convert other Mason templates to new headers template
- Remove the duplicate id definition in the input
- Fix typo, callback line should be parsed as Perl
- Exclude radio and checkbox inputs from duplicate check for inline edit
- Pass RT_TEST_DISABLE_CONFIG_CACHE to fcigd/mod_perl configs
- Make sure BaseQuery is unset if it is equal to Query
- Move a few more general code from RT::Report::Tickets to RT::Report
- Log about the inaccurate chart data if UseSQLForACLChecks is disabled
- Update the license tagger to know how to handle markdown
- Drop code that never runs in CollectionList
- Support to group by Name/Description for asset charts
- Include principal ids or passed values in error logs
- Add ActionsMenu callback to ShowAssets for tickets
- No need to search links if the record does not support links
- Add TotalTimeWorked to REST2 ticket response data
- Quiet undefined warnings when sending rt-crontool email
- Make RT::User::OwnGroups() optionally recursive
- Add Initial callback for PreviewInSearch
- Dynamically get target element from the display element for checkbox cfs
- Support indeterminate state for boolean(checkbox) cfs
- Ignore HTML CF helper inputs(Bulk-Add-CustomField-...-ValuesType) on bulk update
- Test HTML custom fields on bulk update page
- Fixing localisation of Reports menu and Bulk page (thanks PPetky!)
- Fix the regex that identifies if the item is search term for autocomplete
- Add callbacks to dashboard portlet rendering
- Split dashboard email subject to a separate method
- Update tests for the updated header in TSV output
- Document TSV header changes in UPGRADING
- Do not merge old values for hash configs in database
- Test lifecycle deletions
- Add protective code in case of invalid lifecycles
- Test lifecycle warnings on admin web UI
- Check $DECODED_ARGS for ReverseTxns URL parameter
- Relax checks on link targets in create templates
- Rename github actions file to describe what it does
- Remove duplicates of ids when fetching user info
- Call ReplaceUserReferences for scroll mode of $ShowHistory
- Re-enable links autocomplete on create pages
- Use string comparison op(ne) for SearchPrivacy values like "RT::User-14"
- Test article saved searches
- Skip dumping content for failed todo tests
- Add callback to filter custom field values on ShowCustomFields
- Add callback to Bulk.html after ticket search
- Add callback to EditCustomFieldSelect before rendering values
- Add sample dashboard image to Dashboard documentation
- Display a dashboard as the sample screenshot
- Make sure TicketType and ObjectType limits in transaction searches are AND-ed
- Add BeforeResults callback for /Search/Bulk.html
- Add AfterTransactions callback for ShowHistory
- Test sorting/limiting axis labels of search charts
- No support for multiple articles included at the same time
- Document chart x-axis options
- Update tests for new warning messages in gpg 2.4+
- Add overlay support to RT::Crypt::SMIME
- Fix uninitialized warnings for asset inline edit on Oracle
- Avoid JSON decode error in case of empty $Objects in /Helpers/SelectOwnerDropdown
- Update tests and fix uninitialized warnings for changes in SearchBuilder 1.82
- Skip DBIx::SearchBuilder 1.81 for Oracle
- Update testing docker image to Debian bullseye
A complete changelog is available from git by running:
git log rt-5.0.5..rt-5.0.6
or visiting
rt-5.0.5...rt-5.0.6