author | Dave Lawrence <dlawrence@mozilla.com> | 2012-08-01 21:46:01 +0200 |
---|---|---|
committer | Dave Lawrence <dlawrence@mozilla.com> | 2012-08-01 21:46:01 +0200 |
commit | 8be9a1d8b3764e5edc1bf8445b3e7bde5392e23d (patch) | |
tree | e97840381f79639dc9a22d20d91fe154f546f952 | |
parent | a45e86a994221a2feff4cfeef8f9020671f012eb (diff) | |
parent | f6d6091eadb373ed11ed67ddf30821698c2cec9f (diff) | |
merged with bugzilla/4.2
-rw-r--r-- | Bugzilla/Constants.pm | 2 | ||||
-rw-r--r-- | Bugzilla/Hook.pm | 6 | ||||
-rw-r--r-- | Bugzilla/Template.pm | 32 | ||||
-rw-r--r-- | Bugzilla/User.pm | 2 | ||||
-rw-r--r-- | docs/en/xml/Bugzilla-Guide.xml | 4 | ||||
-rw-r--r-- | template/en/default/email/bugmail.html.tmpl | 21 | ||||
-rw-r--r-- | template/en/default/pages/release-notes.html.tmpl | 42 |
7 files changed, 81 insertions, 28 deletions
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index d0770cf73..efa1cde4e 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -202,7 +202,7 @@ use Memoize;
 # CONSTANTS
 #
 # Bugzilla version
-use constant BUGZILLA_VERSION => "4.2.1+";
+use constant BUGZILLA_VERSION => "4.2.2+";
 
 # Location of the remote and local XML files to track new releases.
 use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml';
diff --git a/Bugzilla/Hook.pm b/Bugzilla/Hook.pm
index da17946c0..c658989a0 100644
--- a/Bugzilla/Hook.pm
+++ b/Bugzilla/Hook.pm
@@ -426,6 +426,12 @@ Sometimes this is C<undef>, meaning that we are parsing text that is not
 a bug comment (but could still be some other part of a bug, like the
 summary line).
 
+=item C<user>
+
+The L<Bugzilla::User> object representing the user who will see the text.
+This is useful to determine how much confidential information can be displayed
+to the user.
+
 =back
 
 =head2 buglist_columns
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 870053b46..245d881d3 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -153,8 +153,9 @@ sub get_format {
 
 # If you want to modify this routine, read the comments carefully
 sub quoteUrls {
-    my ($text, $bug, $comment) = (@_);
+    my ($text, $bug, $comment, $user) = @_;
     return $text unless $text;
+    $user ||= Bugzilla->user;
 
     # We use /g for speed, but uris can have other things inside them
     # (http://foo/bug#3 for example). Filtering that out filters valid
@@ -184,7 +185,7 @@ sub quoteUrls {
     my @hook_regexes;
     Bugzilla::Hook::process('bug_format_comment',
         { text => \$text, bug => $bug, regexes => \@hook_regexes,
-          comment => $comment });
+          comment => $comment, user => $user });
 
     foreach my $re (@hook_regexes) {
         my ($match, $replace) = @$re{qw(match replace)};
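Review bot: The new `$user ||= Bugzilla->user;` fallback in quoteUrls means a caller that omits the fourth argument silently renders links for the process-level user instead of the intended viewer, which appears to be the very situation this change is guarding against; the same fallback is repeated in get_attachment_link and get_bug_link in the later hunks. Because a missing argument degrades silently rather than failing, a short comment stating the contract would help keep future call sites honest, e.g. `# $user is whoever will SEE the rendered text (e.g. a bugmail recipient); fall back to the logged-in user only for interactive page rendering.` Whether Bugzilla->user is set to the recipient while bugmail is generated is not visible in this diff, so that assumption is worth confirming. quoteUrls continues past the end of the hunk.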
@@ -206,7 +207,7 @@ sub quoteUrls {
         map { qr/$_/ } grep($_, Bugzilla->params->{'urlbase'},
                             Bugzilla->params->{'sslbase'})) . ')';
     $text =~ s~\b(${urlbase_re}\Qshow_bug.cgi?id=\E([0-9]+)(\#c([0-9]+))?)\b
-              ~($things[$count++] = get_bug_link($3, $1, { comment_num => $5 })) &&
+              ~($things[$count++] = get_bug_link($3, $1, { comment_num => $5, user => $user })) &&
               ("\0\0" . ($count-1) . "\0\0")
              ~egox;
 
@@ -236,7 +237,7 @@ sub quoteUrls {
     # attachment links
     # BMO: Bug 652332 dkl@mozilla.com 2011-07-20
     $text =~ s~\b(attachment\s*\#?\s*(\d+)(?:\s+\[diff\])?(?:\s+\[details\])?)
-              ~($things[$count++] = get_attachment_link($2, $1)) &&
+              ~($things[$count++] = get_attachment_link($2, $1, $user)) &&
               ("\0\0" . ($count-1) . "\0\0")
              ~egmxi;
 
@@ -253,7 +254,7 @@ sub quoteUrls {
     $text =~ s~\b($bug_re(?:\s*,?\s*$comment_re)?|$comment_re)
               ~ # We have several choices. $1 here is the link, and $2-4 are set
                 # depending on which part matched
-               (defined($2) ? get_bug_link($2, $1, { comment_num => $3 }) :
+               (defined($2) ? get_bug_link($2, $1, { comment_num => $3, user => $user }) :
                               "<a href=\"$current_bugurl#c$4\">$1</a>")
               ~egox;
 
@@ -262,7 +263,7 @@ sub quoteUrls {
     $text =~ s~(?<=^\*\*\*\ This\ bug\ has\ been\ marked\ as\ a\ duplicate\ of\ )
                (\d+)
               (?=\ \*\*\*\Z)
-              ~get_bug_link($1, $1)
+              ~get_bug_link($1, $1, { user => $user })
               ~egmx;
 
     # Now remove the encoding hacks in reverse order
@@ -276,15 +277,18 @@ sub quoteUrls {
 
 # Creates a link to an attachment, including its title.
 sub get_attachment_link {
-    my ($attachid, $link_text) = @_;
+    my ($attachid, $link_text, $user) = @_;
     my $dbh = Bugzilla->dbh;
+    $user ||= Bugzilla->user;
 
     my $attachment = new Bugzilla::Attachment($attachid);
 
     if ($attachment) {
         my $title = "";
         my $className = "";
-        if (Bugzilla->user->can_see_bug($attachment->bug_id)) {
+        if ($user->can_see_bug($attachment->bug_id)
+            && (!$attachment->isprivate || $user->is_insider))
+        {
             $title = $attachment->description;
         }
         if ($attachment->isobsolete) {
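Review bot: get_attachment_link now receives the viewer as a bare third positional argument (`get_attachment_link($2, $1, $user)`) while its sibling get_bug_link receives it inside an options hash (`{ user => $user }`); the two helpers are invoked side by side in quoteUrls, so the asymmetry invites a caller to pass the wrong shape, and a hashref handed to get_attachment_link would only fail later when `$user->can_see_bug` is called on it. Accepting `{ user => $user }` in get_attachment_link as well would keep the two signatures parallel. Separately, the new `!$attachment->isprivate || $user->is_insider` guard only blanks `$title`; whether a link is still emitted at all for an attachment the viewer cannot see is decided in the part of the sub that lies outside this hunk.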
@@ -326,6 +330,7 @@ sub get_attachment_link {
 sub get_bug_link {
     my ($bug, $link_text, $options) = @_;
     $options ||= {};
+    $options->{user} ||= Bugzilla->user;
     my $dbh = Bugzilla->dbh;
 
     if (defined $bug) {
@@ -714,10 +719,10 @@ sub create {
             clean_text => \&Bugzilla::Util::clean_text ,
 
             quoteUrls => [ sub {
-                               my ($context, $bug, $comment) = @_;
+                               my ($context, $bug, $comment, $user) = @_;
                                return sub {
                                    my $text = shift;
-                                   return quoteUrls($text, $bug, $comment);
+                                   return quoteUrls($text, $bug, $comment, $user);
                                };
                            },
                            1
@@ -733,10 +738,9 @@ sub create {
                            1
                          ],
 
-            bug_list_link => sub
-            {
-                my $buglist = shift;
-                return join(", ", map(get_bug_link($_, $_), split(/ *, */, $buglist)));
+            bug_list_link => sub {
+                my ($buglist, $options) = @_;
+                return join(", ", map(get_bug_link($_, $_, $options), split(/ *, */, $buglist)));
             },
 
             # In CSV, quotes are doubled, and any value containing a quote or a
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 60dbb5f83..9d736d585 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1079,7 +1079,7 @@ sub get_accessible_products {
                        @{$self->get_selectable_products},
                        @{$self->get_enterable_products};
 
-    return [ values %products ];
+    return [ sort { $a->name cmp $b->name } values %products ];
 }
 
 sub check_can_admin_product {
diff --git a/docs/en/xml/Bugzilla-Guide.xml b/docs/en/xml/Bugzilla-Guide.xml
index bfb1146d9..d00055aa9 100644
--- a/docs/en/xml/Bugzilla-Guide.xml
+++ b/docs/en/xml/Bugzilla-Guide.xml
@@ -32,9 +32,9 @@
 For a devel release, simple bump bz-ver and bz-date
 -->
 
-<!ENTITY bz-ver "4.2.1">
+<!ENTITY bz-ver "4.2.2">
 <!ENTITY bz-nextver "4.4">
-<!ENTITY bz-date "2012-04-18">
+<!ENTITY bz-date "2012-07-26">
 <!ENTITY current-year "2012">
 
 <!ENTITY landfillbase "http://landfill.bugzilla.org/bugzilla-4.2-branch/">
diff --git a/template/en/default/email/bugmail.html.tmpl b/template/en/default/email/bugmail.html.tmpl
index 92174fb3b..3d1c291a2 100644
--- a/template/en/default/email/bugmail.html.tmpl
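Review bot: `$options->{user} ||= Bugzilla->user;` in get_bug_link writes into the caller's hashref, so a caller that reuses one options hash across several viewers keeps whichever user was resolved first; the new bug_list_link closure forwards its `$options` unchanged to every get_bug_link call, and a template could hold that hash across recipients. Copying before defaulting avoids the surprise: replace `$options ||= {};` with `$options = { %{ $options || {} } };` and keep `$options->{user} ||= Bugzilla->user;` after it. The remainder of get_bug_link is outside the hunk, so whether its title/visibility lookup reads `$options->{user}` rather than Bugzilla->user cannot be confirmed from here and should be checked.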
+++ b/template/en/default/email/bugmail.html.tmpl
@@ -31,12 +31,12 @@
 [% FOREACH comment = new_comments.reverse %]
   <div>
     [% IF comment.count %]
-      <b>[% "Comment # ${comment.count}" FILTER bug_link( bug,
-             {comment_num => comment.count, full_url => 1}) FILTER none %]
-      on [% "$terms.bug $bug.id" FILTER bug_link( bug, { full_url => 1 }) FILTER none %]
+      <b>[% "Comment # ${comment.count}" FILTER bug_link(bug,
+             {comment_num => comment.count, full_url => 1, user => to_user}) FILTER none %]
+      on [% "$terms.bug $bug.id" FILTER bug_link(bug, { full_url => 1, user => to_user }) FILTER none %]
       from [% INCLUDE global/user.html.tmpl who = comment.author %]</b>
     [% END %]
-    <pre>[% comment.body_full({ wrap => 1 }) FILTER quoteUrls(bug, comment) %]</pre>
+    <pre>[% comment.body_full({ wrap => 1 }) FILTER quoteUrls(bug, comment, to_user) %]</pre>
   </div>
 [% END %]
 </p>
@@ -84,13 +84,14 @@
         [% SET in_table = 0 %]
       [% END %]
       [% IF change.blocker %]
-        [% "${terms.Bug} ${bug.id}" FILTER bug_link(bug, full_url => 1) FILTER none %] depends
-        on [% "${terms.bug} ${change.blocker.id}"
-           FILTER bug_link(change.blocker, full_url => 1) FILTER none %],
+        [% "${terms.Bug} ${bug.id}" FILTER bug_link(bug, {full_url => 1, user => to_user}) FILTER none %]
+        depends on
+        [%+ "${terms.bug} ${change.blocker.id}"
+           FILTER bug_link(change.blocker, {full_url => 1, user => to_user}) FILTER none %],
         which changed state.
       [% ELSE %]
-        [% INCLUDE global/user.html.tmpl who = change.who %]
-        changed [% "${terms.Bug} ${bug.id}" FILTER bug_link(bug, full_url => 1) FILTER none %]
+        [% INCLUDE global/user.html.tmpl who = change.who %] changed
+        [%+ "${terms.bug} ${bug.id}" FILTER bug_link(bug, {full_url => 1, user => to_user}) FILTER none %]
       [% END %]
       <br>
       [% IF in_table == 0 %]
@@ -114,7 +115,7 @@
             <th>[% field_label FILTER html %]</th>
             <td>
               [% IF change.field_name == "bug_id" %]
-                [% new_value FILTER bug_link(bug, full_url => 1) FILTER none %]
+                [% new_value FILTER bug_link(bug, {full_url => 1, user => to_user}) FILTER none %]
               [% ELSE %]
                 [% new_value FILTER html %]
               [% END %]
diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl
index 3cba64406..11c5d5460 100644
--- a/template/en/default/pages/release-notes.html.tmpl
+++ b/template/en/default/pages/release-notes.html.tmpl
@@ -53,6 +53,48 @@
 <h2 id="v42_point">Updates in this 4.2.x Release</h2>
 
+<h3>4.2.2</h3>
+
+<p>This release fixes two security issues. See the
+  <a href="http://www.bugzilla.org/security/3.6.9/">Security Advisory</a>
+  for details.</p>
+
+<p>In addition, the following important fixes/changes have been made in this
+  release:</p>
+
+<ul>
+  <li>A regression introduced in [% terms.Bugzilla %] 4.0 caused some login
+    names to be ignored when entered in the CC list of [% terms.bugs %].
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=756314">[% terms.Bug %] 756314</a>)</li>
+  <li>Some queries could trigger an invalid SQL query if strings entered by
+    the user contained leading or trailing whitespaces.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=760075">[% terms.Bug %] 760075</a>)</li>
+  <li>The auto-completion form for keywords no longer automatically selects
+    the first keyword in the list when the field is empty.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=764517">[% terms.Bug %] 764517</a>)</li>
+  <li>A regression in [% terms.Bugzilla %] 4.2 prevented classifications
+    from being used in graphical and tabular reports in the "Multiple Tables"
+    field.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=753688">[% terms.Bug %] 753688</a>)</li>
+  <li>Attachments created by the <kbd>email_in.pl</kbd> script were associated
+    to the wrong comment.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=762785">[% terms.Bug %] 762785</a>)</li>
+  <li>Very long dependency lists can now be viewed correctly.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=762783">[% terms.Bug %] 762783</a>)</li>
+  <li>Keywords are now correctly escaped in the auto-completion form to prevent
+    any XSS abuse.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=754561">[% terms.Bug %] 754561</a>)</li>
+  <li>A regression introduced in [% terms.Bugzilla %] 4.0rc2 when fixing
+    CVE-2011-0046 caused the "Un-forget the search" link to not work correctly
+    anymore when restoring a deleted saved search, because this link was
+    lacking a valid token.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=768870">[% terms.Bug %] 768870</a>)</li>
+  <li>Two minor CSRF vulnerabilities have been fixed which could let an attacker
+    alter your default search criteria in the Advanced Search page.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=754672">[% terms.Bugs %] 754672</a>
+    and <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=754673">754673</a>)</li>
+</ul>
+
 <h3>4.2.1</h3>
 
 <p>This release fixes two security issues. See the |