-rw-r--r-- | Bugzilla/Constants.pm | 2 |
-rw-r--r-- | Bugzilla/Template.pm | 11 |
-rw-r--r-- | docs/en/xml/Bugzilla-Guide.xml | 6 |
-rw-r--r-- | template/en/default/email/bugmail.txt.tmpl | 2 |
-rw-r--r-- | template/en/default/pages/release-notes.html.tmpl | 31 |
-rw-r--r-- | template/en/default/request/email.txt.tmpl | 2 |
6 files changed, 48 insertions, 6 deletions
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index b7038505a..b8d1a2260 100644 --- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -212,7 +212,7 @@ use Memoize; # CONSTANTS # # Bugzilla version -use constant BUGZILLA_VERSION => "4.2.7+"; +use constant BUGZILLA_VERSION => "4.2.8+"; # Location of the remote and local XML files to track new releases. use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml'; diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index fdeda165c..b1bea78e5 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -671,6 +671,17 @@ sub create { my ($data) = @_; return encode_base64($data); }, + + # Strips out control characters excepting whitespace + strip_control_chars => sub { + my ($data) = @_; + # Only run for utf8 to avoid issues with other multibyte encodings + # that may be reassigning meaning to ascii characters. + if (Bugzilla->params->{'utf8'}) { + $data =~ s/(?![\t\r\n])[[:cntrl:]]//g; + } + return $data; + }, # HTML collapses newlines in element attributes to a single space, # so form elements which may have whitespace (ie comments) need diff --git a/docs/en/xml/Bugzilla-Guide.xml b/docs/en/xml/Bugzilla-Guide.xml index d2079630f..a12a0239b 100644 --- a/docs/en/xml/Bugzilla-Guide.xml +++ b/docs/en/xml/Bugzilla-Guide.xml @@ -32,10 +32,10 @@ For a devel release, simple bump bz-ver and bz-date --> -<!ENTITY bz-ver "4.2.7"> +<!ENTITY bz-ver "4.2.8+"> <!ENTITY bz-nextver "4.4"> -<!ENTITY bz-date "2013-10-16"> -<!ENTITY current-year "2013"> +<!ENTITY bz-date "2014-04-17"> +<!ENTITY current-year "2014"> <!ENTITY landfillbase "http://landfill.bugzilla.org/bugzilla-4.2-branch/"> <!ENTITY bz "http://www.bugzilla.org/"> diff --git a/template/en/default/email/bugmail.txt.tmpl b/template/en/default/email/bugmail.txt.tmpl index fed0565c7..525070d99 100644 --- a/template/en/default/email/bugmail.txt.tmpl +++ b/template/en/default/email/bugmail.txt.tmpl 
@@ -32,7 +32,7 @@ [%- IF comment.count %] --- Comment #[% comment.count %] from [% comment.author.identity %] --- [% END %] -[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) %] +[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) FILTER strip_control_chars %] [% END %] [% IF referenced_bugs.size %] diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl index ebc08afb1..c91dd77a7 100644 --- a/template/en/default/pages/release-notes.html.tmpl +++ b/template/en/default/pages/release-notes.html.tmpl 
@@ -53,6 +53,37 @@ <h2 id="v42_point">Updates in this 4.2.x Release</h2> +<h3>4.2.8</h3> + +<p>This release fixes one minor security issue. See the + <a href="http://www.bugzilla.org/security/4.0.11/">Security Advisory</a> + for details.</p> + +<p>In addition, the following [% terms.bugs %] have been fixed in this release:</p> + +<ul> + <li><kbd>checksetup.pl</kbd> was incorrectly reporting DBI 1.630 (1.63) as + being older than 1.614, preventing the upgrade to complete. + If you still use Perl 5.10.0 or older, make sure you have the + <a href="http://search.cpan.org/~jpeacock/version/lib/version.pod">version</a> + module installed before running <kbd>checksetup.pl</kbd>. + If you use Perl 5.10.1 or newer, this module is already available and + no special action is required. + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=938300">[% terms.Bug %] 938300</a>)</li> + <li><kbd>checksetup.pl</kbd> no longer fails with "Invalid version format (non-numeric data)" + when a Perl module contains an invalid version number. + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=781672">[% terms.Bug %] 781672</a>)</li> + <li>The PROJECT environment variable is now correctly taken into account + when mod_perl is enabled (this variable allows several installations to + share the same codebase). + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=843457">[% terms.Bug %] 843457</a>)</li> + <li>[% terms.Bugzilla %] no longer crashes when the <kbd>shutdownhtml</kbd> + parameter is set and using a non-cookie based authentication method. + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=748095">[% terms.Bug %] 748095</a>)</li> + <li>The default date and time format used for SQLite has been fixed. + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=938161">[% terms.Bug %] 938161</a>)</li> +</ul> + <h3>4.2.7</h3> <p>This release fixes several security issues. See the 
diff --git a/template/en/default/request/email.txt.tmpl b/template/en/default/request/email.txt.tmpl index f05059c1a..17ab12431 100644 --- a/template/en/default/request/email.txt.tmpl +++ b/template/en/default/request/email.txt.tmpl @@ -89,7 +89,7 @@ Attachment [% attidsummary %] [%-# .defined is necessary to avoid a taint issue in Perl < 5.10.1, see bug 509794. %] [% IF Bugzilla.cgi.param("comment").defined && Bugzilla.cgi.param("comment").length > 0 %] ------- Additional Comments from [% user.identity %] -[%+ Bugzilla.cgi.param("comment") %] +[%+ Bugzilla.cgi.param("comment") FILTER strip_control_chars %] [% END %] [%- END %] |
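Review bot: In Bugzilla/Template.pm, strip_control_chars returns $data unchanged whenever the utf8 parameter is off, so on those installations the two email templates that now call the filter still emit control characters. The in-code comment explains why the substitution is skipped, but not that the filter is then a no-op; please say so in the comment so that callers do not assume the output is always clean. Separately, the header comment says "excepting whitespace" while the lookahead `(?![\t\r\n])` keeps only tab, CR and LF, so form feed and vertical tab are stripped; wording it as "except tab, CR and LF" would match the regex.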
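Review bot: In docs/en/xml/Bugzilla-Guide.xml, bz-ver changes from "4.2.7" to "4.2.8+", so the entity gains a "+" suffix that the previous value did not carry, while BUGZILLA_VERSION in Constants.pm had the suffix both before and after. Please confirm the "+" is intended in the documentation entity, since the same hunk also sets bz-date to a release date.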
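Review bot: In template/en/default/pages/release-notes.html.tmpl, the 4.2.8 entry does not mention that the fix is applied through a new `FILTER strip_control_chars` in email/bugmail.txt.tmpl and request/email.txt.tmpl. Sites that carry customized copies of those two templates will not pick up the filter on upgrade, so a sentence telling administrators to add it to their custom templates would help. Also, the advisory link under the 4.2.8 heading points at security/4.0.11/; worth a quick check that this is the advisory that covers the 4.2 branch.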
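Review bot: In template/en/default/request/email.txt.tmpl, the surrounding IF still tests `Bugzilla.cgi.param("comment").length > 0` on the unfiltered value, while only the output line applies `FILTER strip_control_chars`. A comment made up entirely of control characters passes the length check and produces the "Additional Comments from" header followed by an empty body. Consider filtering the value once into a local variable and using that for both the test and the output.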