Merge from bugzilla/4.2

7 files changed, 52 insertions, 11 deletions

diff --git a/template/en/default/account/auth/login-small.html.tmpl b/template/en/default/account/auth/login-small.html.tmpl
index 606e5c32e..6b41c17e3 100644
--- a/template/en/default/account/auth/login-small.html.tmpl
+++ b/template/en/default/account/auth/login-small.html.tmpl
@@ -36,8 +36,8 @@
   [% IF cgi.request_method == "GET" AND cgi.query_string %]
     [% connector = "&" %]
   [% END %]
-  [% script_name = login_target _ connector _ "GoAheadAndLogIn=1" %]
-  <a id="login_link[% qs_suffix %]" href="[% script_name FILTER html %]"
+  [% script_url = login_target _ connector _ "GoAheadAndLogIn=1" %]
+  <a id="login_link[% qs_suffix %]" href="[% script_url FILTER html %]"
      onclick="return show_mini_login_form('[% qs_suffix %]')">Log In</a>
 
   [% Hook.process('additional_methods') %]
@@ -116,7 +116,7 @@
 </li>
 <li id="forgot_container[% qs_suffix %]">
   <span class="separator">| </span>
-  <a id="forgot_link[% qs_suffix %]" href="[% script_name FILTER html %]#forgot"
+  <a id="forgot_link[% qs_suffix %]" href="[% script_url FILTER html %]#forgot"
      onclick="return show_forgot_form('[% qs_suffix %]')">Forgot Password</a>
   <form action="token.cgi" method="post" id="forgot_form[% qs_suffix %]"
         class="mini_forgot bz_default_hidden">
@@ -125,6 +125,7 @@
     <input id="forgot_button[% qs_suffix %]" value="Reset Password" 
            type="submit">
     <input type="hidden" name="a" value="reqpw">
+    <input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
     <a href="#" onclick="return hide_forgot_form('[% qs_suffix %]')">[x]</a>
   </form>
 </li>
diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl
index ec8c11e24..0aac403a5 100644
--- a/template/en/default/account/auth/login.html.tmpl
+++ b/template/en/default/account/auth/login.html.tmpl
@@ -115,6 +115,7 @@
       enter your email address below and submit a request
       to change your password.<br>
       <input size="35" name="loginname">
+      <input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
       <input type="submit" id="request" value="Reset Password">
     </form>
   [% END %]
diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index ff2620589..99f06ec9d 100644
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -153,7 +153,6 @@
 'list/table.html.tmpl' => [
   'tableheader',
   'bug.bug_id', 
-  'abbrev.$id.title || field_descs.$id || column.title',
 ],
 
 'list/list.csv.tmpl' => [
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index f448ee4d4..b3257cea5 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1179,7 +1179,7 @@
     [% title = "Missing Search" %]
     [% docslinks = {'query.html' => "Searching for $terms.bugs",
                     'query.html#list' => "$terms.Bug lists"} %]
-    The search named <em>[% queryname FILTER html %]</em>
+    The search named <em>[% name FILTER html %]</em>
     [% IF sharer_id && sharer_id != user.id %]
       has not been made visible to you.
     [% ELSE %]
diff --git a/template/en/default/list/table.html.tmpl b/template/en/default/list/table.html.tmpl
index c2964f17c..547a9cbe3 100644
--- a/template/en/default/list/table.html.tmpl
+++ b/template/en/default/list/table.html.tmpl
@@ -139,7 +139,7 @@
       [% PROCESS new_order %]
       [%-#%]&amp;query_based_on=
       [% defaultsavename OR searchname FILTER uri %]">
-        [%- abbrev.$id.title || field_descs.$id || column.title -%]
+        [%- abbrev.$id.title || field_descs.$id || column.title FILTER html -%]
         [% PROCESS order_arrow ~%]
     </a>
   </th>
diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl
index 11c5d5460..35963148a 100644
--- a/template/en/default/pages/release-notes.html.tmpl
+++ b/template/en/default/pages/release-notes.html.tmpl
@@ -53,6 +53,44 @@
 
 <h2 id="v42_point">Updates in this 4.2.x Release</h2>
 
+<h3>4.2.3</h3>
+
+<p>This release fixes two security issues. See the
+  <a href="http://www.bugzilla.org/security/3.6.10/">Security Advisory</a>
+  for details.</p>
+
+<p>In addition, the following important fixes/changes have been made in this
+  release:</p>
+
+<ul>
+  <li>Attaching a file to [% terms.abug %] was broken due to a change in
+    Perl 5.16.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=771100">[% terms.Bug %] 771100</a>)</li>
+  <li>A regression in [% terms.Bugzilla %] 4.2.2 made Oracle crash when
+    displaying a buglist.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=780028">[% terms.Bug %] 780028</a>)</li>
+  <li>It was possible to search on history for comments and attachments you
+    cannot see (though these private comments and attachments are never disclosed).
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=779709">[% terms.Bug %] 779709</a>)</li>
+  <li>PostgreSQL databases could be created with the wrong encoding despite
+    the utf8 parameter being enabled.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=783786">[% terms.Bug %] 783786</a>)</li>
+  <li>Scheduled whines could be sent at the wrong time on Oracle.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=559539">[% terms.Bug %] 559539</a>)</li>
+  <li>Tokens are no longer included in saved queries.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=772953">[% terms.Bug %] 772953</a>)</li>
+  <li>An admin could unintentionally break the display of buglists if a custom
+    field description contains a &lt; or &gt; character, because these characters
+    were not filtered.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=785917">[% terms.Bug %] 785917</a>)</li>
+  <li>Adding or removing a DB column in Oracle didn't handle SERIAL columns
+    correctly.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=731156">[% terms.Bug %] 731156</a>)</li>
+  <li>A minor CSRF vulnerability in token.cgi allowed possible unauthorized
+    password reset e-mail requests.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=706271">[% terms.Bug %] 706271</a>)</li>
+</ul>
+
 <h3>4.2.2</h3>
 
 <p>This release fixes two security issues. See the
@@ -432,6 +470,9 @@
     [%- terms.Bug %] 584742</a>: When viewing [% terms.abug %], WebKit-based
     browsers can automatically reset a field's selected value when the field
     has disabled values.</li>
+  <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=780053">
+    [%- terms.Bug %] 780053</a>: Oracle crashes when listing keywords, tags
+    or flags in buglists.</li>
 </ul>
 
 
diff --git a/template/en/default/search/search-advanced.html.tmpl b/template/en/default/search/search-advanced.html.tmpl
index 2236bf5d2..780d54edd 100644
--- a/template/en/default/search/search-advanced.html.tmpl
+++ b/template/en/default/search/search-advanced.html.tmpl
@@ -31,12 +31,11 @@
 
 
 [% js_data = BLOCK %]
-var queryform = "queryform"
-
+var queryform = "queryform";
 function remove_token() {
-  var asDefault = document.getElementById('remasdefault');
-  if (queryform.token && asDefault && !asDefault.checked) {
-    queryform.token.value = '';
+  if (queryform.token) {
+    var asDefault = document.getElementById('remasdefault');
+    queryform.token.disabled = !asDefault.checked;
   }
 }
 [% END %]