Pullup ticket #3808 - requested by spz

devel/rt3: security update

Revisions pulled up:
- devel/rt3/Makefile                                            1.49
- devel/rt3/Makefile.install                                    1.18
- devel/rt3/PLIST                                               1.21
- devel/rt3/distinfo                                            1.22
- devel/rt3/patches/patch-lib_RT_Action_CreateTickets.pm        deleted
- devel/rt3/patches/patch-lib_RT_Ticket__Overlay.pm             deleted
- devel/rt3/patches/patch-lib_RT_Transaction__Overlay.pm        deleted
- devel/rt3/patches/patch-share_html_Admin_CustomFields_Modify.html deleted
- devel/rt3/patches/patch-share_html_Search_Bulk.html           deleted
- devel/rt3/patches/patch-share_html_Search_Elements_SelectChartType deleted
- devel/rt3/patches/patch-share_html_Ticket_Elements_PreviewScrips deleted

---
   Module Name:	pkgsrc
   Committed By:	spz
   Date:		Fri May 25 19:55:44 UTC 2012

   Modified Files:
   	pkgsrc/devel/rt3: Makefile Makefile.install PLIST distinfo
   Removed Files:
   	pkgsrc/devel/rt3/patches: patch-lib_RT_Action_CreateTickets.pm
   	    patch-lib_RT_Ticket__Overlay.pm
   	    patch-lib_RT_Transaction__Overlay.pm
   	    patch-share_html_Admin_CustomFields_Modify.html
   	    patch-share_html_Search_Bulk.html
   	    patch-share_html_Search_Elements_SelectChartType
   	    patch-share_html_Ticket_Elements_PreviewScrips

   Log Message:
   Update RT to version 3.8.12:

   Changes from 3.8.11 to 3.8.12:
       This release, in addition to being a bugfix release, also resolves a
       number of security vulnerabilities.  It resolves CVE-2011-2082,
       CVE-2011-2083, CVE-2011-2084, CVE-2011-2085, CVE-2011-4458,
       CVE-2011-4459, and CVE-2011-4460.

        * Upgrade prototype.js to version 1.7, for compatibility with google
          charts.
        * Remove ie7.js, which is no longer used.
        * Ensure that TransactionBatch scripts are only run once.

   Changes from 3.8.10 to 3.8.11:
       This release contains a number of bugfixes and minor security updates
       since the 3.8.10 release, most notably:

        * Adjust FCGI dependency to one which resolves FCGI's CVE-2011-2766

        * New WebHttpOnlyCookies option, enabled by default, which hides RT's
          cookie from direct Javascript access.

        * Compatibility with perl 5.12 and 5.14, by removing deprecated "for
          qw(...)" and "defined %hash" syntax.

        * MySQL 5.5 compatibility, by specifying ENGINE=InnoDB rather than
          TYPE=InnoDB

        * Ensure that RT::Interface::Web's _Overlay, _Local, and _Vendor files
          are loaded correctly.

        * Fix session cleaner for on-disk sessions, broken since 3.8.0.

        * Ensure that only one "Based on" attribute is stored for each custom
          field.

        * Fix the loading of Shredder plugins, broken in 3.8.10.

11 files changed, 13 insertions, 213 deletions

diff --git a/devel/rt3/Makefile b/devel/rt3/Makefile
index d02ff6de755..92bb2465056 100644
--- a/devel/rt3/Makefile
+++ b/devel/rt3/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.48 2011/10/25 19:38:09 spz Exp $
+# $NetBSD: Makefile,v 1.48.4.1 2012/05/28 10:50:59 tron Exp $
 
-DISTNAME=		rt-3.8.10
-PKGREVISION=		1
+DISTNAME=		rt-3.8.12
 CATEGORIES=		devel
 MASTER_SITES=		http://download.bestpractical.com/pub/rt/release/
 
diff --git a/devel/rt3/Makefile.install b/devel/rt3/Makefile.install
index e7e1ed701b8..425e87701a3 100644
--- a/devel/rt3/Makefile.install
+++ b/devel/rt3/Makefile.install
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.install,v 1.17 2011/02/27 17:05:57 spz Exp $
+# $NetBSD: Makefile.install,v 1.17.10.1 2012/05/28 10:50:59 tron Exp $
 
