Commits on Jun 15, 2017
  1. 0.27 releng

    sartak committed Jun 15, 2017
  2. Fix timing sidechannel vulnerability in password checking

    aaronkondziela authored and sartak committed Jan 24, 2017
    "eq" operators for comparing against passwords are replaced by a new
    RT::Util::constant_time_eq to resolve a timing sidechannel vulnerability.
    
    This addresses CVE-2017-5361.
    
    Fixes: T#161960
Commits on Aug 2, 2016
  1. Release 0.26

    sartak committed Aug 2, 2016
  2. Toolchain update

    sartak committed Aug 2, 2016
Commits on Dec 9, 2014
  1. Indent example code

    alexmv committed Dec 9, 2014
Commits on Oct 16, 2014
  1. Bump version for 0.25

    jibsheet committed Oct 16, 2014
  2. Quiet logging for logged in users

    jibsheet committed Oct 16, 2014
    Because we started deferring to ::DoAuth in eeb05b8, we would log a
    message of:
        Autohandler called ExternalAuth. Response: (0, User already logged in!)
    for every request once it checked that the user was logged in.
    Instead, just bail hard once we see that the user is logged in.
  3. Avoid sending blank lines at the top of responses

    jibsheet committed Oct 16, 2014
    Because of a trailing newline in this file, when RT served images from
    the non-static-handler, it would inject a blank line at the top of the
    file, breaking it.  This caused custom logos and charts from search
    results to fail to render.
    
    This was caused when eeb05b8 lost the return; at the end of init,
    allowing the blank line to be printed.
    
    This restores the return, with a helpful comment for the future and also
    futureproofs by removing the blank lines.
Commits on Oct 9, 2014
  1. Version 0.24 releng

    alexmv committed Oct 9, 2014
Commits on Sep 30, 2014
  1. Version 0.23_01 releng

    alexmv committed Sep 30, 2014
Commits on Sep 15, 2014
  1. Respect both 4.2 and 4.0 names for AutoCreate

    alexmv committed Sep 15, 2014
    aed7312 changed the documentation to reference the 4.2 configuration
    name; change the code to do so, as well.
  2. RT::Authen::ExternalAuth will always have been loaded, via plugin code

    alexmv committed Aug 14, 2014
    This is a holdover from before @Plugins existed
  3. Remove unused %ARGS variable

    alexmv committed Aug 14, 2014
  4. Remove unused %once block

    alexmv committed Aug 14, 2014
  5. Fix a variable name in the POD

    alexmv committed Aug 14, 2014
  6. Add a missing close paren

    alexmv committed Aug 14, 2014
  7. Whitespace cleanup

    alexmv committed Aug 14, 2014
  8. Convert to unix line-endings

    alexmv committed Aug 14, 2014
Commits on Aug 19, 2014
  1. Add a callback to run after a user logs in

    jibsheet committed Aug 19, 2014
    Because RT::Authen::ExternalAuth runs before core's
    AttemptPasswordAuthentication, the core "you're logged in!" callback
    never runs.  This means if you want to do something 'on login' you have
    no hook for RT::Authen::ExternalAuth users.
    
    We call the core SuccessfulLogin callback from RT::Authen::ExternalAuth
    so that your code should 'just work' in both scenarios.
    
    The DoAuth $next extraction is virtually identical to core, so should
    work for normal use cases (RTIR's code works on both core and with this
    change).
Commits on Aug 14, 2014
  1. Version 0.23 releng

    alexmv committed Aug 14, 2014
Commits on Aug 13, 2014
  1. Version 0.22_01 releng

    alexmv committed Aug 13, 2014
  2. Move configuration documentation into the main file

    alexmv committed Aug 13, 2014
    This condenses and updates the configuration options, as well as
    providing them in one place.
  3. Standardize and modernize POD

    alexmv committed Aug 13, 2014
    Remove the documentation dealing with the no-longer-supported 3.4, 3.6,
    and 3.8 releases.  Use the standard RT::Extension installation
    instructions, as well as footer.  Condense the "MORE ABOUT THIS MODULE"
    into the "DESCRIPTION" and de-duplicate, removing reference to the
    no-longer-relevant RT::Authen::CookieAuth.
  4. Defer loading of Net::SSLeay, to prevent segfaults under mod_perl

    alexmv committed Aug 13, 2014
    Plack::Handler::Apache2 removes $ENV{MOD_PERL}, to prevent some modules
    (like CGI and CGI::Cookie) from looking in the wrong locations for
    input.  Unfortunately, this has catastrophic results for the loading of
    Net::SSLeay, which segfaults Apache if loaded under mod_ssl + mod_perl
    without being able to detect it is running as such.
    
    Remove the early loading of Net::SSLeay, and the entire
    ExternalServiceUsesSSLorTLS argument in general.  There is no need to
    load Net::SSLeay early, and no need for a configuration variable that
    merely repeats what can be inferred from individual service
    configurations.
Commits on Jul 2, 2014
  1. Bump version for 0.21

    jibsheet committed Jul 2, 2014