summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorReed Loden <reed@reedloden.com>2012-08-31 07:48:17 +0200
committerReed Loden <reed@reedloden.com>2012-08-31 07:48:17 +0200
commita456ec46452abaaaa5369c02886c7d5b03e592f3 (patch)
tree52e153ff5cf239589e5664b02c1ee1a794e82354
parentcc747ce58fb842897b45a67af40e178879cf384d (diff)
parent8714b6e62007c8de816a0b7f4e053e25c6de31c8 (diff)
downloadbugzilla-a456ec46452abaaaa5369c02886c7d5b03e592f3.tar.gz
bugzilla-a456ec46452abaaaa5369c02886c7d5b03e592f3.tar.xz
Merge from bugzilla/4.2
-rw-r--r--.htaccess2
-rw-r--r--Bugzilla/Auth/Verify/LDAP.pm2
-rw-r--r--Bugzilla/CGI.pm12
-rw-r--r--Bugzilla/Constants.pm2
-rw-r--r--Bugzilla/DB/Oracle.pm70
-rw-r--r--Bugzilla/DB/Schema/Oracle.pm64
-rw-r--r--Bugzilla/DB/Schema/Pg.pm10
-rw-r--r--Bugzilla/Search.pm56
-rw-r--r--Bugzilla/Search/Saved.pm2
-rw-r--r--Bugzilla/User.pm2
-rw-r--r--Bugzilla/WebService/Bug.pm5
-rwxr-xr-xbuglist.cgi4
-rw-r--r--docs/en/xml/Bugzilla-Guide.xml4
-rw-r--r--js/custom-search.js8
-rw-r--r--skins/contrib/Dusk/global.css12
-rw-r--r--skins/standard/global.css8
-rw-r--r--skins/standard/show_bug.css2
-rw-r--r--template/en/default/account/auth/login-small.html.tmpl7
-rw-r--r--template/en/default/account/auth/login.html.tmpl1
-rw-r--r--template/en/default/filterexceptions.pl1
-rw-r--r--template/en/default/global/user-error.html.tmpl2
-rw-r--r--template/en/default/list/table.html.tmpl2
-rw-r--r--template/en/default/pages/release-notes.html.tmpl41
-rw-r--r--template/en/default/search/search-advanced.html.tmpl9
-rwxr-xr-xtoken.cgi5
25 files changed, 263 insertions, 70 deletions
diff --git a/.htaccess b/.htaccess
index f201b00cd..02b7411dd 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,5 +1,5 @@
# Don't allow people to retrieve non-cgi executable files or our private data
-<FilesMatch ^(.*\.pm|.*\.pl|.*localconfig.*)$>
+<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
deny from all
</FilesMatch>
<IfModule mod_expires.c>
diff --git a/Bugzilla/Auth/Verify/LDAP.pm b/Bugzilla/Auth/Verify/LDAP.pm
index cdc802ca0..0f10f9fbf 100644
--- a/Bugzilla/Auth/Verify/LDAP.pm
+++ b/Bugzilla/Auth/Verify/LDAP.pm
@@ -41,6 +41,7 @@ use Bugzilla::User;
use Bugzilla::Util;
use Net::LDAP;
+use Net::LDAP::Util qw(escape_filter_value);
use constant admin_can_create_account => 0;
use constant user_can_create_account => 0;
@@ -144,6 +145,7 @@ sub check_credentials {
sub _bz_search_params {
my ($username) = @_;
+ $username = escape_filter_value($username);
return (base => Bugzilla->params->{"LDAPBaseDN"},
scope => "sub",
filter => '(&(' . Bugzilla->params->{"LDAPuidattribute"}
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index ce89a9e6d..7f98c1653 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -180,6 +180,16 @@ sub clean_search_url {
# Delete leftovers from the login form
$self->delete('Bugzilla_remember', 'GoAheadAndLogIn');
+ # Delete the token if we're not performing an action which needs it
+ unless ((defined $self->param('remtype')
+ && ($self->param('remtype') eq 'asdefault'
+ || $self->param('remtype') eq 'asnamed'))
+ || (defined $self->param('remaction')
+ && $self->param('remaction') eq 'forget'))
+ {
+ $self->delete("token");
+ }
+
foreach my $num (1,2,3) {
# If there's no value in the email field, delete the related fields.
if (!$self->param("email$num")) {
@@ -368,7 +378,7 @@ sub param {
sub _fix_utf8 {
my $input = shift;