 .include "dirs.mk"
 
@@ -67,7 +67,8 @@ RT_ETC_FILES=		acl.Oracle acl.Pg acl.mysql constraints.mysql	\
 			upgrade/vulnerable-passwords
 RT_UPGRADE_DIRS=	3.3.0 3.3.11 3.5.1 3.7.1 3.7.3 3.7.10 3.7.15	\
 			3.7.19 3.7.81 3.7.82 3.7.85 3.7.86 3.7.87       \
-			3.8.0 3.8.1 3.8.2 3.8.3 3.8.4 3.8.6 3.8.8 3.8.9
+			3.8.0 3.8.1 3.8.2 3.8.3 3.8.4 3.8.6 3.8.8 3.8.9 \
+			3.8.12
 
 MESSAGE_SUBST+=		RTVARDIR=${RT_VAR_DIR:Q} RTSHAREDIR=${RT_SHARE_DIR:Q}
 
diff --git a/devel/rt3/PLIST b/devel/rt3/PLIST
index 588453c169a..586b9634baf 100644
--- a/devel/rt3/PLIST
+++ b/devel/rt3/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.20 2011/04/16 09:41:19 spz Exp $
+@comment $NetBSD: PLIST,v 1.20.8.1 2012/05/28 10:50:59 tron Exp $
 bin/mason_handler.fcgi
 ${PLIST.speedycgi}bin/mason_handler.scgi
 bin/mason_handler.svc
@@ -330,6 +330,7 @@ share/rt3/etc/upgrade/3.8.4/content
 share/rt3/etc/upgrade/3.8.6/content
 share/rt3/etc/upgrade/3.8.8/content
 share/rt3/etc/upgrade/3.8.9/content
+share/rt3/etc/upgrade/3.8.12/content
 share/rt3/etc/vulnerable-passwords
 share/rt3/html/Admin/CustomFields/GroupRights.html
 share/rt3/html/Admin/CustomFields/Modify.html
@@ -468,6 +469,7 @@ share/rt3/html/Download/CustomFieldValue/dhandler
 share/rt3/html/Download/Tabular/dhandler
 share/rt3/html/Elements/BevelBoxRaisedEnd
 share/rt3/html/Elements/BevelBoxRaisedStart
+share/rt3/html/Elements/CSRF
 share/rt3/html/Elements/Callback
 share/rt3/html/Elements/Checkbox
 share/rt3/html/Elements/CollectionAsTable/Header
@@ -1023,11 +1025,6 @@ share/rt3/html/NoAuth/images/empty_star.gif
 share/rt3/html/NoAuth/images/favicon.png
 share/rt3/html/NoAuth/images/star.gif
 share/rt3/html/NoAuth/images/test.png
-share/rt3/html/NoAuth/js/IE7/IE7.js
-share/rt3/html/NoAuth/js/IE7/IE8.js
-share/rt3/html/NoAuth/js/IE7/blank.gif
-share/rt3/html/NoAuth/js/IE7/ie7-recalc.js
-share/rt3/html/NoAuth/js/IE7/ie7-squish.js
 share/rt3/html/NoAuth/js/ahah.js
 share/rt3/html/NoAuth/js/autohandler
 share/rt3/html/NoAuth/js/cascaded.js
@@ -1212,3 +1209,4 @@ share/rt3/html/autohandler
 share/rt3/html/dhandler
 share/rt3/html/index.html
 share/rt3/html/l
+share/rt3/html/l_unsafe
diff --git a/devel/rt3/distinfo b/devel/rt3/distinfo
index b11468fac58..b6789f6e284 100644
--- a/devel/rt3/distinfo
+++ b/devel/rt3/distinfo
@@ -1,23 +1,16 @@
-$NetBSD: distinfo,v 1.21 2011/10/25 19:38:09 spz Exp $
+$NetBSD: distinfo,v 1.21.4.1 2012/05/28 10:51:00 tron Exp $
 
