5 files changed, 18 insertions, 9 deletions

diff --git a/rt/lib/RT/Interface/Web/Handler.pm b/rt/lib/RT/Interface/Web/Handler.pm
index 772fab0ca..4bb648451 100644
--- a/rt/lib/RT/Interface/Web/Handler.pm
+++ b/rt/lib/RT/Interface/Web/Handler.pm
@@ -260,6 +260,11 @@ sub CleanupRequest {
 
     %RT::Ticket::MERGE_CACHE = ( effective => {}, merged => {} );
 
+    # RT::System persists between requests, so its attributes cache has to be
+    # cleared manually. Without this, for example, subject tags across multiple
+    # processes will remain cached incorrectly
+    delete $RT::System->{attributes};
+
     # Explicitly remove any tmpfiles that GPG opened, and close their
     # filehandles.
     File::Temp::cleanup;
diff --git a/rt/lib/RT/Interface/Web/Menu/Item.pm b/rt/lib/RT/Interface/Web/Menu/Item.pm
index 5d8e67528..29fb13bcc 100644
--- a/rt/lib/RT/Interface/Web/Menu/Item.pm
+++ b/rt/lib/RT/Interface/Web/Menu/Item.pm
@@ -47,7 +47,8 @@
 # END BPS TAGGED BLOCK }}}
 
 package RT::Interface::Web::Menu::Item;
-
+use strict;
+use warnings;
 
 sub new {
     my $class = shift;
diff --git a/rt/lib/RT/Interface/Web/QueryBuilder.pm b/rt/lib/RT/Interface/Web/QueryBuilder.pm
index 6e462ec6f..09b95398c 100755
--- a/rt/lib/RT/Interface/Web/QueryBuilder.pm
+++ b/rt/lib/RT/Interface/Web/QueryBuilder.pm
@@ -51,9 +51,6 @@ package RT::Interface::Web::QueryBuilder;
 use strict;
 use warnings;
 
-eval "require RT::Interface::Web::QueryBuilder_Vendor";
-die $@ if ($@ && $@ !~ qr{^Can't locate RT/Interface/Web/QueryBuilder_Vendor.pm});
-eval "require RT::Interface::Web::QueryBuilder_Local";
-die $@ if ($@ && $@ !~ qr{^Can't locate RT/Interface/Web/QueryBuilder_Local.pm});
+RT::Base->_ImportOverlays();
 
 1;
diff --git a/rt/lib/RT/Interface/Web/QueryBuilder/Tree.pm b/rt/lib/RT/Interface/Web/QueryBuilder/Tree.pm
index f804e0968..493ab444d 100755
--- a/rt/lib/RT/Interface/Web/QueryBuilder/Tree.pm
+++ b/rt/lib/RT/Interface/Web/QueryBuilder/Tree.pm
@@ -285,9 +285,6 @@ sub ParseSQL {
     return @results;
 }
 
-eval "require RT::Interface::Web::QueryBuilder::Tree_Vendor";
-die $@ if ($@ && $@ !~ qr{^Can't locate RT/Interface/Web/QueryBuilder/Tree_Vendor.pm});
-eval "require RT::Interface::Web::QueryBuilder::Tree_Local";
-die $@ if ($@ && $@ !~ qr{^Can't locate RT/Interface/Web/QueryBuilder/Tree_Local.pm});
+RT::Base->_ImportOverlays();
 
 1;
diff --git a/rt/lib/RT/Interface/Web/Standalone.pm b/rt/lib/RT/Interface/Web/Standalone.pm
index 91dbac33b..3157e315e 100755
--- a/rt/lib/RT/Interface/Web/Standalone.pm
+++ b/rt/lib/RT/Interface/Web/Standalone.pm
@@ -77,6 +77,15 @@ sub handle_request {
 
     Module::Refresh->refresh if RT->Config->Get('DevelMode');
     RT::ConnectToDatabase() unless RT->InstallMode;
+
+    # Each environment has its own way of handling .. and so on in paths,
+    # so RT consistently forbids such paths.
+    if ( $cgi->path_info =~ m{/\.} ) {
+        $RT::Logger->crit("Invalid request for ".$cgi->path_info." aborting");
+        print STDOUT "HTTP/1.0 400\r\n\r\n";
+        return RT::Interface::Web::Handler->CleanupRequest();
+    }
+
     $self->SUPER::handle_request($cgi);
     $RT::Logger->crit($@) if $@ && $RT::Logger;
     warn $@ if $@ && !$RT::Logger;