# The is_utf8 is here in case CGI gets smart about utf8 someday.
- utf8::decode($input) if defined $input && !utf8::is_utf8($input);
+ utf8::decode($input) if defined $input && !ref $input && !utf8::is_utf8($input);
return $input;
}
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index efa1cde4e..aba988c18 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -202,7 +202,7 @@ use Memoize;
# CONSTANTS
#
# Bugzilla version
-use constant BUGZILLA_VERSION => "4.2.2+";
+use constant BUGZILLA_VERSION => "4.2.3+";
# Location of the remote and local XML files to track new releases.
use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml';
diff --git a/Bugzilla/DB/Oracle.pm b/Bugzilla/DB/Oracle.pm
index 2cbd19a82..da263e084 100644
--- a/Bugzilla/DB/Oracle.pm
+++ b/Bugzilla/DB/Oracle.pm
@@ -310,8 +310,9 @@ sub adjust_statement {
my $has_from = ($part =~ m/\bFROM\b/io) if $is_select;
# Oracle recognizes CURRENT_DATE, but not CURRENT_DATE()
- $part =~ s/\bCURRENT_DATE\b\(\)/CURRENT_DATE/io;
-
+ # and its CURRENT_DATE is a date+time, so wrap in TRUNC()
+ $part =~ s/\bCURRENT_DATE\b(?:\(\))?/TRUNC(CURRENT_DATE)/io;
+
# Oracle use SUBSTR instead of SUBSTRING
$part =~ s/\bSUBSTRING\b/SUBSTR/io;
@@ -341,7 +342,8 @@ sub adjust_statement {
if ($is_select and !$has_from);
# Oracle recognizes CURRENT_DATE, but not CURRENT_DATE()
- $nonstring =~ s/\bCURRENT_DATE\b\(\)/CURRENT_DATE/io;
+ # and its CURRENT_DATE is a date+time, so wrap in TRUNC()
+ $nonstring =~ s/\bCURRENT_DATE\b(?:\(\))?/TRUNC(CURRENT_DATE)/io;
# Oracle use SUBSTR instead of SUBSTRING
$nonstring =~ s/\bSUBSTRING\b/SUBSTR/io;
@@ -635,11 +637,25 @@ sub bz_setup_database {
$self->SUPER::bz_setup_database(@_);
+ my $sth = $self->prepare("SELECT OBJECT_NAME FROM USER_OBJECTS WHERE OBJECT_NAME = ?");
my @tables = $self->bz_table_list_real();
+
foreach my $table (@tables) {
my @columns = $self->bz_table_columns_real($table);
foreach my $column (@columns) {
my $def = $self->bz_column_info($table, $column);
+ # bz_add_column() before Bugzilla 4.2.3 didn't handle primary keys
+ # correctly (bug 731156). We have to add missing sequences and
+ # triggers ourselves.