-SHA1 (rt-3.8.10.tar.gz) = 98678a4ce4dbdfb13ceeeb88236d49bd0f5562c7
-RMD160 (rt-3.8.10.tar.gz) = 779ba2e04e87d20f30b03a9e7348c23b09062038
-Size (rt-3.8.10.tar.gz) = 5642566 bytes
+SHA1 (rt-3.8.12.tar.gz) = aa657de2fd687c51f31216df6dc1f639a0bc1f7c
+RMD160 (rt-3.8.12.tar.gz) = fa6b251aa1c7851a35243181c3b802a668c1e0ba
+Size (rt-3.8.12.tar.gz) = 5730029 bytes
 SHA1 (patch-aa) = 6f78710f4460a25c75afbdf7128c0fe34914927c
 SHA1 (patch-ab) = ee455dd683c84d3a745a29a132e28903ba03144d
 SHA1 (patch-lib_RT.pm) = f72c6cb6f94acf1296076423d26d7efa4ed78293
-SHA1 (patch-lib_RT_Action_CreateTickets.pm) = d9cac2c0b9125835edf303b203e067ce087e90d7
 SHA1 (patch-lib_RT_CustomFieldValues_External.pm) = 4404ca98c9e50687323892df1aa95c8b5a6dedd9
 SHA1 (patch-lib_RT_Interface_Email.pm) = 60d0c2c46ac3dc8172bdf16bbf43099b7dd87542
 SHA1 (patch-lib_RT_Interface_Email_Auth_GnuPG.pm) = c78c1894a0c058082784a3790fc87684d6a4431c
-SHA1 (patch-lib_RT_Ticket__Overlay.pm) = e39ef54a28f08d34ebf7c7bc3d410e8c1064177e
-SHA1 (patch-lib_RT_Transaction__Overlay.pm) = aad3ea7fb62798e63cee20e82b6cc8e4f11a3f44
 SHA1 (patch-sbin_rt-attributes-viewer) = e1c963800b76282cda4ca46e006f30d9abfc29c9
 SHA1 (patch-sbin_rt-attributes-viewer.in) = 99a15cca9a394b5743edc3929f43593f1384c8da
-SHA1 (patch-share_html_Admin_CustomFields_Modify.html) = ab8109ff5b2c39f02dc0058d00bc9c4264b58bc7
 SHA1 (patch-share_html_Helpers_CalPopup.html) = 3920ac6448d1d21c7ff32ef67344b19aa53616a4
-SHA1 (patch-share_html_Search_Bulk.html) = a08fa8cfbe641ae4d174117167c4f4be97f9151f
-SHA1 (patch-share_html_Search_Elements_SelectChartType) = 0aa993c9f909634da4e65e37dd59afd6531dde01
-SHA1 (patch-share_html_Ticket_Elements_PreviewScrips) = caaccc926bb92d9e7a4fd24bfc6b47263c5dd028
 SHA1 (patch-t_approval_admincc.t) = 4fddf5fa844d15e8698e00fe6863daaafa661315
 SHA1 (patch-t_approval_basic.t) = 209303cc34370518a2600e28570627e1dc7e698b
diff --git a/devel/rt3/patches/patch-lib_RT_Action_CreateTickets.pm b/devel/rt3/patches/patch-lib_RT_Action_CreateTickets.pm
deleted file mode 100644
index 107dd2fe8b6..00000000000
--- a/devel/rt3/patches/patch-lib_RT_Action_CreateTickets.pm
+++ /dev/null
@@ -1,24 +0,0 @@
-$NetBSD: patch-lib_RT_Action_CreateTickets.pm,v 1.1 2011/10/25 19:38:10 spz Exp $
-
-perl 5.14 qw() in for* fixes
-
---- lib/RT/Action/CreateTickets.pm.orig	2011-04-14 00:32:21.000000000 +0000
-+++ lib/RT/Action/CreateTickets.pm
-@@ -723,7 +723,7 @@ sub ParseLines {
-         }
-     }
- 
--    foreach my $date qw(due starts started resolved) {
-+    foreach my $date ( qw(due starts started resolved) ) {
-         my $dateobj = RT::Date->new( $self->CurrentUser );
-         next unless $args{$date};
-         if ( $args{$date} =~ /^\d+$/ ) {
-@@ -1080,7 +1080,7 @@ sub UpdateWatchers {
- 
-     my @results;
- 
--    foreach my $type qw(Requestor Cc AdminCc) {
-+    foreach my $type ( qw(Requestor Cc AdminCc) ) {
-         my $method  = $type . 'Addresses';
-         my $oldaddr = $ticket->$method;
