author | Reed Loden <reed@reedloden.com> | 2012-08-31 07:48:17 +0200 |
---|---|---|
committer | Reed Loden <reed@reedloden.com> | 2012-08-31 07:48:17 +0200 |
commit | a456ec46452abaaaa5369c02886c7d5b03e592f3 (patch) | |
tree | 52e153ff5cf239589e5664b02c1ee1a794e82354 | |
parent | cc747ce58fb842897b45a67af40e178879cf384d (diff) | |
parent | 8714b6e62007c8de816a0b7f4e053e25c6de31c8 (diff) | |
Merge from bugzilla/4.2
25 files changed, 263 insertions, 70 deletions
@@ -1,5 +1,5 @@ # Don't allow people to retrieve non-cgi executable files or our private data -<FilesMatch ^(.*\.pm|.*\.pl|.*localconfig.*)$> +<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$> deny from all </FilesMatch> <IfModule mod_expires.c> diff --git a/Bugzilla/Auth/Verify/LDAP.pm b/Bugzilla/Auth/Verify/LDAP.pm index cdc802ca0..0f10f9fbf 100644 --- a/Bugzilla/Auth/Verify/LDAP.pm +++ b/Bugzilla/Auth/Verify/LDAP.pm @@ -41,6 +41,7 @@ use Bugzilla::User; use Bugzilla::Util; use Net::LDAP; +use Net::LDAP::Util qw(escape_filter_value); use constant admin_can_create_account => 0; use constant user_can_create_account => 0; @@ -144,6 +145,7 @@ sub check_credentials { sub _bz_search_params { my ($username) = @_; + $username = escape_filter_value($username); return (base => Bugzilla->params->{"LDAPBaseDN"}, scope => "sub", filter => '(&(' . Bugzilla->params->{"LDAPuidattribute"} diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index ce89a9e6d..7f98c1653 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -180,6 +180,16 @@ sub clean_search_url { # Delete leftovers from the login form $self->delete('Bugzilla_remember', 'GoAheadAndLogIn'); + # Delete the token if we're not performing an action which needs it + unless ((defined $self->param('remtype') + && ($self->param('remtype') eq 'asdefault' + || $self->param('remtype') eq 'asnamed')) + || (defined $self->param('remaction') + && $self->param('remaction') eq 'forget')) + { + $self->delete("token"); + } + foreach my $num (1,2,3) { # If there's no value in the email field, delete the related fields. if (!$self->param("email$num")) { @@ -368,7 +378,7 @@ sub param { sub _fix_utf8 { my $input = shift; # The is_utf8 is here in case CGI gets smart about utf8 someday. - utf8::decode($input) if defined $input && !utf8::is_utf8($input); + utf8::decode($input) if defined $input && !ref $input && !utf8::is_utf8($input); return $input; } diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index efa1cde4e..aba988c18 100644 
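Review bot: The new `$username = escape_filter_value($username);` line in `_bz_search_params` is the whole injection fix for the filter assembled on the following lines, but nothing says so; a later edit could move the escaping or feed the raw value to the filter again. Add above it `# Escape RFC 4515 filter metacharacters so the login name cannot change the filter's structure.` The other piece interpolated unescaped, `LDAPuidattribute`, is an admin-set parameter and presumably acceptable as trusted configuration, but that assumption deserves a word in the same comment. The body of `_bz_search_params` continues past the hunk.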
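Review bot: The new `unless` condition in `clean_search_url` re-reads `$self->param('remtype')` three times and `$self->param('remaction')` twice, which hides the simple intent (keep the token only for the save-as-default, save-as-named and forget actions). Hoist them once: `my $remtype = $self->param('remtype') || '';`, `my $remaction = $self->param('remaction') || '';`, `$self->delete('token') unless $remtype eq 'asdefault' || $remtype eq 'asnamed' || $remaction eq 'forget';`. The enclosing `clean_search_url` starts before and continues after the hunk.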
--- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -202,7 +202,7 @@ use Memoize; # CONSTANTS # # Bugzilla version -use constant BUGZILLA_VERSION => "4.2.2+"; +use constant BUGZILLA_VERSION => "4.2.3+"; # Location of the remote and local XML files to track new releases. use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml'; diff --git a/Bugzilla/DB/Oracle.pm b/Bugzilla/DB/Oracle.pm index 2cbd19a82..da263e084 100644 --- a/Bugzilla/DB/Oracle.pm +++ b/Bugzilla/DB/Oracle.pm @@ -310,8 +310,9 @@ sub adjust_statement { my $has_from = ($part =~ m/\bFROM\b/io) if $is_select; # Oracle recognizes CURRENT_DATE, but not CURRENT_DATE() - $part =~ s/\bCURRENT_DATE\b\(\)/CURRENT_DATE/io; - + # and its CURRENT_DATE is a date+time, so wrap in TRUNC() + $part =~ s/\bCURRENT_DATE\b(?:\(\))?/TRUNC(CURRENT_DATE)/io; + # Oracle use SUBSTR instead of SUBSTRING $part =~ s/\bSUBSTRING\b/SUBSTR/io; @@ -341,7 +342,8 @@ sub adjust_statement { if ($is_select and !$has_from); # Oracle recognizes CURRENT_DATE, but not CURRENT_DATE() - $nonstring =~ s/\bCURRENT_DATE\b\(\)/CURRENT_DATE/io; + # and its CURRENT_DATE is a date+time, so wrap in TRUNC() + $nonstring =~ s/\bCURRENT_DATE\b(?:\(\))?/TRUNC(CURRENT_DATE)/io; # Oracle use SUBSTR instead of SUBSTRING $nonstring =~ s/\bSUBSTRING\b/SUBSTR/io; 
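Review bot: The replacement `s/\bCURRENT_DATE\b(?:\(\))?/TRUNC(CURRENT_DATE)/io` is duplicated verbatim in both hunks of `adjust_statement` (the `$part` path and the `$nonstring` path), together with a two-line comment that now has to be kept in sync by hand. Hoist the pattern once, e.g. `my $current_date_re = qr/\bCURRENT_DATE\b(?:\(\))?/i;` near the top of the sub, and apply `s/$current_date_re/TRUNC(CURRENT_DATE)/` in both places so a future change to one path cannot be missed on the other. Note that the pattern also matches the `CURRENT_DATE` inside an already emitted `TRUNC(CURRENT_DATE)`, so passing a statement through this function twice would nest the TRUNC(); harmless for Oracle, but worth a comment if that can happen. The `/o` modifier does nothing on a pattern without interpolation and can be dropped. `adjust_statement` begins before the hunk.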
@@ -635,11 +637,25 @@ sub bz_setup_database { $self->SUPER::bz_setup_database(@_); + my $sth = $self->prepare("SELECT OBJECT_NAME FROM USER_OBJECTS WHERE OBJECT_NAME = ?"); my @tables = $self->bz_table_list_real(); + foreach my $table (@tables) { my @columns = $self->bz_table_columns_real($table); foreach my $column (@columns) { my $def = $self->bz_column_info($table, $column); + # bz_add_column() before Bugzilla 4.2.3 didn't handle primary keys + # correctly (bug 731156). We have to add missing sequences and + # triggers ourselves. + if ($def->{TYPE} =~ /SERIAL/i) { + my $sequence = "${table}_${column}_SEQ"; + my $exists = $self->selectrow_array($sth, undef, $sequence); + if (!$exists) { + my @sql = $self->_get_create_seq_ddl($table, $column); + $self->do($_) foreach @sql; + } + } + if ($def->{REFERENCES}) { my $references = $def->{REFERENCES}; my $update = $references->{UPDATE} || 'CASCADE'; @@ -653,15 +669,13 @@ sub bz_setup_database { $to_table = 'tag'; } if ( $update =~ /CASCADE/i ){ - my $trigger_name = uc($fk_name . "_UC"); - my $exist_trigger = $self->selectcol_arrayref( - "SELECT OBJECT_NAME FROM USER_OBJECTS - WHERE OBJECT_NAME = ?", undef, $trigger_name); + my $trigger_name = uc($fk_name . "_UC"); + my $exist_trigger = $self->selectcol_arrayref($sth, undef, $trigger_name); if(@$exist_trigger) { $self->do("DROP TRIGGER $trigger_name"); } - my $tr_str = "CREATE OR REPLACE TRIGGER $trigger_name" + my $tr_str = "CREATE OR REPLACE TRIGGER $trigger_name" . " AFTER UPDATE OF $to_column ON $to_table " . " REFERENCING " . " NEW AS NEW " 
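Review bot: The sequence-existence lookup compares `OBJECT_NAME` with `"${table}_${column}_SEQ"` as-is, but Oracle stores unquoted identifiers upper-cased in USER_OBJECTS, and the trigger lookup a few lines below deliberately goes through `uc(...)`; unless `bz_table_list_real()` already returns upper-cased names, the new check never finds the sequence and will re-issue `CREATE SEQUENCE` on every `checksetup.pl` run, which errors out from the second run on. Build the lookup name with `my $sequence = uc("${table}_${column}_SEQ");` (the DDL helper can keep the mixed-case name, Oracle folds it anyway). The `# bz_add_column() before Bugzilla 4.2.3 ...` comment explains what is repaired but not that the block is meant to be idempotent through the existence check; one more line saying so would help. `bz_setup_database` continues past the hunk.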
@@ -672,22 +686,46 @@ sub bz_setup_database { . " SET $column = :NEW.$to_column" . " WHERE $column = :OLD.$to_column;" . " END $trigger_name;"; - $self->do($tr_str); - } - } - } - } + $self->do($tr_str); + } + } + } + } # Drop the trigger which causes bug 541553 my $trigger_name = "PRODUCTS_MILESTONEURL"; - my $exist_trigger = $self->selectcol_arrayref( - "SELECT OBJECT_NAME FROM USER_OBJECTS - WHERE OBJECT_NAME = ?", undef, $trigger_name); + my $exist_trigger = $self->selectcol_arrayref($sth, undef, $trigger_name); if(@$exist_trigger) { $self->do("DROP TRIGGER $trigger_name"); } } +# These two methods have been copied from Bugzilla::DB::Schema::Oracle. +sub _get_create_seq_ddl { + my ($self, $table, $column) = @_; + + my $seq_name = "${table}_${column}_SEQ"; + my $seq_sql = "CREATE SEQUENCE $seq_name INCREMENT BY 1 START WITH 1 " . + "NOMAXVALUE NOCYCLE NOCACHE"; + my $trigger_sql = $self->_get_create_trigger_ddl($table, $column, $seq_name); + return ($seq_sql, $trigger_sql); +} + +sub _get_create_trigger_ddl { + my ($self, $table, $column, $seq_name) = @_; + + my $trigger_sql = "CREATE OR REPLACE TRIGGER ${table}_${column}_TR " + . " BEFORE INSERT ON $table " + . " FOR EACH ROW " + . " BEGIN " + . " SELECT ${seq_name}.NEXTVAL " + . " INTO :NEW.$column FROM DUAL; " + . " END;"; + return $trigger_sql; +} + +############################################################################ + package Bugzilla::DB::Oracle::st; use base qw(DBI::st); diff --git a/Bugzilla/DB/Schema/Oracle.pm b/Bugzilla/DB/Schema/Oracle.pm index f2d5b8be0..9fafc4515 100644 --- a/Bugzilla/DB/Schema/Oracle.pm +++ b/Bugzilla/DB/Schema/Oracle.pm 
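Review bot: `_get_create_seq_ddl` and `_get_create_trigger_ddl` are acknowledged verbatim copies from Bugzilla::DB::Schema::Oracle, so the object naming (`${table}_${column}_SEQ`, `${table}_${column}_TR`) now lives in two files that must also agree with `get_drop_column_ddl`; if the DB object can reach its schema object, delegating to the existing methods is preferable to the copy, otherwise the comment should at least state that these names must match the Schema versions. Neither helper documents its return: `_get_create_seq_ddl` returns a two-element list (the CREATE SEQUENCE statement followed by the trigger statement) while `_get_create_trigger_ddl` returns a single string; add `# Returns (create-sequence SQL, create-trigger SQL) used to emulate a SERIAL column.` above the first and `# Returns the SQL for a BEFORE INSERT trigger that fills $column from $seq_name.` above the second. The first hunk on this line is the tail of `bz_setup_database`, whose start is in the previous hunks.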
@@ -199,6 +199,31 @@ sub _get_fk_name { return $fk_name; } +sub get_add_column_ddl { + my $self = shift; + my ($table, $column, $definition, $init_value) = @_; + my @sql; + + # Create sequences and triggers to emulate SERIAL datatypes. + if ($definition->{TYPE} =~ /SERIAL/i) { + # Clone the definition to not alter the original one. + my %def = %$definition; + # Oracle requires to define the column is several steps. + my $pk = delete $def{PRIMARYKEY}; + my $notnull = delete $def{NOTNULL}; + @sql = $self->SUPER::get_add_column_ddl($table, $column, \%def, $init_value); + push(@sql, $self->_get_create_seq_ddl($table, $column)); + push(@sql, "UPDATE $table SET $column = ${table}_${column}_SEQ.NEXTVAL"); + push(@sql, "ALTER TABLE $table MODIFY $column NOT NULL") if $notnull; + push(@sql, "ALTER TABLE $table ADD PRIMARY KEY ($column)") if $pk; + } + else { + @sql = $self->SUPER::get_add_column_ddl(@_); + } + + return @sql; +} + sub get_alter_column_ddl { my ($self, $table, $column, $new_def, $set_nulls_to) = @_; @@ -364,6 +389,29 @@ sub get_rename_column_ddl { return @sql; } +sub get_drop_column_ddl { + my $self = shift; + my ($table, $column) = @_; + my @sql; + push(@sql, $self->SUPER::get_drop_column_ddl(@_)); + my $dbh=Bugzilla->dbh; + my $trigger_name = uc($table . "_" . $column); + my $exist_trigger = $dbh->selectcol_arrayref( + "SELECT OBJECT_NAME FROM USER_OBJECTS + WHERE OBJECT_NAME = ?", undef, $trigger_name); + if(@$exist_trigger) { + push(@sql, "DROP TRIGGER $trigger_name"); + } + # If this column is of type SERIAL, we need to drop the sequence + # and trigger that went along with it. + my $def = $self->get_column_abstract($table, $column); + if ($def->{TYPE} =~ /SERIAL/i) { + push(@sql, "DROP SEQUENCE ${table}_${column}_SEQ"); + push(@sql, "DROP TRIGGER ${table}_${column}_TR"); + } + return @sql; +} + sub get_rename_table_sql { my ($self, $old_name, $new_name) = @_; if (lc($old_name) eq lc($new_name)) { 
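Review bot: In `get_drop_column_ddl` the SERIAL clean-up depends on `$self->get_column_abstract($table, $column)` still describing the column being dropped; if the abstract schema is the target schema, a column being removed will normally be absent from it, `$def` comes back undef and the `DROP SEQUENCE`/`DROP TRIGGER` branch is never taken (an undef `$def` is silently autovivified by `$def->{TYPE}`, so nothing fails either). Please confirm where that definition comes from, and if it can be absent, fall back to the same USER_OBJECTS query the trigger check above uses, with the name passed through `uc(...)`. The two new drops are also unconditional and will error if the sequence or trigger never existed, which is exactly the state the `bz_setup_database` repair in this commit targets; guarding them with the existence query makes the method idempotent. `my $dbh=Bugzilla->dbh;` wants spaces around `=` to match the file. In `get_add_column_ddl`, the comment `# Oracle requires to define the column is several steps.` should read `# Oracle requires the column to be defined in several steps.`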
@@ -465,20 +513,4 @@ sub get_set_serial_sql { return @sql; } -sub get_drop_column_ddl { - my $self = shift; - my ($table, $column) = @_; - my @sql; - push(@sql, $self->SUPER::get_drop_column_ddl(@_)); - my $dbh=Bugzilla->dbh; - my $trigger_name = uc($table . "_" . $column); - my $exist_trigger = $dbh->selectcol_arrayref( - "SELECT OBJECT_NAME FROM USER_OBJECTS - WHERE OBJECT_NAME = ?", undef, $trigger_name); - if(@$exist_trigger) { - push(@sql, "DROP TRIGGER $trigger_name"); - } - return @sql; -} - 1; diff --git a/Bugzilla/DB/Schema/Pg.pm b/Bugzilla/DB/Schema/Pg.pm index ef6e5671d..d21f5099c 100644 --- a/Bugzilla/DB/Schema/Pg.pm +++ b/Bugzilla/DB/Schema/Pg.pm @@ -90,6 +90,16 @@ sub _initialize { } #eosub--_initialize #-------------------------------------------------------------------- +sub get_create_database_sql { + my ($self, $name) = @_; + # We only create as utf8 if we have no params (meaning we're doing + # a new installation) or if the utf8 param is on. + my $create_utf8 = Bugzilla->params->{'utf8'} + || !defined Bugzilla->params->{'utf8'}; + my $charset = $create_utf8 ? "ENCODING 'UTF8' TEMPLATE template0" : ''; + return ("CREATE DATABASE $name $charset"); +} + sub get_rename_column_ddl { my ($self, $table, $old_name, $new_name) = @_; if (lc($old_name) eq lc($new_name)) { diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm index 8e70a9721..a4db2e05d 100644 --- a/Bugzilla/Search.pm +++ b/Bugzilla/Search.pm 
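Review bot: `get_create_database_sql` does not say why `TEMPLATE template0` travels with the encoding: PostgreSQL only accepts an ENCODING different from the template's when cloning `template0`, so the two clauses must not be separated. Extend the comment with `# A non-default ENCODING is only accepted when cloning template0.` The result also carries a trailing space when `$charset` is empty (`CREATE DATABASE $name `), harmless but untidy; `join(' ', 'CREATE DATABASE', $name, $charset || ())` avoids it. `$name` is interpolated unquoted, which is fine as long as it only ever comes from localconfig.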
@@ -824,10 +824,19 @@ sub _add_extra_column { # These are the columns that we're going to be actually SELECTing. sub _display_columns { my ($self) = @_; - # Do not alter the list specified here at all, even if they are duplicated. - # Those are passed by the caller, and the caller expects to get them back - # in the exact same order. - $self->{display_columns} ||= [$self->_input_columns, $self->_extra_columns]; + return @{ $self->{display_columns} } if $self->{display_columns}; + + # Do not alter the list from _input_columns at all, even if there are + # duplicated columns. Those are passed by the caller, and the caller + # expects to get them back in the exact same order. + my @columns = $self->_input_columns; + + # Only add columns which are not already listed. + my %list = map { $_ => 1 } @columns; + foreach my $column ($self->_extra_columns) { + push(@columns, $column) unless $list{$column}++; + } + $self->{display_columns} = \@columns; return @{ $self->{display_columns} }; } @@ -2304,6 +2313,12 @@ sub _long_desc_changedbefore_after { }; push(@$joins, $join); $args->{term} = "$table.bug_when IS NOT NULL"; + + # If the user is not part of the insiders group, they cannot see + # private comments + if (!$self->_user->is_insider) { + $args->{term} .= " AND $table.isprivate = 0"; + } } sub _content_matches { @@ -2786,8 +2801,10 @@ sub _changedbefore_changedafter { extra => ["$table.fieldid = $field_id", "$table.bug_when $sql_operator $sql_date"], }; - push(@$joins, $join); + $args->{term} = "$table.bug_when IS NOT NULL"; + $self->_changed_security_check($args, $join); + push(@$joins, $join); } sub _changedfrom_changedto { @@ -2806,9 +2823,10 @@ sub _changedfrom_changedto { extra => ["$table.fieldid = $field_id", "$table.$column = $quoted"], }; - push(@$joins, $join); $args->{term} = "$table.bug_when IS NOT NULL"; + $self->_changed_security_check($args, $join); + push(@$joins, $join); } sub _changedby { 
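Review bot: In `_display_columns` the hash is named `%list` but it is used as a seen-set (`$list{$column}++`), which makes `push(@columns, $column) unless $list{$column}++` read like a membership lookup rather than a mark-and-test; `%seen` is the conventional name, and the post-increment must stay because it is what filters duplicates among the extra columns themselves. The two `return @{ $self->{display_columns} }` statements could be merged by falling through, but the early return is acceptable as written. The comment above the loop should state what is deduplicated and why input order is preserved, e.g. `# _input_columns come back verbatim (order and duplicates preserved for the caller); _extra_columns are appended only when not already present.`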
@@ -2827,8 +2845,32 @@ sub _changedby { extra => ["$table.fieldid = $field_id", "$table.who = $user_id"], }; - push(@$joins, $join); + $args->{term} = "$table.bug_when IS NOT NULL"; + $self->_changed_security_check($args, $join); + push(@$joins, $join); +} + +sub _changed_security_check { + my ($self, $args, $join) = @_; + my ($chart_id, $field) = @$args{qw(chart_id field)}; + + my $field_object = $self->_chart_fields->{$field} + || ThrowCodeError("invalid_field_name", { field => $field }); + my $field_id = $field_object->id; + + # If the user is not part of the insiders group, they cannot see + # changes to attachments (including attachment flags) that are private + if ($field =~ /^(?:flagtypes\.name$|attach)/ and !$self->_user->is_insider) { + $join->{then_to} = { + as => "attach_${field_id}_$chart_id", + table => 'attachments', + from => "act_${field_id}_$chart_id.attach_id", + to => 'attach_id', + }; + + $args->{term} .= " AND COALESCE(attach_${field_id}_$chart_id.isprivate, 0) = 0"; + } } ###################### diff --git a/Bugzilla/Search/Saved.pm b/Bugzilla/Search/Saved.pm index fc773fcde..99194112a 100644 --- a/Bugzilla/Search/Saved.pm +++ b/Bugzilla/Search/Saved.pm @@ -109,7 +109,7 @@ sub check { if (!$search->shared_with_group or !$user->in_group($search->shared_with_group)) { - ThrowUserError('missing_query', { queryname => $search->name, + ThrowUserError('missing_query', { name => $search->name, sharer_id => $search->user->id }); } diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index 9d736d585..0b4c1c867 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -1538,6 +1538,8 @@ sub match_field { my @logins; for my $query (@queries) { $query = trim($query); + next if $query eq ''; + my $users = match( $query, # match string $limit, # match limit diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm index 6b5d8e3ef..e62ad0570 100644 --- a/Bugzilla/WebService/Bug.pm +++ b/Bugzilla/WebService/Bug.pm 
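Review bot: `_changed_security_check` looks the field up again (`$self->_chart_fields->{$field} || ThrowCodeError(...)`) and recomputes `$field_id` although each of its three callers already holds `$field_id` (it appears in their `extra =>` clauses); passing it in as `$self->_changed_security_check($args, $join, $field_id)` removes a redundant lookup and a `ThrowCodeError` path that should be unreachable by the time this runs. The test `$field =~ /^(?:flagtypes\.name$|attach)/` mixes an exact match and a prefix match in one alternation and is easy to misread; `$field eq 'flagtypes.name' || $field =~ /^attach/` says the same thing plainly. The `then_to` join relies on the generated join being a LEFT join so that `COALESCE(..., 0) = 0` keeps history rows that are not attachment changes; if the callers' join structure guarantees that, a one-line comment saying so saves the next reader the check.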
@@ -2410,8 +2410,9 @@ B<STABLE> =item B<Description> This allows you to create a new bug in Bugzilla. If you specify any -invalid fields, they will be ignored. If you specify any fields you -are not allowed to set, they will just be set to their defaults or ignored. +invalid fields, an error will be thrown stating which field is invalid. +If you specify any fields you are not allowed to set, they will just be +set to their defaults or ignored. You cannot currently set all the items here that you can set on enter_bug.cgi. diff --git a/buglist.cgi b/buglist.cgi index b5872e05d..891fd66b4 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -214,7 +214,7 @@ sub LookupNamedQuery { Bugzilla->login(LOGIN_REQUIRED); my $query = Bugzilla::Search::Saved->check( - { user => $sharer_id, name => $name }); + { user => $sharer_id, name => $name, _error => 'missing_query' }); $query->url || ThrowUserError("buglist_parameters_required"); @@ -466,6 +466,8 @@ elsif (($cmdtype eq "doit") && defined $cgi->param('remtype')) { $user = Bugzilla->login(LOGIN_REQUIRED); my $token = $cgi->param('token'); check_hash_token($token, ['searchknob']); + $buffer = $params->canonicalise_query('cmdtype', 'remtype', + 'query_based_on', 'token'); InsertNamedQuery(DEFAULT_QUERY_NAME, $buffer); $vars->{'message'} = "buglist_new_default_query"; } diff --git a/docs/en/xml/Bugzilla-Guide.xml b/docs/en/xml/Bugzilla-Guide.xml index d00055aa9..1ed72f64a 100644 --- a/docs/en/xml/Bugzilla-Guide.xml +++ b/docs/en/xml/Bugzilla-Guide.xml @@ -32,9 +32,9 @@ For a devel release, simple bump bz-ver and bz-date --> -<!ENTITY bz-ver "4.2.2"> +<!ENTITY bz-ver "4.2.3"> <!ENTITY bz-nextver "4.4"> -<!ENTITY bz-date "2012-07-26"> +<!ENTITY bz-date "2012-08-30"> <!ENTITY current-year "2012"> <!ENTITY landfillbase "http://landfill.bugzilla.org/bugzilla-4.2-branch/"> diff --git a/js/custom-search.js b/js/custom-search.js index 0ee7d2488..73897035d 100644 --- a/js/custom-search.js +++ b/js/custom-search.js 
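Review bot: `$buffer = $params->canonicalise_query('cmdtype', 'remtype', 'query_based_on', 'token');` rebuilds the saved query without the listed parameters but gives no reason; add above it `# Strip the action parameters and the CSRF token so they are not persisted with the saved query.` (bug 772953 per the release notes in this commit). If named (non-default) queries are saved in another branch outside the hunk, confirm it applies the same exclusion list, otherwise tokens keep leaking into those. `$buffer` is declared outside the hunk.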
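Review bot: In `fix_query_string` the token field is re-enabled only on the normal path; if `YAHOO.util.Connect.setForm(form)` throws, `form['token']` stays disabled and the form's next real submit goes out without its token and fails the server-side `check_hash_token` check. Wrap the call: `var query; try { query = YAHOO.util.Connect.setForm(form); } finally { if (reenable_token) form['token'].disabled = false; }`. The same toggle-`disabled` trick appears in `search-advanced.html.tmpl`'s `remove_token` in this commit, so a short comment in both saying that disabled fields are excluded from serialization would help.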
@@ -146,7 +146,15 @@ function fix_query_string(form_member) { return; var form = YAHOO.util.Dom.getAncestorByTagName(form_member, 'form'); + // Disable the token field so setForm doesn't include it + var reenable_token = false; + if (form['token'] && !form['token'].disabled) { + form['token'].disabled = true; + reenable_token = true; + } var query = YAHOO.util.Connect.setForm(form); + if (reenable_token) + form['token'].disabled = false; window.History.replaceState(null, document.title, '?' + query); } diff --git a/skins/contrib/Dusk/global.css b/skins/contrib/Dusk/global.css index e1f8afda1..33f28965c 100644 --- a/skins/contrib/Dusk/global.css +++ b/skins/contrib/Dusk/global.css @@ -34,8 +34,8 @@ body, td, th, input { /* page title */ #titles { - -moz-border-radius-topleft: 5px; - -moz-border-radius-topright: 5px; + border-top-left-radius: 5px; + border-top-right-radius: 5px; } #header .links, #footer { @@ -44,8 +44,8 @@ body, td, th, input { } #header { - -moz-border-radius-bottomleft: 5px; - -moz-border-radius-bottomright: 5px; + border-bottom-left-radius: 5px; + border-bottom-right-radius: 5px; border: none; } @@ -65,7 +65,7 @@ body, td, th, input { border: 1px solid #747e93; padding: 10px; font-size: 10pt; - -moz-border-radius: 5px; + border-radius: 5px; } a { @@ -178,7 +178,7 @@ hr { #footer { border: 1px solid #747e93; width: 100%; - -moz-border-radius: 5px; + border-radius: 5px; } #footer #links-actions, diff --git a/skins/standard/global.css b/skins/standard/global.css index f95d4e644..f50ccd02d 100644 --- a/skins/standard/global.css +++ b/skins/standard/global.css @@ -55,8 +55,8 @@ border-left: 1px solid #747E93; border-right: 1px solid #747E93; border-bottom: 1px solid #747E93; - -moz-border-radius-bottomleft: 5px; - -moz-border-radius-bottomright: 5px; + border-bottom-left-radius: 5px; + border-bottom-right-radius: 5px; padding: 0.5em; } 
@@ -105,8 +105,8 @@ width: 100%; background-color: #404D6C; color: #fff; - -moz-border-radius-topleft: 5px; - -moz-border-radius-topright: 5px; + border-top-left-radius: 5px; + border-top-right-radius: 5px; font-size: 110%; margin: 0; padding: 0.5em; diff --git a/skins/standard/show_bug.css b/skins/standard/show_bug.css index 99c0b405e..8214ce5f4 100644 --- a/skins/standard/show_bug.css +++ b/skins/standard/show_bug.css @@ -2,7 +2,7 @@ margin: 8px 0; padding: 0.3em; background-color: rgb(208, 208, 208); - -moz-border-radius: 0.5em; + border-radius: 0.5em; font-size: 125%; font-weight: bold; } diff --git a/template/en/default/account/auth/login-small.html.tmpl b/template/en/default/account/auth/login-small.html.tmpl index 606e5c32e..6b41c17e3 100644 --- a/template/en/default/account/auth/login-small.html.tmpl +++ b/template/en/default/account/auth/login-small.html.tmpl @@ -36,8 +36,8 @@ [% IF cgi.request_method == "GET" AND cgi.query_string %] [% connector = "&" %] [% END %] - [% script_name = login_target _ connector _ "GoAheadAndLogIn=1" %] - <a id="login_link[% qs_suffix %]" href="[% script_name FILTER html %]" + [% script_url = login_target _ connector _ "GoAheadAndLogIn=1" %] + <a id="login_link[% qs_suffix %]" href="[% script_url FILTER html %]" onclick="return show_mini_login_form('[% qs_suffix %]')">Log In</a> [% Hook.process('additional_methods') %] @@ -116,7 +116,7 @@ </li> <li id="forgot_container[% qs_suffix %]"> <span class="separator">| </span> - <a id="forgot_link[% qs_suffix %]" href="[% script_name FILTER html %]#forgot" + <a id="forgot_link[% qs_suffix %]" href="[% script_url FILTER html %]#forgot" onclick="return show_forgot_form('[% qs_suffix %]')">Forgot Password</a> <form action="token.cgi" method="post" id="forgot_form[% qs_suffix %]" class="mini_forgot bz_default_hidden"> 
@@ -125,6 +125,7 @@ <input id="forgot_button[% qs_suffix %]" value="Reset Password" type="submit"> <input type="hidden" name="a" value="reqpw"> + <input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]"> <a href="#" onclick="return hide_forgot_form('[% qs_suffix %]')">[x]</a> </form> </li> diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl index ec8c11e24..0aac403a5 100644 --- a/template/en/default/account/auth/login.html.tmpl +++ b/template/en/default/account/auth/login.html.tmpl @@ -115,6 +115,7 @@ enter your email address below and submit a request to change your password.<br> <input size="35" name="loginname"> + <input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]"> <input type="submit" id="request" value="Reset Password"> </form> [% END %] diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl index ff2620589..99f06ec9d 100644 --- a/template/en/default/filterexceptions.pl +++ b/template/en/default/filterexceptions.pl @@ -153,7 +153,6 @@ 'list/table.html.tmpl' => [ 'tableheader', 'bug.bug_id', - 'abbrev.$id.title || field_descs.$id || column.title', ], 'list/list.csv.tmpl' => [ diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index f448ee4d4..b3257cea5 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1179,7 +1179,7 @@ [% title = "Missing Search" %] [% docslinks = {'query.html' => "Searching for $terms.bugs", 'query.html#list' => "$terms.Bug lists"} %] - The search named <em>[% queryname FILTER html %]</em> + The search named <em>[% name FILTER html %]</em> [% IF sharer_id && sharer_id != user.id %] has not been made visible to you. [% ELSE %] 
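Review bot: The new hidden input uses a fixed `id="token"`, while every other element in this template carries `[% qs_suffix %]` precisely because the small login form is rendered more than once per page (see `forgot_form[% qs_suffix %]` two lines above); two `#token` ids on one page is invalid HTML and makes any `getElementById('token')` pick the first one. Either drop the id (the `name` is what token.cgi reads) or suffix it: `<input type="hidden" id="token[% qs_suffix %]" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">`. The same fixed id is added in `login.html.tmpl` in the next hunk; if that page also includes the small form, it collides there too.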
diff --git a/template/en/default/list/table.html.tmpl b/template/en/default/list/table.html.tmpl index c2964f17c..547a9cbe3 100644 --- a/template/en/default/list/table.html.tmpl +++ b/template/en/default/list/table.html.tmpl @@ -139,7 +139,7 @@ [% PROCESS new_order %] [%-#%]&query_based_on= [% defaultsavename OR searchname FILTER uri %]"> - [%- abbrev.$id.title || field_descs.$id || column.title -%] + [%- abbrev.$id.title || field_descs.$id || column.title FILTER html -%] [% PROCESS order_arrow ~%] </a> </th> diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl index 11c5d5460..35963148a 100644 --- a/template/en/default/pages/release-notes.html.tmpl +++ b/template/en/default/pages/release-notes.html.tmpl 
@@ -53,6 +53,44 @@ <h2 id="v42_point">Updates in this 4.2.x Release</h2> +<h3>4.2.3</h3> + +<p>This release fixes two security issues. See the + <a href="http://www.bugzilla.org/security/3.6.10/">Security Advisory</a> + for details.</p> + +<p>In addition, the following important fixes/changes have been made in this + release:</p> + +<ul> + <li>Attaching a file to [% terms.abug %] was broken due to a change in + Perl 5.16. + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=771100">[% terms.Bug %] 771100</a>)</li> + <li>A regression in [% terms.Bugzilla %] 4.2.2 made Oracle crash when + displaying a buglist. + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=780028">[% terms.Bug %] 780028</a>)</li> + <li>It was possible to search on history for comments and attachments you + cannot see (though these private comments and attachments are never disclosed). + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=779709">[% terms.Bug %] 779709</a>)</li> + <li>PostgreSQL databases could be created with the wrong encoding despite + the utf8 parameter being enabled. + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=783786">[% terms.Bug %] 783786</a>)</li> + <li>Scheduled whines could be sent at the wrong time on Oracle. + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=559539">[% terms.Bug %] 559539</a>)</li> + <li>Tokens are no longer included in saved queries. + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=772953">[% terms.Bug %] 772953</a>)</li> + <li>An admin could unintentionally break the display of buglists if a custom + field description contains a < or > character, because these characters + were not filtered. + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=785917">[% terms.Bug %] 785917</a>)</li> + <li>Adding or removing a DB column in Oracle didn't handle SERIAL columns + correctly. 
+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=731156">[% terms.Bug %] 731156</a>)</li> + <li>A minor CSRF vulnerability in token.cgi allowed possible unauthorized + password reset e-mail requests. + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=706271">[% terms.Bug %] 706271</a>)</li> +</ul> + <h3>4.2.2</h3> <p>This release fixes two security issues. See the @@ -432,6 +470,9 @@ [%- terms.Bug %] 584742</a>: When viewing [% terms.abug %], WebKit-based browsers can automatically reset a field's selected value when the field has disabled values.</li> + <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=780053"> + [%- terms.Bug %] 780053</a>: Oracle crashes when listing keywords, tags + or flags in buglists.</li> </ul> diff --git a/template/en/default/search/search-advanced.html.tmpl b/template/en/default/search/search-advanced.html.tmpl index 2236bf5d2..780d54edd 100644 --- a/template/en/default/search/search-advanced.html.tmpl +++ b/template/en/default/search/search-advanced.html.tmpl @@ -31,12 +31,11 @@ [% js_data = BLOCK %] -var queryform = "queryform" - +var queryform = "queryform"; function remove_token() { - var asDefault = document.getElementById('remasdefault'); - if (queryform.token && asDefault && !asDefault.checked) { - queryform.token.value = ''; + if (queryform.token) { + var asDefault = document.getElementById('remasdefault'); + queryform.token.disabled = !asDefault.checked; } } [% END %] @@ -108,6 +108,11 @@ if ( $action eq 'reqpw' ) { ThrowUserError("password_change_requests_not_allowed"); } + # Check the hash token to make sure this user actually submitted + # the forgotten password form. + my $token = $cgi->param('token'); + check_hash_token($token, ['reqpw']); + validate_email_syntax($login_name) || ThrowUserError('illegal_email_address', {addr => $login_name}); |
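Review bot: The rewritten `remove_token` dropped the `asDefault &&` guard the old code had, so `!asDefault.checked` throws a TypeError whenever the `remasdefault` radio is not rendered (the old version silently left the token alone in that case). If a missing radio means the token is not needed, write `queryform.token.disabled = !(asDefault && asDefault.checked);`; otherwise keep an explicit `if (queryform.token && asDefault)` guard. A comment such as `// A disabled field is not submitted, so the token only travels with the save-as-default request` would also explain why `disabled` replaced clearing the value. The hunk's leading context lines may be outside SOURCE.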