-rw-r--r--rt/Makefile2
-rw-r--r--rt/etc/RT_Config.pm13
-rw-r--r--rt/etc/RT_Config.pm.in13
-rwxr-xr-xrt/etc/schema.mysql-4.140
-rw-r--r--rt/lib/RT.pm2
-rw-r--r--rt/lib/RT/Action/CreateTickets.pm4
-rw-r--r--rt/lib/RT/CustomField_Overlay.pm2
-rw-r--r--rt/lib/RT/Interface/Web.pm9
-rw-r--r--rt/lib/RT/Ticket_Overlay.pm12
-rw-r--r--rt/lib/RT/Transaction_Overlay.pm2
-rw-r--r--rt/share/html/Admin/CustomFields/Modify.html2
-rwxr-xr-xrt/share/html/Search/Bulk.html6
12 files changed, 67 insertions, 40 deletions
diff --git a/rt/Makefile b/rt/Makefile
index 8f9202080..84c1f87de 100644
--- a/rt/Makefile
+++ b/rt/Makefile
@@ -63,7 +63,7 @@ SITE_CONFIG_FILE = $(CONFIG_FILE_PATH)/RT_SiteConfig.pm
RT_VERSION_MAJOR = 3
RT_VERSION_MINOR = 8
-RT_VERSION_PATCH = 10
+RT_VERSION_PATCH = 11
RT_VERSION = $(RT_VERSION_MAJOR).$(RT_VERSION_MINOR).$(RT_VERSION_PATCH)
TAG = rt-$(RT_VERSION_MAJOR)-$(RT_VERSION_MINOR)-$(RT_VERSION_PATCH)
diff --git a/rt/etc/RT_Config.pm b/rt/etc/RT_Config.pm
index b4ca44c96..22fdff218 100644
--- a/rt/etc/RT_Config.pm
+++ b/rt/etc/RT_Config.pm
@@ -1261,6 +1261,19 @@ via SSL encrypted HTTP connections.
Set($WebSecureCookies, 0);
+=item C<$WebHttpOnlyCookies>
+
+Default RT's session cookie to not being directly accessible to
+javascript. The content is still sent during regular and AJAX requests,
+and other cookies are unaffected, but the session-id is less
+programmatically accessible to javascript. Turning this off should only
+be necessary in situations with odd client-side authentication
+requirements.
+
+=cut
+
+Set($WebHttpOnlyCookies, 1);
+
=item C<$WebFlushDbCacheEveryRequest>
By default, RT clears its database cache after every page view.
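Review bot: The new POD for `$WebHttpOnlyCookies` says the session id becomes "less programmatically accessible", which leaves an administrator unsure what the flag protects against. I would state it directly, e.g. `Mark RT's session cookie HttpOnly so browsers do not expose it to client-side scripts; this limits session-id theft through XSS but does not stop a script from making requests with the user's session.` A cross-reference to `$WebSecureCookies` would also help, since the context line above still defaults it to 0 and HttpOnly does nothing for a cookie sent over plain HTTP. The identical text in rt/etc/RT_Config.pm.in should be changed with it.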
diff --git a/rt/etc/RT_Config.pm.in b/rt/etc/RT_Config.pm.in
index 94eea5ade..aa43985c1 100644
--- a/rt/etc/RT_Config.pm.in
+++ b/rt/etc/RT_Config.pm.in
@@ -1261,6 +1261,19 @@ via SSL encrypted HTTP connections.
Set($WebSecureCookies, 0);
+=item C<$WebHttpOnlyCookies>
+
+Default RT's session cookie to not being directly accessible to
+javascript. The content is still sent during regular and AJAX requests,
+and other cookies are unaffected, but the session-id is less
+programmatically accessible to javascript. Turning this off should only
+be necessary in situations with odd client-side authentication
+requirements.
+
+=cut
+
+Set($WebHttpOnlyCookies, 1);
+
=item C<$WebFlushDbCacheEveryRequest>
By default, RT clears its database cache after every page view.
diff --git a/rt/etc/schema.mysql-4.1 b/rt/etc/schema.mysql-4.1
index edd3deda7..bfa8516b2 100755
--- a/rt/etc/schema.mysql-4.1
+++ b/rt/etc/schema.mysql-4.1
@@ -14,7 +14,7 @@ CREATE TABLE Attachments (
Creator integer NOT NULL DEFAULT 0 ,
Created DATETIME NULL ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
CREATE INDEX Attachments2 ON Attachments (TransactionId) ;
CREATE INDEX Attachments3 ON Attachments (Parent, TransactionId) ;
@@ -36,7 +36,7 @@ CREATE TABLE Queues (
LastUpdated DATETIME NULL ,
Disabled int2 NOT NULL DEFAULT 0 ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
CREATE UNIQUE INDEX Queues1 ON Queues (Name) ;
CREATE INDEX Queues2 ON Queues (Disabled) ;
@@ -57,7 +57,7 @@ CREATE TABLE Links (
Creator integer NOT NULL DEFAULT 0 ,
Created DATETIME NULL ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET ascii;
+) ENGINE=InnoDB CHARACTER SET ascii;
CREATE INDEX Links2 ON Links (Base, Type) ;
CREATE INDEX Links3 ON Links (Target, Type) ;
@@ -73,7 +73,7 @@ CREATE TABLE Principals (
ObjectId integer, # foreign key to Users or Groups, depending
Disabled int2 NOT NULL DEFAULT 0 ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET ascii;
+) ENGINE=InnoDB CHARACTER SET ascii;
CREATE INDEX Principals2 ON Principals (ObjectId);
@@ -89,7 +89,7 @@ CREATE TABLE Groups (
Type varchar(64) CHARACTER SET ascii NULL,
Instance integer,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
CREATE INDEX Groups1 ON Groups (Domain,Instance,Type,id);
CREATE INDEX Groups2 On Groups (Type, Instance);
@@ -111,7 +111,7 @@ CREATE TABLE ScripConditions (
LastUpdatedBy integer NOT NULL DEFAULT 0 ,
LastUpdated DATETIME NULL ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
# }}}
@@ -133,7 +133,7 @@ CREATE TABLE Transactions (
Creator integer NOT NULL DEFAULT 0 ,
Created DATETIME NULL ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
CREATE INDEX Transactions1 ON Transactions (ObjectType, ObjectId);
@@ -159,7 +159,7 @@ CREATE TABLE Scrips (
LastUpdatedBy integer NOT NULL DEFAULT 0 ,
LastUpdated DATETIME NULL ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
# }}}
@@ -175,7 +175,7 @@ CREATE TABLE ACL (
DelegatedBy integer NOT NULL default 0, #foreign key to principals with a userid
DelegatedFrom integer NOT NULL default 0, #foreign key to ACL
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
CREATE INDEX ACL1 on ACL(RightName, ObjectType, ObjectId,PrincipalType,PrincipalId);
@@ -188,7 +188,7 @@ CREATE TABLE GroupMembers (
GroupId integer NOT NULL DEFAULT 0,
MemberId integer NOT NULL DEFAULT 0, #Foreign key to Principals
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
CREATE UNIQUE INDEX GroupMembers1 on GroupMembers (GroupId, MemberId);
@@ -210,7 +210,7 @@ create table CachedGroupMembers (
# group members recursively.
# Also, this allows us to have the ACL system elide members of disabled groups
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
CREATE INDEX DisGrouMem on CachedGroupMembers (GroupId,MemberId,Disabled);
CREATE INDEX CachedGroupMembers3 on CachedGroupMembers (MemberId, ImmediateParentId);
@@ -256,7 +256,7 @@ CREATE TABLE Users (
LastUpdatedBy integer NOT NULL DEFAULT 0 ,
LastUpdated DATETIME NULL ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
CREATE UNIQUE INDEX Users1 ON Users (Name) ;
@@ -297,7 +297,7 @@ CREATE TABLE Tickets (
Created DATETIME NULL ,
Disabled int2 NOT NULL DEFAULT 0 ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
CREATE INDEX Tickets1 ON Tickets (Queue, Status) ;
CREATE INDEX Tickets2 ON Tickets (Owner) ;
@@ -318,7 +318,7 @@ CREATE TABLE ScripActions (
LastUpdatedBy integer NOT NULL DEFAULT 0 ,
LastUpdated DATETIME NULL ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
# }}}
@@ -338,7 +338,7 @@ CREATE TABLE Templates (
Creator integer NOT NULL DEFAULT 0 ,
Created DATETIME NULL ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
# }}}
@@ -362,7 +362,7 @@ CREATE TABLE ObjectCustomFieldValues (
LastUpdated DATETIME NULL ,
Disabled int2 NOT NULL DEFAULT 0 , # New -- whether the value was current
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
CREATE INDEX ObjectCustomFieldValues1 ON ObjectCustomFieldValues (Content);
CREATE INDEX ObjectCustomFieldValues2 ON ObjectCustomFieldValues (CustomField,ObjectType,ObjectId);
@@ -389,7 +389,7 @@ CREATE TABLE CustomFields (
Disabled int2 NOT NULL DEFAULT 0 ,
Required int2 NOT NULL DEFAULT 0 ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
# }}}
@@ -406,7 +406,7 @@ CREATE TABLE ObjectCustomFields (
LastUpdatedBy integer NOT NULL DEFAULT 0 ,
LastUpdated DATETIME NULL ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
# }}}
@@ -424,7 +424,7 @@ CREATE TABLE CustomFieldValues (
LastUpdatedBy integer NOT NULL DEFAULT 0 ,
LastUpdated DATETIME NULL ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
CREATE INDEX CustomFieldValues1 ON CustomFieldValues (CustomField);
@@ -446,7 +446,7 @@ CREATE TABLE Attributes (
LastUpdatedBy integer NOT NULL DEFAULT 0 ,
LastUpdated DATETIME NULL ,
PRIMARY KEY (id)
-) TYPE=InnoDB CHARACTER SET utf8;
+) ENGINE=InnoDB CHARACTER SET utf8;
CREATE INDEX Attributes1 on Attributes(Name);
CREATE INDEX Attributes2 on Attributes(ObjectType, ObjectId);
diff --git a/rt/lib/RT.pm b/rt/lib/RT.pm
index 50723765e..4a20f9b43 100644
--- a/rt/lib/RT.pm
+++ b/rt/lib/RT.pm
@@ -57,7 +57,7 @@ use Cwd ();
use vars qw($Config $System $SystemUser $Nobody $Handle $Logger $_INSTALL_MODE);
-our $VERSION = '3.8.10';
+our $VERSION = '3.8.11';
diff --git a/rt/lib/RT/Action/CreateTickets.pm b/rt/lib/RT/Action/CreateTickets.pm
index 5a1693569..fd3e77c3a 100644
--- a/rt/lib/RT/Action/CreateTickets.pm
+++ b/rt/lib/RT/Action/CreateTickets.pm
@@ -723,7 +723,7 @@ sub ParseLines {
}
}
- foreach my $date qw(due starts started resolved) {
+ foreach my $date (qw(due starts started resolved)) {
my $dateobj = RT::Date->new( $self->CurrentUser );
next unless $args{$date};
if ( $args{$date} =~ /^\d+$/ ) {
@@ -1081,7 +1081,7 @@ sub UpdateWatchers {
my @results;
- foreach my $type qw(Requestor Cc AdminCc) {
+ foreach my $type (qw(Requestor Cc AdminCc)) {
my $method = $type . 'Addresses';
my $oldaddr = $ticket->$method;
diff --git a/rt/lib/RT/CustomField_Overlay.pm b/rt/lib/RT/CustomField_Overlay.pm
index 5e868d1c5..25394cf0f 100644
--- a/rt/lib/RT/CustomField_Overlay.pm
+++ b/rt/lib/RT/CustomField_Overlay.pm
@@ -1440,7 +1440,7 @@ sub SetBasedOn {
return (0, "Permission denied")
unless $cf->Id && $cf->CurrentUserHasRight('SeeCustomField');
- return $self->AddAttribute(
+ return $self->SetAttribute(
Name => "BasedOn",
Description => "Custom field whose CF we depend on",
Content => $cf->Id,
diff --git a/rt/lib/RT/Interface/Web.pm b/rt/lib/RT/Interface/Web.pm
index 959c80334..e4167e4cc 100644
--- a/rt/lib/RT/Interface/Web.pm
+++ b/rt/lib/RT/Interface/Web.pm
@@ -661,10 +661,11 @@ sub InstantiateNewSession {
sub SendSessionCookie {
my $cookie = CGI::Cookie->new(
- -name => _SessionCookieName(),
- -value => $HTML::Mason::Commands::session{_session_id},
- -path => RT->Config->Get('WebPath'),
- -secure => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 )
+ -name => _SessionCookieName(),
+ -value => $HTML::Mason::Commands::session{_session_id},
+ -path => RT->Config->Get('WebPath'),
+ -secure => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 ),
+ -httponly => ( RT->Config->Get('WebHttpOnlyCookies') ? 1 : 0 ),
);
$HTML::Mason::Commands::r->err_headers_out->{'Set-Cookie'} = $cookie->as_string;
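Review bot: The `-httponly` argument added to `CGI::Cookie->new` only takes effect if the installed CGI::Cookie knows that attribute. I believe older CGI.pm releases ignore unrecognised named arguments, so the flag could be dropped silently while `$WebHttpOnlyCookies` still reads as enabled. It would be worth confirming that RT's declared minimum CGI.pm version supports it, or checking `$cookie->can('httponly')` and logging a warning when it does not. SendSessionCookie's body continues past the end of this hunk.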
diff --git a/rt/lib/RT/Ticket_Overlay.pm b/rt/lib/RT/Ticket_Overlay.pm
index 2feed28dd..e8cb12863 100644
--- a/rt/lib/RT/Ticket_Overlay.pm
+++ b/rt/lib/RT/Ticket_Overlay.pm
@@ -472,13 +472,13 @@ sub Create {
);
# Parameters passed in during an import that we probably don't want to touch, otherwise
- foreach my $attr qw(id Creator Created LastUpdated LastUpdatedBy) {
+ foreach my $attr (qw(id Creator Created LastUpdated LastUpdatedBy)) {
$params{$attr} = $args{$attr} if $args{$attr};
}
# Delete null integer parameters
foreach my $attr
- qw(TimeWorked TimeLeft TimeEstimated InitialPriority FinalPriority)
+ (qw(TimeWorked TimeLeft TimeEstimated InitialPriority FinalPriority))
{
delete $params{$attr}
unless ( exists $params{$attr} && $params{$attr} );
@@ -815,7 +815,7 @@ sub _Parse822HeadersForAttributes {
}
- foreach my $date qw(due starts started resolved) {
+ foreach my $date (qw(due starts started resolved)) {
my $dateobj = RT::Date->new($RT::SystemUser);
if ( defined ($args{$date}) and $args{$date} =~ /^\d+$/ ) {
$dateobj->Set( Format => 'unix', Value => $args{$date} );
@@ -2701,7 +2701,7 @@ sub MergeInto {
}
# Update time fields
- foreach my $type qw(TimeEstimated TimeWorked TimeLeft) {
+ foreach my $type (qw(TimeEstimated TimeWorked TimeLeft)) {
my $mutator = "Set$type";
$MergeInto->$mutator(
@@ -2709,7 +2709,7 @@ sub MergeInto {
}
#add all of this ticket's watchers to that ticket.
- foreach my $watcher_type qw(Requestors Cc AdminCc) {
+ foreach my $watcher_type (qw(Requestors Cc AdminCc)) {
my $people = $self->$watcher_type->MembersObj;
my $addwatcher_type = $watcher_type;
@@ -3327,7 +3327,7 @@ sub _ApplyTransactionBatch {
my $batch = $self->TransactionBatch;
my %seen;
- my $types = join ',', grep !$seen{$_}++, grep defined, map $_->Type, grep defined, @{$batch};
+ my $types = join ',', grep !$seen{$_}++, grep defined, map $_->__Value('Type'), grep defined, @{$batch};
require RT::Scrips;
RT::Scrips->new($RT::SystemUser)->Apply(
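Review bot: The switch from `$_->Type` to `$_->__Value('Type')` on the `$types` line has no comment saying why the public accessor is avoided. `__Value` looks like the raw column read, which presumably skips the per-user visibility check the accessor applies, so a later maintainer may tidy it back. I would add `# Read Type via __Value: scrips run as $RT::SystemUser and must see every transaction type in the batch, even ones the current user cannot view.` above the line, once that rationale is confirmed. _ApplyTransactionBatch starts and ends outside this hunk.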
diff --git a/rt/lib/RT/Transaction_Overlay.pm b/rt/lib/RT/Transaction_Overlay.pm
index 89c5273e1..fdd3e948f 100644
--- a/rt/lib/RT/Transaction_Overlay.pm
+++ b/rt/lib/RT/Transaction_Overlay.pm
@@ -145,7 +145,7 @@ sub Create {
);
# Parameters passed in during an import that we probably don't want to touch, otherwise
- foreach my $attr qw(id Creator Created LastUpdated TimeTaken LastUpdatedBy) {
+ foreach my $attr (qw(id Creator Created LastUpdated TimeTaken LastUpdatedBy)) {
$params{$attr} = $args{$attr} if ($args{$attr});
}
diff --git a/rt/share/html/Admin/CustomFields/Modify.html b/rt/share/html/Admin/CustomFields/Modify.html
index 5ef32127b..249fdb1b4 100644
--- a/rt/share/html/Admin/CustomFields/Modify.html
+++ b/rt/share/html/Admin/CustomFields/Modify.html
@@ -221,7 +221,7 @@ if ( $ARGS{'Update'} && $id ne 'new' ) {
# Update any existing values
my $values = $CustomFieldObj->ValuesObj;
while ( my $value = $values->Next ) {
- foreach my $attr qw(Name Description SortOrder Category) {
+ foreach my $attr (qw(Name Description SortOrder Category)) {
my $param = join("-", $paramtag, $value->Id, $attr);
next unless exists $ARGS{$param};
$ARGS{$param} =~ s/^\s+//;
diff --git a/rt/share/html/Search/Bulk.html b/rt/share/html/Search/Bulk.html
index 4a510ce97..9f58789ab 100755
--- a/rt/share/html/Search/Bulk.html
+++ b/rt/share/html/Search/Bulk.html
@@ -60,7 +60,7 @@
<& /Elements/ListActions, actions => \@results &>
<form method="post" action="<% RT->Config->Get('WebPath') %>/Search/Bulk.html" enctype="multipart/form-data">
-% foreach my $var qw(Query Format OrderBy Order Rows Page SavedChartSearchId) {
+% foreach my $var (qw(Query Format OrderBy Order Rows Page SavedChartSearchId)) {
<input type="hidden" class="hidden" name="<%$var%>" value="<%$ARGS{$var} || ''%>" />
%}
<& /Elements/CollectionList,
@@ -371,13 +371,13 @@ unless ( $ARGS{'AddMoreAttach'} ) {
my @watchresults =
ProcessTicketWatchers( TicketObj => $Ticket, ARGSRef => \%ARGS );
- foreach my $type qw(MergeInto DependsOn MemberOf RefersTo) {
+ foreach my $type (qw(MergeInto DependsOn MemberOf RefersTo)) {
$ARGS{ $Ticket->id . "-" . $type } = $ARGS{"Ticket-$type"};
$ARGS{ $type . "-" . $Ticket->id } = $ARGS{"$type-Ticket"};
}
@linkresults =
ProcessTicketLinks( TicketObj => $Ticket, ARGSRef => \%ARGS );
- foreach my $type qw(MergeInto DependsOn MemberOf RefersTo) {
+ foreach my $type (qw(MergeInto DependsOn MemberOf RefersTo)) {
delete $ARGS{ $type . "-" . $Ticket->id };
delete $ARGS{ $Ticket->id . "-" . $type };
}