- 
diff --git a/devel/rt3/patches/patch-lib_RT_Ticket__Overlay.pm b/devel/rt3/patches/patch-lib_RT_Ticket__Overlay.pm
deleted file mode 100644
index fb179fcb4cf..00000000000
--- a/devel/rt3/patches/patch-lib_RT_Ticket__Overlay.pm
+++ /dev/null
@@ -1,49 +0,0 @@
-$NetBSD: patch-lib_RT_Ticket__Overlay.pm,v 1.1 2011/10/25 19:38:10 spz Exp $
-
-perl 5.14 qw() in for* fixes
-
---- lib/RT/Ticket_Overlay.pm.orig	2011-04-14 00:32:21.000000000 +0000
-+++ lib/RT/Ticket_Overlay.pm
-@@ -471,13 +471,13 @@ sub Create {
-     );
- 
- # Parameters passed in during an import that we probably don't want to touch, otherwise
--    foreach my $attr qw(id Creator Created LastUpdated LastUpdatedBy) {
-+    foreach my $attr ( qw(id Creator Created LastUpdated LastUpdatedBy) ) {
-         $params{$attr} = $args{$attr} if $args{$attr};
-     }
- 
-     # Delete null integer parameters
-     foreach my $attr
--        qw(TimeWorked TimeLeft TimeEstimated InitialPriority FinalPriority)
-+        ( qw(TimeWorked TimeLeft TimeEstimated InitialPriority FinalPriority) )
-     {
-         delete $params{$attr}
-           unless ( exists $params{$attr} && $params{$attr} );
-@@ -745,7 +745,7 @@ sub _Parse822HeadersForAttributes {
-         
-     }
- 
--    foreach my $date qw(due starts started resolved) {
-+    foreach my $date ( qw(due starts started resolved) ) {
-         my $dateobj = RT::Date->new($RT::SystemUser);
-         if ( defined ($args{$date}) and $args{$date} =~ /^\d+$/ ) {
-             $dateobj->Set( Format => 'unix', Value => $args{$date} );
-@@ -2600,7 +2600,7 @@ sub MergeInto {
-     }
- 
-     # Update time fields
--    foreach my $type qw(TimeEstimated TimeWorked TimeLeft) {
-+    foreach my $type ( qw(TimeEstimated TimeWorked TimeLeft) ) {
- 
-         my $mutator = "Set$type";
-         $MergeInto->$mutator(
-@@ -2608,7 +2608,7 @@ sub MergeInto {
- 
-     }
- #add all of this ticket's watchers to that ticket.
--    foreach my $watcher_type qw(Requestors Cc AdminCc) {
-+    foreach my $watcher_type ( qw(Requestors Cc AdminCc) ) {
- 
-         my $people = $self->$watcher_type->MembersObj;
-         my $addwatcher_type =  $watcher_type;
diff --git a/devel/rt3/patches/patch-lib_RT_Transaction__Overlay.pm b/devel/rt3/patches/patch-lib_RT_Transaction__Overlay.pm
deleted file mode 100644
index 2a28a525d53..00000000000
--- a/devel/rt3/patches/patch-lib_RT_Transaction__Overlay.pm
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-lib_RT_Transaction__Overlay.pm,v 1.1 2011/10/25 19:38:10 spz Exp $
-
-perl 5.14 qw() in for* fixes
-
---- lib/RT/Transaction_Overlay.pm.orig	2011-04-14 00:32:21.000000000 +0000
-+++ lib/RT/Transaction_Overlay.pm
-@@ -144,7 +144,7 @@ sub Create {
-     );
- 
-     # Parameters passed in during an import that we probably don't want to touch, otherwise
--    foreach my $attr qw(id Creator Created LastUpdated TimeTaken LastUpdatedBy) {
-+    foreach my $attr ( qw(id Creator Created LastUpdated TimeTaken LastUpdatedBy) ) {