+ if ($def->{TYPE} =~ /SERIAL/i) {
+ my $sequence = "${table}_${column}_SEQ";
+ my $exists = $self->selectrow_array($sth, undef, $sequence);
+ if (!$exists) {
+ my @sql = $self->_get_create_seq_ddl($table, $column);
+ $self->do($_) foreach @sql;
+ }
+ }
+
if ($def->{REFERENCES}) {
my $references = $def->{REFERENCES};
my $update = $references->{UPDATE} || 'CASCADE';
@@ -653,15 +669,13 @@ sub bz_setup_database {
$to_table = 'tag';
}
if ( $update =~ /CASCADE/i ){
- my $trigger_name = uc($fk_name . "_UC");
- my $exist_trigger = $self->selectcol_arrayref(
- "SELECT OBJECT_NAME FROM USER_OBJECTS
- WHERE OBJECT_NAME = ?", undef, $trigger_name);
+ my $trigger_name = uc($fk_name . "_UC");
+ my $exist_trigger = $self->selectcol_arrayref($sth, undef, $trigger_name);
if(@$exist_trigger) {
$self->do("DROP TRIGGER $trigger_name");
}
- my $tr_str = "CREATE OR REPLACE TRIGGER $trigger_name"
+ my $tr_str = "CREATE OR REPLACE TRIGGER $trigger_name"
. " AFTER UPDATE OF $to_column ON $to_table "
. " REFERENCING "
. " NEW AS NEW "
@@ -672,22 +686,46 @@ sub bz_setup_database {
. " SET $column = :NEW.$to_column"
. " WHERE $column = :OLD.$to_column;"
. " END $trigger_name;";
- $self->do($tr_str);
- }
- }
- }
- }
+ $self->do($tr_str);
+ }
+ }
+ }
+ }
# Drop the trigger which causes bug 541553
my $trigger_name = "PRODUCTS_MILESTONEURL";
- my $exist_trigger = $self->selectcol_arrayref(
- "SELECT OBJECT_NAME FROM USER_OBJECTS
- WHERE OBJECT_NAME = ?", undef, $trigger_name);
+ my $exist_trigger = $self->selectcol_arrayref($sth, undef, $trigger_name);
if(@$exist_trigger) {
$self->do("DROP TRIGGER $trigger_name");
}
}
+# These two methods have been copied from Bugzilla::DB::Schema::Oracle.
+sub _get_create_seq_ddl {
+ my ($self, $table, $column) = @_;
+
+ my $seq_name = "${table}_${column}_SEQ";
+ my $seq_sql = "CREATE SEQUENCE $seq_name INCREMENT BY 1 START WITH 1 " .
+ "NOMAXVALUE NOCYCLE NOCACHE";
+ my $trigger_sql = $self->_get_create_trigger_ddl($table, $column, $seq_name);
+ return ($seq_sql, $trigger_sql);
+}
+
+sub _get_create_trigger_ddl {
+ my ($self, $table, $column, $seq_name) = @_;
+
+ my $trigger_sql = "CREATE OR REPLACE TRIGGER ${table}_${column}_TR "
+ . " BEFORE INSERT ON $table "
+ . " FOR EACH ROW "
+ . " BEGIN "
+ . " SELECT ${seq_name}.NEXTVAL "
+ . " INTO :NEW.$column FROM DUAL; "
+ . " END;";
+ return $trigger_sql;
+}
+
+############################################################################
+
package Bugzilla::DB::Oracle::st;
use base qw(DBI::st);
diff --git a/Bugzilla/DB/Schema/Oracle.pm b/Bugzilla/DB/Schema/Oracle.pm
index f2d5b8be0..9fafc4515 100644
--- a/Bugzilla/DB/Schema/Oracle.pm
+++ b/Bugzilla/DB/Schema/Oracle.pm
@@ -199,6 +199,31 @@ sub _get_fk_name {
return $fk_name;
}
+sub get_add_column_ddl {
+ my $self = shift;
+ my ($table, $column, $definition, $init_value) = @_;
+ my @sql;
+
+ # Create sequences and triggers to emulate SERIAL datatypes.
+ if ($definition->{TYPE} =~ /SERIAL/i) {
+ # Clone the definition to not alter the original one.
+ my %def = %$definition;
+ # Oracle requires to define the column is several steps.
