From 67b98255f72cc42f7efbd832e15f39ba1376d99a Mon Sep 17 00:00:00 2001 From: Byron Jones Date: Tue, 15 Nov 2011 16:13:10 +0800 Subject: Bug 702208: TheSchwartz should not open a new db connection for each email r=mkanat, a=mkanat --- Bugzilla/JobQueue.pm | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Bugzilla/JobQueue.pm b/Bugzilla/JobQueue.pm index 2804b9179..7ea678345 100644 --- a/Bugzilla/JobQueue.pm +++ b/Bugzilla/JobQueue.pm @@ -35,6 +35,11 @@ use constant JOB_MAP => { send_mail => 'Bugzilla::Job::Mailer', }; +# Without a driver cache TheSchwartz opens a new database connection +# for each email it sends. This cached connection doesn't persist +# across requests. +use constant DRIVER_CACHE_TIME => 300; # 5 minutes + sub job_map { if (!defined(Bugzilla->request_cache->{job_map})) { my $job_map = JOB_MAP; @@ -62,6 +67,7 @@ sub new { pass => $lc->{db_pass}, prefix => 'ts_', }], + driver_cache_expiration => DRIVER_CACHE_TIME, ); return $self; -- cgit v1.2.3-24-g4f1b From a9fcd866bede799a2527d9630ce56e8980ebdcac Mon Sep 17 00:00:00 2001 From: Michael Ching Date: Thu, 17 Nov 2011 22:23:08 +0100 Subject: Bug 544434: describecomponents.cgi only lists enterable products. r=Wurblzap, a=LpSolit --- describecomponents.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/describecomponents.cgi b/describecomponents.cgi index 744501bbd..ee1361284 100755 --- a/describecomponents.cgi +++ b/describecomponents.cgi @@ -46,7 +46,7 @@ my $product = new Bugzilla::Product({'name' => $product_name}); unless ($product && $user->can_access_product($product->name)) { # Products which the user is allowed to see. - my @products = @{$user->get_enterable_products}; + my @products = @{$user->get_accessible_products}; if (scalar(@products) == 0) { ThrowUserError("no_products"); -- cgit v1.2.3-24-g4f1b From 31009dd4d8c9f1462d3026e04095c8befc307fd2 Mon Sep 17 00:00:00 2001 
From: Gervase Markham Date: Fri, 18 Nov 2011 10:15:43 +0000 Subject: Make Login/Stack.pm refuse to continue down the stack if an Auth method returns an explicit failure. r=dkl, a=mkanat. https://bugzilla.mozilla.org/show_bug.cgi?id=698423 --- Bugzilla/Auth/Login/Stack.pm | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Bugzilla/Auth/Login/Stack.pm b/Bugzilla/Auth/Login/Stack.pm index 0f3661954..e8d9c4635 100644 --- a/Bugzilla/Auth/Login/Stack.pm +++ b/Bugzilla/Auth/Login/Stack.pm @@ -28,6 +28,7 @@ use fields qw( ); use Hash::Util qw(lock_keys); use Bugzilla::Hook; +use Bugzilla::Constants; use List::MoreUtils qw(any); sub new { @@ -60,8 +61,13 @@ sub get_login_info { } $result = $object->get_login_info(@_); $self->{successful} = $object; - last if !$result->{failure}; - # So that if none of them succeed, it's undef. + + # We only carry on down the stack if this method denied all knowledge. + last unless ($result->{failure} + && ($result->{failure} eq AUTH_NODATA + || $result->{failure} eq AUTH_NO_SUCH_USER)); + + # If none of the methods succeed, it's undef. $self->{successful} = undef; } return $result; -- cgit v1.2.3-24-g4f1b From f8b6853ab1255b24804dd9b8fdff7d7972e614f6 Mon Sep 17 00:00:00 2001 From: Tiago Mello Date: Fri, 18 Nov 2011 15:35:55 -0200 Subject: Bug 643411: New default bug limit makes time summary results confusing r/a=mkanat --- template/en/default/list/list.html.tmpl | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl index 28540cdc0..29b0532d0 100644 --- a/template/en/default/list/list.html.tmpl +++ b/template/en/default/list/list.html.tmpl @@ -187,6 +187,14 @@ + [% IF time_summary_limited %] + + Time Summary will only include the bugs shown above. In order to + to see a time summary for all bugs found by the search, you can + + Show all search results. + [% END %] [% END %] 
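Review bot: After the new `last unless (...)`, an explicit failure (any `$result->{failure}` other than AUTH_NODATA or AUTH_NO_SUCH_USER) now leaves `$self->{successful}` pointing at the method that rejected the login, because `$self->{successful} = $object;` is assigned unconditionally before the failure is examined and the reset to undef sits below the `last`. Before this change `last` only fired on success, so the trailing `# If none of the methods succeed, it's undef.` comment held; it no longer does for the failures that now stop the loop. Whether a caller reads `successful` after a failed login is not visible here, but the field should not name a method that authenticated nobody; `$self->{successful} = $result->{failure} ? undef : $object;` in place of the unconditional assignment keeps the invariant however the loop exits. get_login_info starts before this hunk.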
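Review bot: The added sentence reads `In order to to see a time summary` with a doubled "to"; the wrapped lines should be `Time Summary will only include the bugs shown above. In order` and `to see a time summary for all bugs found by the search, you can`. The same duplicate survives in the follow-up "Fix bustage" commit below, which rewraps these two lines but keeps `In order to to see`. The surrounding markup has been stripped in this rendering, so I cannot tell whether `time_summary_limited`, assigned near line 304 in the second hunk, is set before this IF near line 187 is evaluated; if the template is rendered top to bottom in a single pass the block would never display, which is worth confirming.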
@@ -296,6 +304,7 @@ See all search results for this query. + [% time_summary_limited = 1 %] [% ELSIF bugs.size == 1 %] One [% terms.bug %] found. [% ELSE %] -- cgit v1.2.3-24-g4f1b From 242862cac73f0537e8b92f9bf6841c0e3179cf2b Mon Sep 17 00:00:00 2001 From: Tiago Mello Date: Fri, 18 Nov 2011 15:52:49 -0200 Subject: Fix bustage due to bug 643411. --- template/en/default/list/list.html.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl index 29b0532d0..27d1eb027 100644 --- a/template/en/default/list/list.html.tmpl +++ b/template/en/default/list/list.html.tmpl @@ -189,8 +189,8 @@ [% IF time_summary_limited %] - Time Summary will only include the bugs shown above. In order to - to see a time summary for all bugs found by the search, you can + Time Summary will only include the [% terms.bugs %] shown above. In order to + to see a time summary for all [% terms.bugs %] found by the search, you can Show all search results. -- cgit v1.2.3-24-g4f1b From 3972541751851348ee9895c841cfc9ff2919a608 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Sat, 19 Nov 2011 01:00:50 +0100 Subject: Bug 703788: Improve performance of diff_arrays() with large arrays r/a=mkanat --- Bugzilla/Util.pm | 55 +++++++++++++++++++++++++++++-------------------------- t/007util.t | 17 +++++++++++++++-- 2 files changed, 44 insertions(+), 28 deletions(-) diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index ac6848bfa..b3f8a1ce0 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm 
@@ -308,36 +308,39 @@ sub use_attachbase { sub diff_arrays { my ($old_ref, $new_ref, $attrib) = @_; - - my @old = @$old_ref; - my @new = @$new_ref; $attrib ||= 'name'; - # For each pair of (old, new) entries: - # If object arrays were passed then an attribute should be defined; - # If they're equal, set them to empty. When done, @old contains entries - # that were removed; @new contains ones that got added. - foreach my $oldv (@old) { - foreach my $newv (@new) { - next if ($newv eq '' or $oldv eq ''); - if (blessed($oldv) and blessed($newv)) { - if ($oldv->$attrib eq $newv->$attrib) { - $newv = $oldv = ''; - } - } - else { - if ($oldv eq $newv) { - $newv = $oldv = '' - } - } - } + my (%counts, %pos); + # We are going to alter the old array. + my @old = @$old_ref; + my $i = 0; + + # $counts{foo}-- means old, $counts{foo}++ means new. + # If $counts{foo} becomes positive, then we are adding new items, + # else we simply cancel one old existing item. Remaining items + # in the old list have been removed. + foreach (@old) { + next unless defined $_; + my $value = blessed($_) ? $_->$attrib : $_; + $counts{$value}--; + push @{$pos{$value}}, $i++; } - - my @removed; my @added; - @removed = grep { $_ ne '' } @old; - @added = grep { $_ ne '' } @new; - + foreach (@$new_ref) { + next unless defined $_; + my $value = blessed($_) ? $_->$attrib : $_; + if (++$counts{$value} > 0) { + # Ignore empty strings, but objects having an empty string + # as attribute are fine. + push(@added, $_) unless ($value eq '' && !blessed($_)); + } + else { + my $old_pos = shift @{$pos{$value}}; + $old[$old_pos] = undef; + } + } + # Ignore cancelled items as well as empty strings. + my @removed = grep { defined $_ && $_ ne '' } @old; return (\@removed, \@added); } diff --git a/t/007util.t b/t/007util.t index 742c2b2d2..b32a1b90c 100644 --- a/t/007util.t +++ b/t/007util.t @@ -18,7 +18,7 @@ # # Contributor(s): Zach Lipton # Max Kanat-Alexander - +# Frédéric Buclin ################# #Bugzilla Test 7# 
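Review bot: In the loop over `@old`, `$i` is only advanced by `push @{$pos{$value}}, $i++;`, which runs after `next unless defined $_;`, so once an undef entry is skipped every recorded position is off by one relative to the real index in `@old`. The later `$old[$old_pos] = undef;` then blanks the wrong slot: for old `(undef, 'a')` and new `('a')` the matched `'a'` survives the final grep and is reported as removed. Whether callers ever pass undef entries is not visible here, but the index should follow the array rather than the defined entries: `my $idx = $i++;` as the first statement of the loop body, ahead of the `next`, and `push @{$pos{$value}}, $idx;` in place of the `$i++` push. diff_arrays is contained entirely in this hunk.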
@@ -26,7 +26,7 @@ use lib 't'; use Support::Files; -use Test::More tests => 13; +use Test::More tests => 15; BEGIN { use_ok(Bugzilla); @@ -72,3 +72,16 @@ foreach my $input (keys %email_strings) { is(Bugzilla::Util::email_filter($input), $email_strings{$input}, "email_filter('$input')"); } + +# diff_arrays(): +my @old_array = qw(alpha beta alpha gamma gamma beta alpha delta epsilon gamma); +my @new_array = qw(alpha alpha beta gamma epsilon delta beta delta); +# The order is not relevant when comparing both arrays for matching items, +# i.e. (foo bar) and (bar foo) are the same arrays (same items). +# But when returning data, we try to respect the initial order. +# We remove the leftmost items first, and return what's left. This means: +# Removed (in this order): gamma alpha gamma. +# Added (in this order): delta +my ($removed, $added) = diff_arrays(\@old_array, \@new_array); +is_deeply($removed, [qw(gamma alpha gamma)], 'diff_array(\@old, \@new) (check removal)'); +is_deeply($added, [qw(delta)], 'diff_array(\@old, \@new) (check addition)'); -- cgit v1.2.3-24-g4f1b From f08fde0c271e6393a10aa0011b49613d26a31d33 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Sat, 19 Nov 2011 01:11:00 +0100 Subject: cancelled -> canceled https://bugzilla.mozilla.org/show_bug.cgi?id=703788 --- Bugzilla/Util.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index b3f8a1ce0..4c268552b 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -339,7 +339,7 @@ sub diff_arrays { $old[$old_pos] = undef; } } - # Ignore cancelled items as well as empty strings. + # Ignore canceled items as well as empty strings. my @removed = grep { defined $_ && $_ ne '' } @old; return (\@removed, \@added); } -- cgit v1.2.3-24-g4f1b From 4d99c123ee568e5a548968de8417ebc70a24efe4 Mon Sep 17 00:00:00 2001 
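Review bot: The two new test descriptions call the function `diff_array(\@old, \@new)` while the sub under test is `diff_arrays`, so a failing diagnostic would point at a name that does not exist; `'diff_arrays(\@old, \@new) (check removal)'` and the matching addition string fix that. The new cases exercise only plain strings, so the blessed-object branch selected by `$attrib` in Bugzilla::Util, and inputs containing undef or empty strings, remain untested here.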
From: Reed Loden Date: Mon, 21 Nov 2011 14:08:54 -0800 Subject: Bug 703983 - CSRF vulnerability in attachment.cgi allows possible unauthorized attachment creation [r=LpSolit a=LpSolit] --- attachment.cgi | 33 +++------------ .../attachment/cancel-create-dupe.html.tmpl | 48 ---------------------- 2 files changed, 5 insertions(+), 76 deletions(-) delete mode 100644 template/en/default/attachment/cancel-create-dupe.html.tmpl diff --git a/attachment.cgi b/attachment.cgi index 5eba13611..04bad37b3 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -501,7 +501,7 @@ sub enter { $vars->{'flag_types'} = $flag_types; $vars->{'any_flags_requesteeble'} = grep { $_->is_requestable && $_->is_requesteeble } @$flag_types; - $vars->{'token'} = issue_session_token('create_attachment:'); + $vars->{'token'} = issue_session_token('create_attachment'); print $cgi->header(); @@ -524,27 +524,7 @@ sub insert { # Detect if the user already used the same form to submit an attachment my $token = trim($cgi->param('token')); - if ($token) { - my ($creator_id, $date, $old_attach_id) = Bugzilla::Token::GetTokenData($token); - unless ($creator_id - && ($creator_id == $user->id) - && ($old_attach_id =~ "^create_attachment:")) - { - # The token is invalid. - ThrowUserError('token_does_not_exist'); - } - - $old_attach_id =~ s/^create_attachment://; - - if ($old_attach_id) { - $vars->{'bugid'} = $bugid; - $vars->{'attachid'} = $old_attach_id; - print $cgi->header(); - $template->process("attachment/cancel-create-dupe.html.tmpl", $vars) - || ThrowTemplateError($template->error()); - exit; - } - } + check_token_data($token, 'create_attachment', 'index.cgi'); # Check attachments the user tries to mark as obsolete. my @obsolete_attachments; 
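Review bot: The comment `# Detect if the user already used the same form to submit an attachment` above the new `check_token_data($token, 'create_attachment', 'index.cgi');` now describes the removed duplicate-submission flow rather than what the line does, which is the CSRF fix itself: the token is validated unconditionally, where the old `if ($token)` let a request with no token skip the check entirely. A reader of insert() would still take the check for a convenience, so rewording it to `# CSRF protection: the form must carry a valid 'create_attachment' session token.` keeps the intent visible. Resubmission is presumably still rejected because `delete_token($token)` in the next hunk consumes the token after the attachment is created, though what check_token_data does on a mismatch (throw, or redirect to index.cgi) is not visible in this diff. insert() starts before this hunk and continues past it.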
@@ -570,6 +550,9 @@ sub insert { mimetype => $content_type, }); + # Delete the token used to create this attachment. + delete_token($token); + foreach my $obsolete_attachment (@obsolete_attachments) { $obsolete_attachment->set_is_obsolete(1); $obsolete_attachment->update($timestamp); @@ -607,12 +590,6 @@ sub insert { } $bug->update($timestamp); - if ($token) { - trick_taint($token); - $dbh->do('UPDATE tokens SET eventdata = ? WHERE token = ?', undef, - ("create_attachment:" . $attachment->id, $token)); - } - $dbh->bz_commit_transaction; # Define the variables and functions that will be passed to the UI template. diff --git a/template/en/default/attachment/cancel-create-dupe.html.tmpl b/template/en/default/attachment/cancel-create-dupe.html.tmpl deleted file mode 100644 index 643a24ad8..000000000 --- a/template/en/default/attachment/cancel-create-dupe.html.tmpl +++ /dev/null @@ -1,48 +0,0 @@ -[%# The contents of this file are subject to the Mozilla Public - # License Version 1.1 (the "License"); you may not use this file - # except in compliance with the License. You may obtain a copy of - # the License at http://www.mozilla.org/MPL/ - # - # Software distributed under the License is distributed on an "AS - # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or - # implied. See the License for the specific language governing - # rights and limitations under the License. - # - # The Original Code is the Bugzilla Bug Tracking System. - # - # The Initial Developer of the Original Code is Olav Vitters. - # - # Contributor(s): Olav Vitters - # David Lawrence - #%] - -[%# INTERFACE: - # bugid: integer. ID of the bug report that this attachment relates to. - # attachid: integer. ID of the previous attachment recently created. - #%] - -[% PROCESS "global/field-descs.none.tmpl" %] - -[% PROCESS global/header.html.tmpl - title = "Already filed attachment" -%] - -[% USE Bugzilla %] - - - - - -
- - You already used the form to file - attachment [% attachid FILTER uri %]. - -
- -

- You can either - create a new attachment or [% "go back to $terms.bug $bugid" FILTER bug_link(bugid) FILTER none %]. -

- -[% PROCESS global/footer.html.tmpl %] -- cgit v1.2.3-24-g4f1b