-         $params{$attr} = $args{$attr} if ($args{$attr});
-     }
-  
diff --git a/devel/rt3/patches/patch-share_html_Admin_CustomFields_Modify.html b/devel/rt3/patches/patch-share_html_Admin_CustomFields_Modify.html
deleted file mode 100644
index 084ac880ffc..00000000000
--- a/devel/rt3/patches/patch-share_html_Admin_CustomFields_Modify.html
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-share_html_Admin_CustomFields_Modify.html,v 1.1 2011/10/25 19:38:10 spz Exp $
-
-perl 5.14 qw() in for* fixes
-
---- share/html/Admin/CustomFields/Modify.html.orig	2011-04-14 00:32:21.000000000 +0000
-+++ share/html/Admin/CustomFields/Modify.html
-@@ -196,7 +196,7 @@ if ( $ARGS{'Update'} && $id ne 'new' ) {
-     # Update any existing values
-     my $values = $CustomFieldObj->ValuesObj;
-     while ( my $value = $values->Next ) {
--        foreach my $attr qw(Name Description SortOrder Category) {
-+        foreach my $attr ( qw(Name Description SortOrder Category) ) {
-             my $param = join("-", $paramtag, $value->Id, $attr);
-             next unless exists $ARGS{$param};
-             $ARGS{$param} =~ s/^\s+//;
diff --git a/devel/rt3/patches/patch-share_html_Search_Bulk.html b/devel/rt3/patches/patch-share_html_Search_Bulk.html
deleted file mode 100644
index 29eba5d0005..00000000000
--- a/devel/rt3/patches/patch-share_html_Search_Bulk.html
+++ /dev/null
@@ -1,31 +0,0 @@
-$NetBSD: patch-share_html_Search_Bulk.html,v 1.1 2011/10/25 19:38:10 spz Exp $
-
-perl 5.14 qw() in for* fixes
-
---- share/html/Search/Bulk.html.orig	2011-04-14 00:32:21.000000000 +0000
-+++ share/html/Search/Bulk.html
-@@ -60,7 +60,7 @@
- 
- <& /Elements/ListActions, actions => \@results &>
- <form method="post" action="<% RT->Config->Get('WebPath') %>/Search/Bulk.html" enctype="multipart/form-data">
--% foreach my $var qw(Query Format OrderBy Order Rows Page SavedChartSearchId) {
-+% foreach my $var ( qw(Query Format OrderBy Order Rows Page SavedChartSearchId) ) {
- <input type="hidden" class="hidden" name="<%$var%>" value="<%$ARGS{$var} || ''%>" />
- %}
- <& /Elements/CollectionList, 
-@@ -358,13 +358,13 @@ unless ( $ARGS{'AddMoreAttach'} ) {
-         my @watchresults =
-           ProcessTicketWatchers( TicketObj => $Ticket, ARGSRef => \%ARGS );
- 
--        foreach my $type qw(MergeInto DependsOn MemberOf RefersTo) {
-+        foreach my $type ( qw(MergeInto DependsOn MemberOf RefersTo) ) {
-             $ARGS{ $Ticket->id . "-" . $type } = $ARGS{"Ticket-$type"};
-             $ARGS{ $type . "-" . $Ticket->id } = $ARGS{"$type-Ticket"};
-         }
-         @linkresults =
-           ProcessTicketLinks( TicketObj => $Ticket, ARGSRef => \%ARGS );
--        foreach my $type qw(MergeInto DependsOn MemberOf RefersTo) {
-+        foreach my $type ( qw(MergeInto DependsOn MemberOf RefersTo) ) {
-             delete $ARGS{ $type . "-" . $Ticket->id };
-             delete $ARGS{ $Ticket->id . "-" . $type };