+ my $pk = delete $def{PRIMARYKEY};
+ my $notnull = delete $def{NOTNULL};
+ @sql = $self->SUPER::get_add_column_ddl($table, $column, \%def, $init_value);
+ push(@sql, $self->_get_create_seq_ddl($table, $column));
+ push(@sql, "UPDATE $table SET $column = ${table}_${column}_SEQ.NEXTVAL");
+ push(@sql, "ALTER TABLE $table MODIFY $column NOT NULL") if $notnull;
+ push(@sql, "ALTER TABLE $table ADD PRIMARY KEY ($column)") if $pk;
+ }
+ else {
+ @sql = $self->SUPER::get_add_column_ddl(@_);
+ }
+
+ return @sql;
+}
+
sub get_alter_column_ddl {
my ($self, $table, $column, $new_def, $set_nulls_to) = @_;
@@ -364,6 +389,29 @@ sub get_rename_column_ddl {
return @sql;
}
+sub get_drop_column_ddl {
+ my $self = shift;
+ my ($table, $column) = @_;
+ my @sql;
+ push(@sql, $self->SUPER::get_drop_column_ddl(@_));
+ my $dbh=Bugzilla->dbh;
+ my $trigger_name = uc($table . "_" . $column);
+ my $exist_trigger = $dbh->selectcol_arrayref(
+ "SELECT OBJECT_NAME FROM USER_OBJECTS
+ WHERE OBJECT_NAME = ?", undef, $trigger_name);
+ if(@$exist_trigger) {
+ push(@sql, "DROP TRIGGER $trigger_name");
+ }
+ # If this column is of type SERIAL, we need to drop the sequence
+ # and trigger that went along with it.
+ my $def = $self->get_column_abstract($table, $column);
+ if ($def->{TYPE} =~ /SERIAL/i) {
+ push(@sql, "DROP SEQUENCE ${table}_${column}_SEQ");
+ push(@sql, "DROP TRIGGER ${table}_${column}_TR");
+ }
+ return @sql;
+}
+
sub get_rename_table_sql {
my ($self, $old_name, $new_name) = @_;
if (lc($old_name) eq lc($new_name)) {
@@ -465,20 +513,4 @@ sub get_set_serial_sql {
return @sql;
}
-sub get_drop_column_ddl {
- my $self = shift;
- my ($table, $column) = @_;
- my @sql;
- push(@sql, $self->SUPER::get_drop_column_ddl(@_));
- my $dbh=Bugzilla->dbh;
- my $trigger_name = uc($table . "_" . $column);
- my $exist_trigger = $dbh->selectcol_arrayref(
- "SELECT OBJECT_NAME FROM USER_OBJECTS
- WHERE OBJECT_NAME = ?", undef, $trigger_name);
- if(@$exist_trigger) {
- push(@sql, "DROP TRIGGER $trigger_name");
- }
- return @sql;
-}
-
1;
diff --git a/Bugzilla/DB/Schema/Pg.pm b/Bugzilla/DB/Schema/Pg.pm
index ef6e5671d..d21f5099c 100644
--- a/Bugzilla/DB/Schema/Pg.pm
+++ b/Bugzilla/DB/Schema/Pg.pm
@@ -90,6 +90,16 @@ sub _initialize {
} #eosub--_initialize
#--------------------------------------------------------------------
+sub get_create_database_sql {
+ my ($self, $name) = @_;
+ # We only create as utf8 if we have no params (meaning we're doing
+ # a new installation) or if the utf8 param is on.
+ my $create_utf8 = Bugzilla->params->{'utf8'}
+ || !defined Bugzilla->params->{'utf8'};
+ my $charset = $create_utf8 ? "ENCODING 'UTF8' TEMPLATE template0" : '';
+ return ("CREATE DATABASE $name $charset");
+}
+
sub get_rename_column_ddl {
my ($self, $table, $old_name, $new_name) = @_;
if (lc($old_name) eq lc($new_name)) {
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 8e70a9721..a4db2e05d 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -824,10 +824,19 @@ sub _add_extra_column {
# These are the columns that we're going to be actually SELECTing.
sub _display_columns {
my ($self) = @_;
- # Do not alter the list specified here at all, even if they are duplicated.
- # Those are passed by the caller, and the caller expects to get them back
- # in the exact same order.
- $self->{display_columns} ||= [$self->_input_columns, $self->_extra_columns];
+ return @{ $self->{display_columns} } if $self->{display_columns};
+
+ # Do not alter the list from _input_columns at all, even if there are
+ # duplicated columns. Those are passed by the caller, and the caller
+ # expects to get them back in the exact same order.
+ my @columns = $self->_input_columns;
+
+ # Only add columns which are not already listed.
