[DRE-commits] [SCM] redmine.git branch, master-experimental, updated. debian/1.4.4+dfsg1-1-5-g7f1f228

Jérémy Lal kapouer at melix.org
Thu Oct 11 10:25:06 UTC 2012


The following commit has been merged in the master-experimental branch:
commit 16d88757cdb502cc19bd34353c43d5c6b02e01f3
Author: Jérémy Lal <kapouer at melix.org>
Date:   Wed Aug 24 22:16:29 2011 +0200

    Backport fix for "add a relation between issues pops explicit login window".

diff --git a/debian/patches/1014_send_CSRF_ajax.patch b/debian/patches/1014_send_CSRF_ajax.patch
new file mode 100644
index 0000000..bec3dc4
--- /dev/null
+++ b/debian/patches/1014_send_CSRF_ajax.patch
@@ -0,0 +1,48 @@
+Description: Send the CSRF token with Ajax requests.
+ Add a relation between issues pops explicit login window.
+ Fixed upstream, but not for redmine 1.1.x.
+Bug-Redmine: http://www.redmine.org/issues/7843
+Author: Etienne Massip <etienne.massip at gmail.com>
+Last-Update: 2011-03-14
+--- a/app/views/layouts/base.rhtml
++++ b/app/views/layouts/base.rhtml
+@@ -5,6 +5,7 @@
+ <title><%=h html_title %></title>
+ <meta name="description" content="<%= Redmine::Info.app_name %>" />
+ <meta name="keywords" content="issue,bug,tracker" />
++<%= csrf_meta_tag %>
+ <%= favicon %>
+ <%= stylesheet_link_tag 'application', :media => 'all' %>
+ <%= stylesheet_link_tag 'rtl', :media => 'all' if l(:direction) == 'rtl' %>
+--- a/public/javascripts/application.js
++++ b/public/javascripts/application.js
+@@ -250,9 +250,27 @@
+ }
+ 
+ 
+-/* shows and hides ajax indicator */
++/* 
++ * 1 - registers a callback which copies the csrf token into the
++ * X-CSRF-Token header with each ajax request.  Necessary to 
++ * work with rails applications which have fixed
++ * CVE-2011-0447
++ * 2 - shows and hides ajax indicator
++ */
+ Ajax.Responders.register({
+-    onCreate: function(){
++    onCreate: function(request){
++        var csrf_meta_tag = $$('meta[name=csrf-token]')[0];
++
++        if (csrf_meta_tag) {
++            var header = 'X-CSRF-Token',
++                token = csrf_meta_tag.readAttribute('content');
++
++            if (!request.options.requestHeaders) {
++              request.options.requestHeaders = {};
++            }
++            request.options.requestHeaders[header] = token;
++          }
++
+         if ($('ajax-indicator') && Ajax.activeRequestCount > 0) {
+             Element.show('ajax-indicator');
+         }
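Review bot: The new `onCreate` handler sets the token with `request.options.requestHeaders[header] = token;`, which only reaches the wire when `requestHeaders` is a plain object; if a caller passed Prototype's older array form (`['Name', 'value', ...]`), a property assigned on that array is presumably skipped by `setRequestHeaders` and the request goes out without the token, so a guard such as `if (Object.isArray(request.options.requestHeaders)) request.options.requestHeaders.push(header, token); else request.options.requestHeaders[header] = token;` would cover both forms — worth confirming against the Prototype version bundled with this release. The indentation is also inconsistent with the surrounding 4-space style: the line `request.options.requestHeaders = {};` is indented by 2 spaces and the closing brace of the `if (csrf_meta_tag)` block sits at 10 columns, so both should align with the `if` at 8. The `onCreate` function and the enclosing `Ajax.Responders.register` call continue past the end of the nested hunk.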
diff --git a/debian/patches/series b/debian/patches/series
index 96f07af..419833d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
 2009_FHS_thin_config.patch
 2010_use_i18n_0.4.1.patch
 1013_logout_cookie_rake.patch
+1014_send_CSRF_ajax.patch