-         }
diff --git a/devel/rt3/patches/patch-share_html_Search_Elements_SelectChartType b/devel/rt3/patches/patch-share_html_Search_Elements_SelectChartType
deleted file mode 100644
index b1e3dd8a96c..00000000000
--- a/devel/rt3/patches/patch-share_html_Search_Elements_SelectChartType
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-share_html_Search_Elements_SelectChartType,v 1.1 2011/10/25 19:38:10 spz Exp $
-
-perl 5.14 qw() in for* fixes
-
---- share/html/Search/Elements/SelectChartType.orig	2011-04-14 00:32:21.000000000 +0000
-+++ share/html/Search/Elements/SelectChartType
-@@ -50,7 +50,7 @@ $Name => 'ChartType'
- $Default => 'bar'
- </%args>
- <select id="<%$Name%>" name="<%$Name%>">
--% foreach my $option qw(bar pie) {
-+% foreach my $option ( qw(bar pie) ) {
- % # 'bar' # loc
- % # 'pie' # loc
- <option value="<%$option%>"<% $option eq $Default ? qq[ selected="selected"] : '' |n %>><%loc($option)%></option>
diff --git a/devel/rt3/patches/patch-share_html_Ticket_Elements_PreviewScrips b/devel/rt3/patches/patch-share_html_Ticket_Elements_PreviewScrips
deleted file mode 100644
index 5db2c8857d4..00000000000
--- a/devel/rt3/patches/patch-share_html_Ticket_Elements_PreviewScrips
+++ /dev/null
@@ -1,42 +0,0 @@
-$NetBSD: patch-share_html_Ticket_Elements_PreviewScrips,v 1.1 2011/10/25 19:38:10 spz Exp $
-
-perl 5.14 qw() in for* fixes
-
---- share/html/Ticket/Elements/PreviewScrips.orig	2011-04-14 00:32:21.000000000 +0000
-+++ share/html/Ticket/Elements/PreviewScrips
-@@ -65,7 +65,7 @@ my @non_recipients = @{ $squelch{'EmailA
- <b><% $scrip->Description || loc('Scrip #[_1]',$scrip->id) %></b><br />
- <&|/l, loc($scrip->ConditionObj->Name), loc($scrip->ActionObj->Name), loc($scrip->TemplateObj->Name)&>[_1] [_2] with template [_3]</&>
- <br />
--%foreach my $type qw(To Cc Bcc) {
-+%foreach my $type ( qw(To Cc Bcc) ) {
- %my @addresses =  $scrip->ActionObj->Action->$type();
- <ul>
- %foreach my $addr (@addresses) {
-@@ -90,7 +90,7 @@ my @non_recipients = @{ $squelch{'EmailA
- %    next unless $rule->{hints} && $rule->{hints}{class} eq 'SendEmail';
- <b><% $rule->Describe %></b>
- %    my $data = $rule->{hints}{recipients};
--%    foreach my $type qw(To Cc Bcc) {
-+%    foreach my $type ( qw(To Cc Bcc) ) {
- <ul>
- %        foreach my $address (@{$data->{$type}}) {
- <li>
-@@ -205,7 +205,7 @@ foreach my $scrip ( @{ $txn->Scrips->Pre
-     my $action = $scrip->ActionObj->Action;
-     next unless $action->isa('RT::Action::SendEmail');
- 
--    foreach my $type qw(To Cc Bcc) {
-+    foreach my $type ( qw(To Cc Bcc) ) {
-         push @recipients, $action->$type();
-     }
- }
-@@ -250,7 +250,7 @@ foreach my $scrip ( @{ $txn->Scrips->Pre
-     my $action = $scrip->ActionObj->Action;
-     next unless $action->isa('RT::Action::SendEmail');
- 
--    foreach my $type qw(To Cc Bcc) {
-+    foreach my $type ( qw(To Cc Bcc) ) {
-         push @recipients, $action->$type();
-     }
- }