+ my %list = map { $_ => 1 } @columns;
+ foreach my $column ($self->_extra_columns) {
+ push(@columns, $column) unless $list{$column}++;
+ }
+ $self->{display_columns} = \@columns;
return @{ $self->{display_columns} };
}
@@ -2304,6 +2313,12 @@ sub _long_desc_changedbefore_after {
};
push(@$joins, $join);
$args->{term} = "$table.bug_when IS NOT NULL";
+
+ # If the user is not part of the insiders group, they cannot see
+ # private comments
+ if (!$self->_user->is_insider) {
+ $args->{term} .= " AND $table.isprivate = 0";
+ }
}
sub _content_matches {
@@ -2786,8 +2801,10 @@ sub _changedbefore_changedafter {
extra => ["$table.fieldid = $field_id",
"$table.bug_when $sql_operator $sql_date"],
};
- push(@$joins, $join);
+
$args->{term} = "$table.bug_when IS NOT NULL";
+ $self->_changed_security_check($args, $join);
+ push(@$joins, $join);
}
sub _changedfrom_changedto {
@@ -2806,9 +2823,10 @@ sub _changedfrom_changedto {
extra => ["$table.fieldid = $field_id",
"$table.$column = $quoted"],
};
- push(@$joins, $join);
$args->{term} = "$table.bug_when IS NOT NULL";
+ $self->_changed_security_check($args, $join);
+ push(@$joins, $join);
}
sub _changedby {
@@ -2827,8 +2845,32 @@ sub _changedby {
extra => ["$table.fieldid = $field_id",
"$table.who = $user_id"],
};
- push(@$joins, $join);
+
$args->{term} = "$table.bug_when IS NOT NULL";
+ $self->_changed_security_check($args, $join);
+ push(@$joins, $join);
+}
+
+sub _changed_security_check {
+ my ($self, $args, $join) = @_;
+ my ($chart_id, $field) = @$args{qw(chart_id field)};
+
+ my $field_object = $self->_chart_fields->{$field}
+ || ThrowCodeError("invalid_field_name", { field => $field });
+ my $field_id = $field_object->id;
+
+ # If the user is not part of the insiders group, they cannot see
+ # changes to attachments (including attachment flags) that are private
+ if ($field =~ /^(?:flagtypes\.name$|attach)/ and !$self->_user->is_insider) {
+ $join->{then_to} = {
+ as => "attach_${field_id}_$chart_id",
+ table => 'attachments',
+ from => "act_${field_id}_$chart_id.attach_id",
+ to => 'attach_id',
+ };
+
+ $args->{term} .= " AND COALESCE(attach_${field_id}_$chart_id.isprivate, 0) = 0";
+ }
}
######################
diff --git a/Bugzilla/Search/Saved.pm b/Bugzilla/Search/Saved.pm
index fc773fcde..99194112a 100644
--- a/Bugzilla/Search/Saved.pm
+++ b/Bugzilla/Search/Saved.pm
@@ -109,7 +109,7 @@ sub check {
if (!$search->shared_with_group
or !$user->in_group($search->shared_with_group))
{
- ThrowUserError('missing_query', { queryname => $search->name,
+ ThrowUserError('missing_query', { name => $search->name,
sharer_id => $search->user->id });
}
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 9d736d585..0b4c1c867 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1538,6 +1538,8 @@ sub match_field {
my @logins;
for my $query (@queries) {
$query = trim($query);
+ next if $query eq '';
+
my $users = match(
$query, # match string
$limit, # match limit
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
index 6b5d8e3ef..e62ad0570 100644
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -2410,8 +2410,9 @@ B<STABLE>
=item B<Description>
This allows you to create a new bug in Bugzilla. If you specify any
-invalid fields, they will be ignored. If you specify any fields you
-are not allowed to set, they will just be set to their defaults or ignored.
+invalid fields, an error will be thrown stating which field is invalid.
+If you specify any fields you are not allowed to set, they will just be
+set to their defaults or ignored.
You cannot currently set all the items here that you can set on enter_bug.cgi.
diff --git a/buglist.cgi b/buglist.cgi
index b5872e05d..891fd66b4 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -214,7 +214,7 @@ sub LookupNamedQuery {
Bugzilla->login(LOGIN_REQUIRED);
my $query = Bugzilla::Search::Saved->check(
- { user => $sharer_id, name => $name });
+ { user => $sharer_id, name => $name, _error => 'missing_query' });
$query->url
|| ThrowUserError("buglist_parameters_required");
@@ -466,6 +466,8 @@ elsif (($cmdtype eq "doit") && defined $cgi->param('remtype')) {
$user = Bugzilla->login(LOGIN_REQUIRED);
my $token = $cgi->param('token');
check_hash_token($token, ['searchknob']);
+ $buffer = $params->canonicalise_query('cmdtype', 'remtype',
+ 'query_based_on', 'token');
InsertNamedQuery(DEFAULT_QUERY_NAME, $buffer);
$vars->{'message'} = "buglist_new_default_query";
}
diff --git a/docs/en/xml/Bugzilla-Guide.xml b/docs/en/xml/Bugzilla-Guide.xml
index d00055aa9..1ed72f64a 100644
--- a/docs/en/xml/Bugzilla-Guide.xml
+++ b/docs/en/xml/Bugzilla-Guide.xml
@@ -32,9 +32,9 @@
For a devel release, simple bump bz-ver and bz-date
-->
-<!ENTITY bz-ver "4.2.2">
+<!ENTITY bz-ver "4.2.3">
<!ENTITY bz-nextver "4.4">
-<!ENTITY bz-date "2012-07-26">
+<!ENTITY bz-date "2012-08-30">
<!ENTITY current-year "2012">
<!ENTITY landfillbase "http://landfill.bugzilla.org/bugzilla-4.2-branch/">
diff --git a/js/custom-search.js b/js/custom-search.js
index 0ee7d2488..73897035d 100644
--- a/js/custom-search.js
+++ b/js/custom-search.js
@@ -146,7 +146,15 @@ function fix_query_string(form_member) {
return;
var form = YAHOO.util.Dom.getAncestorByTagName(form_member, 'form');
+ // Disable the token field so setForm doesn't include it
+ var reenable_token = false;
+ if (form['token'] && !form['token'].disabled) {
+ form['token'].disabled = true;
+ reenable_token = true;
+ }
var query = YAHOO.util.Connect.setForm(form);
+ if (reenable_token)
+ form['token'].disabled = false;
window.History.replaceState(null, document.title, '?' + query);
}
diff --git a/skins/contrib/Dusk/global.css b/skins/contrib/Dusk/global.css
index e1f8afda1..33f28965c 100644
--- a/skins/contrib/Dusk/global.css
+++ b/skins/contrib/Dusk/global.css
@@ -34,8 +34,8 @@ body, td, th, input {
/* page title */
#titles {
- -moz-border-radius-topleft: 5px;
- -moz-border-radius-topright: 5px;
+ border-top-left-radius: 5px;
+ border-top-right-radius: 5px;
}
#header .links, #footer {
@@ -44,8 +44,8 @@ body, td, th, input {
}
#header {
- -moz-border-radius-bottomleft: 5px;
- -moz-border-radius-bottomright: 5px;
+ border-bottom-left-radius: 5px;
+ border-bottom-right-radius: 5px;
border: none;
}
@@ -65,7 +65,7 @@ body, td, th, input {
border: 1px solid #747e93;
padding: 10px;
font-size: 10pt;
- -moz-border-radius: 5px;
+ border-radius: 5px;
}
a {
@@ -178,7 +178,7 @@ hr {
#footer {
border: 1px solid #747e93;
width: 100%;
- -moz-border-radius: 5px;
+ border-radius: 5px;
}
#footer #links-actions,
diff --git a/skins/standard/global.css b/skins/standard/global.css
index f95d4e644..f50ccd02d 100644
--- a/skins/standard/global.css
+++ b/skins/standard/global.css
@@ -55,8 +55,8 @@
border-left: 1px solid #747E93;
border-right: 1px solid #747E93;
border-bottom: 1px solid #747E93;
- -moz-border-radius-bottomleft: 5px;
- -moz-border-radius-bottomright: 5px;
+ border-bottom-left-radius: 5px;
+ border-bottom-right-radius: 5px;
padding: 0.5em;
}
@@ -105,8 +105,8 @@
width: 100%;
background-color: #404D6C;
color: #fff;
- -moz-border-radius-topleft: 5px;
- -moz-border-radius-topright: 5px;
+ border-top-left-radius: 5px;
+ border-top-right-radius: 5px;
font-size: 110%;
margin: 0;
padding: 0.5em;
diff --git a/skins/standard/show_bug.css b/skins/standard/show_bug.css
index 99c0b405e..8214ce5f4 100644
--- a/skins/standard/show_bug.css
+++ b/skins/standard/show_bug.css
@@ -2,7 +2,7 @@
margin: 8px 0;
padding: 0.3em;
background-color: rgb(208, 208, 208);
- -moz-border-radius: 0.5em;
+ border-radius: 0.5em;
font-size: 125%;
font-weight: bold;
}
diff --git a/template/en/default/account/auth/login-small.html.tmpl b/template/en/default/account/auth/login-small.html.tmpl
index 606e5c32e..6b41c17e3 100644
--- a/template/en/default/account/auth/login-small.html.tmpl
+++ b/template/en/default/account/auth/login-small.html.tmpl
@@ -36,8 +36,8 @@
[% IF cgi.request_method == "GET" AND cgi.query_string %]
[% connector = "&" %]
[% END %]
- [% script_name = login_target _ connector _ "GoAheadAndLogIn=1" %]
- <a id="login_link[% qs_suffix %]" href="[% script_name FILTER html %]"
+ [% script_url = login_target _ connector _ "GoAheadAndLogIn=1" %]
+ <a id="login_link[% qs_suffix %]" href="[% script_url FILTER html %]"
onclick="return show_mini_login_form('[% qs_suffix %]')">Log In</a>
[% Hook.process('additional_methods') %]
@@ -116,7 +116,7 @@
</li>
<li id="forgot_container[% qs_suffix %]">
<span class="separator">| </span>
- <a id="forgot_link[% qs_suffix %]" href="[% script_name FILTER html %]#forgot"
+ <a id="forgot_link[% qs_suffix %]" href="[% script_url FILTER html %]#forgot"
onclick="return show_forgot_form('[% qs_suffix %]')">Forgot Password</a>
<form action="token.cgi" method="post" id="forgot_form[% qs_suffix %]"
class="mini_forgot bz_default_hidden">
@@ -125,6 +125,7 @@
<input id="forgot_button[% qs_suffix %]" value="Reset Password"
type="submit">
<input type="hidden" name="a" value="reqpw">
+ <input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
<a href="#" onclick="return hide_forgot_form('[% qs_suffix %]')">[x]</a>
</form>
</li>
diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl
index ec8c11e24..0aac403a5 100644
--- a/template/en/default/account/auth/login.html.tmpl
+++ b/template/en/default/account/auth/login.html.tmpl
@@ -115,6 +115,7 @@
enter your email address below and submit a request
to change your password.<br>
<input size="35" name="loginname">
+ <input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
<input type="submit" id="request" value="Reset Password">
</form>
[% END %]
diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index ff2620589..99f06ec9d 100644
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -153,7 +153,6 @@
'list/table.html.tmpl' => [
'tableheader',
'bug.bug_id',
- 'abbrev.$id.title || field_descs.$id || column.title',
],
'list/list.csv.tmpl' => [
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index f448ee4d4..b3257cea5 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1179,7 +1179,7 @@
[% title = "Missing Search" %]
[% docslinks = {'query.html' => "Searching for $terms.bugs",
'query.html#list' => "$terms.Bug lists"} %]
- The search named <em>[% queryname FILTER html %]</em>
+ The search named <em>[% name FILTER html %]</em>
[% IF sharer_id && sharer_id != user.id %]
has not been made visible to you.
[% ELSE %]
diff --git a/template/en/default/list/table.html.tmpl b/template/en/default/list/table.html.tmpl
index c2964f17c..547a9cbe3 100644
--- a/template/en/default/list/table.html.tmpl
+++ b/template/en/default/list/table.html.tmpl
@@ -139,7 +139,7 @@
[% PROCESS new_order %]
[%-#%]&amp;query_based_on=
[% defaultsavename OR searchname FILTER uri %]">
- [%- abbrev.$id.title || field_descs.$id || column.title -%]
+ [%- abbrev.$id.title || field_descs.$id || column.title FILTER html -%]
[% PROCESS order_arrow ~%]
</a>
</th>
diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl
index 11c5d5460..35963148a 100644
--- a/template/en/default/pages/release-notes.html.tmpl
+++ b/template/en/default/pages/release-notes.html.tmpl
@@ -53,6 +53,44 @@
<h2 id="v42_point">Updates in this 4.2.x Release</h2>
+<h3>4.2.3</h3>
+
+<p>This release fixes two security issues. See the
+ <a href="http://www.bugzilla.org/security/3.6.10/">Security Advisory</a>
+ for details.</p>
+
+<p>In addition, the following important fixes/changes have been made in this
+ release:</p>
+
+<ul>
+ <li>Attaching a file to [% terms.abug %] was broken due to a change in
+ Perl 5.16.
+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=771100">[% terms.Bug %] 771100</a>)</li>
+ <li>A regression in [% terms.Bugzilla %] 4.2.2 made Oracle crash when
+ displaying a buglist.
+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=780028">[% terms.Bug %] 780028</a>)</li>
+ <li>It was possible to search on history for comments and attachments you
+ cannot see (though these private comments and attachments are never disclosed).
+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=779709">[% terms.Bug %] 779709</a>)</li>
+ <li>PostgreSQL databases could be created with the wrong encoding despite
+ the utf8 parameter being enabled.
+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=783786">[% terms.Bug %] 783786</a>)</li>
+ <li>Scheduled whines could be sent at the wrong time on Oracle.
+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=559539">[% terms.Bug %] 559539</a>)</li>
+ <li>Tokens are no longer included in saved queries.
+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=772953">[% terms.Bug %] 772953</a>)</li>
+ <li>An admin could unintentionally break the display of buglists if a custom
+ field description contains a &lt; or &gt; character, because these characters
+ were not filtered.
+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=785917">[% terms.Bug %] 785917</a>)</li>
+ <li>Adding or removing a DB column in Oracle didn't handle SERIAL columns
+ correctly.
+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=731156">[% terms.Bug %] 731156</a>)</li>
+ <li>A minor CSRF vulnerability in token.cgi allowed possible unauthorized
+ password reset e-mail requests.
+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=706271">[% terms.Bug %] 706271</a>)</li>
+</ul>
+
<h3>4.2.2</h3>
<p>This release fixes two security issues. See the
@@ -432,6 +470,9 @@
[%- terms.Bug %] 584742</a>: When viewing [% terms.abug %], WebKit-based
browsers can automatically reset a field's selected value when the field
has disabled values.</li>
+ <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=780053">
+ [%- terms.Bug %] 780053</a>: Oracle crashes when listing keywords, tags
+ or flags in buglists.</li>
</ul>
diff --git a/template/en/default/search/search-advanced.html.tmpl b/template/en/default/search/search-advanced.html.tmpl
index 2236bf5d2..780d54edd 100644
--- a/template/en/default/search/search-advanced.html.tmpl
+++ b/template/en/default/search/search-advanced.html.tmpl
@@ -31,12 +31,11 @@
[% js_data = BLOCK %]
-var queryform = "queryform"
-
+var queryform = "queryform";
function remove_token() {
- var asDefault = document.getElementById('remasdefault');
- if (queryform.token && asDefault && !asDefault.checked) {
- queryform.token.value = '';
+ if (queryform.token) {
+ var asDefault = document.getElementById('remasdefault');
+ queryform.token.disabled = !asDefault.checked;
}
}
[% END %]
diff --git a/token.cgi b/token.cgi
index fa262e76a..20870159a 100755
--- a/token.cgi
+++ b/token.cgi
@@ -108,6 +108,11 @@ if ( $action eq 'reqpw' ) {
ThrowUserError("password_change_requests_not_allowed");
}
+ # Check the hash token to make sure this user actually submitted
+ # the forgotten password form.
+ my $token = $cgi->param('token');
+ check_hash_token($token, ['reqpw']);
+
validate_email_syntax($login_name)
|| ThrowUserError('illegal_email_address', {addr => $login_name});