From b7656f0a5deec13cd706c5fa364ec52e21b749b1 Mon Sep 17 00:00:00 2001 From: Simon Green Date: Thu, 11 Oct 2012 14:31:06 +0800 Subject: Bug 798994: Fix incorrect double escaping when displaying saved queries URLs r=glob, a=LpSolit --- template/en/default/global/user-error.html.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index 5536d9fd2..4269d693d 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1809,7 +1809,7 @@ [% FOREACH q = Bugzilla.user.queries %] [% IF q.name == namedcmd %] - or edit + or edit [% END %] [% END %] -- cgit v1.2.3-24-g4f1b From 938692bf09df0bce9dae7be72925bf2f1eb75dfe Mon Sep 17 00:00:00 2001 From: Koosha Khajeh Moogahi Date: Fri, 12 Oct 2012 19:51:50 +0200 Subject: Bug 793826: Prevent private web service methods from being called r=dkl a=LpSolit --- Bugzilla/WebService/Server.pm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Bugzilla/WebService/Server.pm b/Bugzilla/WebService/Server.pm index feb80e9d0..206f0c657 100644 --- a/Bugzilla/WebService/Server.pm +++ b/Bugzilla/WebService/Server.pm @@ -25,7 +25,9 @@ use Scalar::Util qw(blessed); sub handle_login { my ($self, $class, $method, $full_method) = @_; - ThrowCodeError('unknown_method', {method => $full_method}) if !$class; + # Throw error if the supplied class does not exist or the method is private + ThrowCodeError('unknown_method', {method => $full_method}) if (!$class or $method =~ /^_/); + eval "require $class"; ThrowCodeError('unknown_method', {method => $full_method}) if $@; return if ($class->login_exempt($method) -- cgit v1.2.3-24-g4f1b From af1cf8f17877c1705c8cac98e26c6838340379d6 Mon Sep 17 00:00:00 2001 
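Review bot: The new guard inspects only `$method`, while the string eval `eval "require $class";` on the following line still interpolates `$class` unvalidated; if `$class` is derived from the client-supplied method name (its derivation is outside this hunk), a value carrying Perl code or a path would be evaluated rather than merely failing to load. Validate the package name before the eval, e.g. `ThrowCodeError('unknown_method', {method => $full_method}) unless $class =~ /^[A-Za-z0-9_:]+$/;`. Extend the new comment to say that this underscore check is what keeps `_`-prefixed helpers out of the RPC surface, so no dispatcher may call a method without going through handle_login. The enclosing handle_login continues past the hunk.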
From: Simon Green Date: Fri, 12 Oct 2012 22:04:17 +0200 Subject: Bug 790129: Bugzilla->fields returns fields in random order (the sortkey is ignored) r/a=LpSolit --- Bugzilla.pm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Bugzilla.pm b/Bugzilla.pm index 65ddcc2bc..5b39e4c81 100644 --- a/Bugzilla.pm +++ b/Bugzilla.pm @@ -592,7 +592,8 @@ sub fields { } } - return $do_by_name ? \%requested : [values %requested]; + return $do_by_name ? \%requested + : [sort { $a->sortkey <=> $b->sortkey || $a->name cmp $b->name } values %requested]; } sub active_custom_fields { @@ -847,7 +848,7 @@ in a hashref: =item C If false (or not specified), this method will return an arrayref of -the requested fields. The order of the returned fields is random. +the requested fields. If true, this method will return a hashref of fields, where the keys are field names and the valules are L objects. -- cgit v1.2.3-24-g4f1b From 4e3a63930481bb032790766641f2101708bd4e83 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Fri, 12 Oct 2012 22:24:57 +0200 Subject: s/sortey/sortkey/g --- Bugzilla/FlagType.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm index 15d982744..811530c42 100644 --- a/Bugzilla/FlagType.pm +++ b/Bugzilla/FlagType.pm @@ -95,7 +95,7 @@ use constant VALIDATORS => { description => \&_check_description, cc_list => \&_check_cc_list, target_type => \&_check_target_type, - sortkey => \&_check_sortey, + sortkey => \&_check_sortkey, is_active => \&Bugzilla::Object::check_boolean, is_requestable => \&Bugzilla::Object::check_boolean, is_requesteeble => \&Bugzilla::Object::check_boolean, @@ -325,7 +325,7 @@ sub _check_target_type { return $target_type; } -sub _check_sortey { +sub _check_sortkey { my ($invocant, $sortkey) = @_; (detaint_natural($sortkey) && $sortkey <= MAX_SMALLINT) -- cgit v1.2.3-24-g4f1b From 8320e045f0ab24359e352412b88a3392e67b14e4 Mon Sep 17 00:00:00 2001 
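Review bot: The POD hunk deletes the sentence about random ordering but does not state the new contract the code hunk establishes, so callers still cannot rely on the order from the docs. Add after "the requested fields.": `The fields are sorted by sortkey, then by name, in ascending order.` A comment on the sort line should also note that the hashref form returned when `by_name` is true remains unordered, since only the arrayref branch gained the sort. The rest of `fields` is outside the hunk.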
From: Frédéric Buclin Date: Sat, 13 Oct 2012 23:22:21 +0200 Subject: Fix typo --- Bugzilla/WebService/Util.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm index adb7fb43a..fe4105ca2 100644 --- a/Bugzilla/WebService/Util.pm +++ b/Bugzilla/WebService/Util.pm @@ -143,7 +143,7 @@ a hash to L, C<0> otherwise. =head2 validate -This helps in the validation of parameters passed into the WebSerice +This helps in the validation of parameters passed into the WebService methods. Currently it converts listed parameters into an array reference if the client only passed a single scalar value. It modifies the parameters hash in place so other parameters should be unaltered. -- cgit v1.2.3-24-g4f1b From 6421ccd7f8c3a57b953fa23fbe87e900f8ae2359 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Sun, 14 Oct 2012 12:55:09 +0200 Subject: Bug 781314: The behavior of tags changed r=wicked a=LpSolit --- docs/en/xml/using.xml | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/docs/en/xml/using.xml b/docs/en/xml/using.xml index 3bf0558fc..bed776dd3 100644 --- a/docs/en/xml/using.xml +++ b/docs/en/xml/using.xml 
@@ -665,14 +665,10 @@ Adding/removing tags to/from bugs You can add and remove tags from individual bugs, which let you find and - manage them more easily. Creating a new tag automatically generates a saved - search - whose name is the name of the tag - which lists bugs with this tag. - This saved search will be displayed in the footer of pages by default, as - all other saved searches. The main difference between tags and normal saved - searches is that saved searches, as described in the previous section, are - stored in the form of a list of matching criteria, while the saved search - generated by tags is a list of bug numbers. Consequently, you can easily - edit this list by either adding or removing tags from bugs. To enable this + manage bugs more easily. Tags are per-user and so are only visible and editable + by the user who created them. You can then run queries using tags as a criteria, + either by using the Advanced Search form, or simply by typing "tag:my_tag_name" + in the QuickSearch box at the top (or bottom) of the page. To enable this feature, you have to turn on the Enable tags for bugs user preference, see . This feature is disabled by default. @@ -684,9 +680,7 @@ these bugs and mixing all these reasons, you can now store these bugs in separate lists, e.g. Keep in mind, Interesting bugs, or Triage. One big advantage of this way to manage bugs - is that you can easily add or remove bugs one by one, which is not - possible to do with saved searches without having to edit the search - criteria again. + is that you can easily add or remove tags from bugs one by one. -- cgit v1.2.3-24-g4f1b From 1b7e8f9cfffcd8344620a1013c20fee8355028a1 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Tue, 16 Oct 2012 11:10:54 +0200 Subject: Bug 799721: PostgreSQL 9.2 requires DBD::Pg 2.19.3 r=glob a=LpSolit --- Bugzilla/DB/Pg.pm | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
diff --git a/Bugzilla/DB/Pg.pm b/Bugzilla/DB/Pg.pm index b6be64011..4f818932b 100644 --- a/Bugzilla/DB/Pg.pm +++ b/Bugzilla/DB/Pg.pm @@ -215,11 +215,12 @@ sub bz_check_server_version { my $self = shift; my ($db) = @_; my $server_version = $self->SUPER::bz_check_server_version(@_); - my ($major_version) = $server_version =~ /^(\d+)/; - # Pg 9 requires DBD::Pg 2.17.2 in order to properly read bytea values. + my ($major_version, $minor_version) = $server_version =~ /^0*(\d+)\.0*(\d+)/; + # Pg 9.0 requires DBD::Pg 2.17.2 in order to properly read bytea values. + # Pg 9.2 requires DBD::Pg 2.19.3 as spclocation no longer exists. if ($major_version >= 9) { - local $db->{dbd}->{version} = '2.17.2'; - local $db->{name} = $db->{name} . ' 9+'; + local $db->{dbd}->{version} = ($minor_version >= 2) ? '2.19.3' : '2.17.2'; + local $db->{name} = $db->{name} . " ${major_version}.$minor_version"; Bugzilla::DB::_bz_check_dbd(@_); } } -- cgit v1.2.3-24-g4f1b From 71ce45b150b938a2c18a7809f5afe23e2c2e7c49 Mon Sep 17 00:00:00 2001 From: David Taylor Date: Fri, 19 Oct 2012 01:18:33 +0200 Subject: Bug 780053: Oracle crashes when listing keywords or flags in buglists r/a=LpSolit --- Bugzilla/DB/Oracle.pm | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/Bugzilla/DB/Oracle.pm b/Bugzilla/DB/Oracle.pm index da263e084..4a69db16d 100644 --- a/Bugzilla/DB/Oracle.pm +++ b/Bugzilla/DB/Oracle.pm @@ -124,7 +124,8 @@ sub bz_explain { sub sql_group_concat { my ($self, $text, $separator) = @_; $separator = $self->quote(', ') if !defined $separator; - return "group_concat(T_CLOB_DELIM($text, $separator))"; + my ($distinct, $rest) = $text =~/^(\s*DISTINCT\s|)(.+)$/i; + return "group_concat($distinct T_CLOB_DELIM(NVL($rest, ' '), $separator))"; } sub sql_regexp { 
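Review bot: `($minor_version >= 2) ? '2.19.3' : '2.17.2'` tests only the minor number inside the `$major_version >= 9` branch, so any later major with a minor below 2 (a hypothetical 10.0) would be held to the older DBD::Pg requirement; compare the pair instead: `local $db->{dbd}->{version} = ($major_version > 9 || $minor_version >= 2) ? '2.19.3' : '2.17.2';`. Separately, if the server string does not match `/^0*(\d+)\.0*(\d+)/` (a build reporting no dot), both captures are undef, `$major_version >= 9` is silently false under a warning and the DBD check is skipped entirely; defaulting with `|| 0` or throwing on a non-match would make that failure visible. `$db` is set up outside the hunk.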
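Review bot: The new regex `/^(\s*DISTINCT\s|)(.+)$/i` uses `.+` and `$` without `/s`, so a `$text` spanning lines (a multi-line column expression from a caller) has everything after the first newline dropped from `$rest`, and an empty `$text` leaves `$rest` undef; both produce a silently truncated `NVL(...)` argument rather than an error. Use `/^(\s*DISTINCT\s+|)(.+)$/is` and add a short comment, e.g. `# Peel off a leading DISTINCT so it stays outside T_CLOB_DELIM; NVL() substitutes a space for NULL values.` Whether the NULL substitution is what fixes the crash named in the commit title is my inference and should be confirmed.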
@@ -545,14 +546,17 @@ sub bz_setup_database { . " RETURN NUMBER IS BEGIN RETURN LENGTH(COLUMN_NAME); END;"); # Create types for group_concat - my $t_clob_delim = $self->selectcol_arrayref(" - SELECT TYPE_NAME FROM USER_TYPES WHERE TYPE_NAME=?", - undef, 'T_CLOB_DELIM'); - - if ( !@$t_clob_delim ) { - $self->do("CREATE OR REPLACE TYPE T_CLOB_DELIM AS OBJECT " - . "( p_CONTENT CLOB, p_DELIMITER VARCHAR2(256));"); - } + $self->do("DROP TYPE T_GROUP_CONCAT"); + $self->do("CREATE OR REPLACE TYPE T_CLOB_DELIM AS OBJECT " + . "( p_CONTENT CLOB, p_DELIMITER VARCHAR2(256)" + . ", MAP MEMBER FUNCTION T_CLOB_DELIM_ToVarchar return VARCHAR2" + . ");"); + $self->do("CREATE OR REPLACE TYPE BODY T_CLOB_DELIM IS + MAP MEMBER FUNCTION T_CLOB_DELIM_ToVarchar return VARCHAR2 is + BEGIN + RETURN p_CONTENT; + END; + END;"); $self->do("CREATE OR REPLACE TYPE T_GROUP_CONCAT AS OBJECT ( CLOB_CONTENT CLOB, -- cgit v1.2.3-24-g4f1b From c8f6709789dd430777f99d868439d49f6d7d51d3 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Fri, 19 Oct 2012 01:24:10 +0200 Subject: Bug 531243: Bugzilla crashes on show_bug if it's hit while a custom field is being added r=justdave a=LpSolit --- Bugzilla/Field.pm | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Bugzilla/Field.pm b/Bugzilla/Field.pm index dbee5df3d..81677c7ea 100644 --- a/Bugzilla/Field.pm +++ b/Bugzilla/Field.pm @@ -1016,7 +1016,11 @@ sub create { # the parameter isn't sent to create(). $params->{sortkey} = undef if !exists $params->{sortkey}; $params->{type} ||= 0; - + # We mark the custom field as obsolete till it has been fully created, + # to avoid race conditions when viewing bugs at the same time. + my $is_obsolete = $params->{obsolete}; + $params->{obsolete} = 1 if $params->{custom}; + $dbh->bz_start_transaction(); $class->check_required_create_fields(@_); my $field_values = $class->run_create_validators($params); 
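Review bot: `$self->do("DROP TYPE T_GROUP_CONCAT");` is unconditional, whereas the code it replaces first looked the type up in USER_TYPES; on a fresh database where T_GROUP_CONCAT does not exist yet Oracle raises ORA-04043, and if this handle runs with RaiseError (not visible here) checksetup aborts before the CREATE statements run. Guard it with the same lookup: `my $exists = $self->selectcol_arrayref('SELECT TYPE_NAME FROM USER_TYPES WHERE TYPE_NAME=?', undef, 'T_GROUP_CONCAT');` followed by `$self->do('DROP TYPE T_GROUP_CONCAT') if @$exists;`. A comment explaining the drop would also help: `# T_GROUP_CONCAT depends on T_CLOB_DELIM, so it must be dropped before T_CLOB_DELIM can be replaced.` — that dependency is implied only by the ordering, so confirm it against the T_GROUP_CONCAT definition that follows outside the hunk.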
@@ -1045,6 +1049,10 @@ sub create { # Insert a default value of "---" into the legal values table. $dbh->do("INSERT INTO $name (value) VALUES ('---')"); } + + # Restore the original obsolete state of the custom field. + $dbh->do('UPDATE fielddefs SET obsolete = 0 WHERE id = ?', undef, $field->id) + unless $is_obsolete; } return $field; -- cgit v1.2.3-24-g4f1b From ae633ca7fafbe9e2ac9cc045c47dc159edb1eca6 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Thu, 25 Oct 2012 17:16:54 +0200 Subject: Bug 610767: contrib/convert-workflow.pl should add transitions from RESOLVED and VERIFIED to CONFIRMED (if transitions to REOPENED were present) r=dkl a=LpSolit --- contrib/convert-workflow.pl | 49 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 46 insertions(+), 3 deletions(-) diff --git a/contrib/convert-workflow.pl b/contrib/convert-workflow.pl index 60029f67a..3dce21f12 100755 --- a/contrib/convert-workflow.pl +++ b/contrib/convert-workflow.pl @@ -20,7 +20,6 @@ # Max Kanat-Alexander use strict; -use warnings; use lib qw(. lib); use Bugzilla; @@ -82,6 +81,8 @@ $dbh->bz_start_transaction(); foreach my $pair (@translation) { my ($from, $to) = @$pair; print "Converting $from to $to...\n"; + # There is no FK on bugs.bug_status pointing to bug_status.value, + # so it's fine to update the bugs table first. $dbh->do('UPDATE bugs SET bug_status = ? WHERE bug_status = ?', undef, $to, $from); 
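Review bot: The UPDATE that clears `obsolete` talks only to the database; the `$field` object returned on the next line was built while the first hunk forced `$params->{obsolete}` to 1, so a caller inspecting `$field->obsolete` right after `create` will still see the field as obsolete, assuming the object caches the inserted row (its construction is outside this hunk). Re-fetch before returning, e.g. `$field = $class->new($field->id) unless $is_obsolete;`, or update the cached attribute in the same branch. A comment should also say that both the forced `obsolete = 1` and this restore must stay inside the transaction opened by `bz_start_transaction` for the race protection to hold; the commit is outside the hunk.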
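Review bot: The hunk removes `use warnings;` from the script with nothing in the commit message explaining why, which drops warning coverage for the rest of the conversion, including uninitialised values in the new SQL-building code added later in this patch. Unless a specific noisy warning is being silenced, keep the line; if there is one, narrow it with `no warnings 'category';` at the statement concerned rather than disabling warnings file-wide.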
@@ -103,11 +104,53 @@ foreach my $pair (@translation) { # If the new status already exists, just delete the old one, but retain # the workflow items from it. - if (my $existing = new Bugzilla::Status({ name => $to })) { + my $new_status = new Bugzilla::Status({ name => $to }); + my $old_status = new Bugzilla::Status({ name => $from }); + + if ($new_status && $old_status) { + my $to_id = $new_status->id; + my $from_id = $old_status->id; + # The subselect collects existing transitions from the target bug status. + # The main select collects existing transitions from the renamed bug status. + # The diff tells us which transitions are missing from the target bug status. + my $missing_transitions = + $dbh->selectcol_arrayref('SELECT sw1.new_status + FROM status_workflow sw1 + WHERE sw1.old_status = ? + AND sw1.new_status NOT IN (SELECT sw2.new_status + FROM status_workflow sw2 + WHERE sw2.old_status = ?)', + undef, ($from_id, $to_id)); + + $dbh->do('UPDATE status_workflow SET old_status = ? WHERE old_status = ? AND ' + . $dbh->sql_in('new_status', $missing_transitions), + undef, ($to_id, $from_id)) if @$missing_transitions; + + # The subselect collects existing transitions to the target bug status. + # The main select collects existing transitions to the renamed bug status. + # The diff tells us which transitions are missing to the target bug status. + # We have to explicitly exclude NULL from the subselect, because NOT IN + # doesn't know what to do with it (neither true nor false) and no data is returned. + $missing_transitions = + $dbh->selectcol_arrayref('SELECT sw1.old_status + FROM status_workflow sw1 + WHERE sw1.new_status = ? + AND sw1.old_status NOT IN (SELECT sw2.old_status + FROM status_workflow sw2 + WHERE sw2.new_status = ? + AND sw2.old_status IS NOT NULL)', + undef, ($from_id, $to_id)); + + $dbh->do('UPDATE status_workflow SET new_status = ? WHERE new_status = ? AND ' + . 
$dbh->sql_in('old_status', $missing_transitions), + undef, ($to_id, $from_id)) if @$missing_transitions; + + # Delete rows where old_status = new_status, and then the old status itself. + $dbh->do('DELETE FROM status_workflow WHERE old_status = new_status'); $dbh->do('DELETE FROM bug_status WHERE value = ?', undef, $from); } # Otherwise, rename the old status to the new one. - else { + elsif ($old_status) { $dbh->do('UPDATE bug_status SET value = ? WHERE value = ?', undef, $to, $from); } -- cgit v1.2.3-24-g4f1b From be7354cbea019cd0220e16119f70e0885d0326fe Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Fri, 26 Oct 2012 17:13:05 +0200 Subject: Bug 805647: Release notes for Bugzilla 4.2.4 r=dkl --- template/en/default/pages/release-notes.html.tmpl | 53 +++++++++++++++++++++-- 1 file changed, 50 insertions(+), 3 deletions(-) diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl index 35963148a..86a12af8d 100644 --- a/template/en/default/pages/release-notes.html.tmpl +++ b/template/en/default/pages/release-notes.html.tmpl @@ -53,6 +53,53 @@
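Review bot: `DELETE FROM status_workflow WHERE old_status = new_status` is not restricted to the status being merged, so any deliberately configured self-transition elsewhere in the workflow is also deleted on every pass through the loop; restrict it to the rows the two UPDATEs just produced: `$dbh->do('DELETE FROM status_workflow WHERE old_status = new_status AND old_status = ?', undef, $to_id);`. Transitions that already existed on the target (those excluded from `$missing_transitions`) still reference `$from_id` when the `bug_status` row for `$from` is deleted on the next line; whether a cascading foreign key removes them or they are left dangling depends on the schema, which is not visible here, so an explicit `DELETE FROM status_workflow WHERE old_status = ? OR new_status = ?` with `$from_id` before the bug_status delete would make the script self-contained. The enclosing foreach starts before the hunk.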

Updates in this 4.2.x Release

+

4.2.4

+ +

This release fixes several security issues. See the + Security Advisory + for details.

+ +

In addition, the following important fixes/changes have been made in this + release:

+ +
    +
  • Queries involving group substitution were crashing when the "usevisibilitygroups" + parameter was enabled. Also, CVE-2011-2979 was not fully fixed in + [%+ terms.Bugzilla %] 4.1.3. + ([% terms.Bug %] 788098)
  • +
  • Flag names were not properly escaped when displayed on the "confirm user + match" page. An admin could unintentionally break the display of this page + if a flag name contains a < or > character, because these characters + were not filtered. + ([% terms.Bug %] 790215)
  • +
  • We now prevent private WebServices methods from being called by external + applications. + ([% terms.Bug %] 793826)
  • +
  • PostgreSQL 9.2 requires DBD::Pg 2.19.3. + ([% terms.Bug %] 799721)
  • +
  • Oracle was crashing when listing keywords or flags in buglists. + ([% terms.Bug %] 780053)
  • +
  • Oracle was crashing when typing several bare words in the QuickSearch field. + ([% terms.Bug %] 804505)
  • +
  • [% terms.Bugs %] with the resolution MOVED couldn't be edited anymore. + ([% terms.Bug %] 757935)
  • +
  • Editing dependencies from the "Change Several [% terms.Bugs %] at Once" + page didn't work as expected. [% terms.Bug %] IDs were incorrectly parsed. + ([% terms.Bug %] 790909)
  • +
  • The "Actual Hours" axis now works correctly in tabular and graphical reports. + ([% terms.Bug %] 794389)
  • +
  • checksetup.pl was failing to run if the Voting extension was + enabled on a fresh installation and some mandatory modules were missing. + ([% terms.Bug %] 652047)
  • +
  • [% terms.Bugzilla %] no longer crashes when viewing [% terms.abug %] while + a custom field is being added. + ([% terms.Bug %] 531243)
  • +
  • For improved security, we now send the "X-Content-Type-Options: nosniff" + and "X-XSS-Protection: block" headers with every response. + ([% terms.Bugs %] 671612 + and 680771)
  • +
+

4.2.3

This release fixes two security issues. See the @@ -129,7 +176,7 @@ ([% terms.Bug %] 768870)

  • Two minor CSRF vulnerabilities have been fixed which could let an attacker alter your default search criteria in the Advanced Search page. - ([% terms.Bugs %] 754672 + ([% terms.Bugs %] 754672 and 754673)
  • @@ -613,8 +660,8 @@ ([% terms.Bug %] 640719)
  • Email notifications about dependencies and flags had the wrong timestamp. - ([% terms.Bug %] 643910 - and ([% terms.Bug %] 652165)
  • + ([% terms.Bugs %] 643910 + and 652165)
  • You can now select "UTC" as a valid timezone in General Preferences. ([% terms.Bug %] 646209)
  • Automatic duplicate detection now works on PostgreSQL (although -- cgit v1.2.3-24-g4f1b From b07c28db46f93f57a25b1b0210761f257fd05fbd Mon Sep 17 00:00:00 2001 From: Koosha Khajeh Moogahi Date: Fri, 2 Nov 2012 13:45:33 +0100 Subject: Bug 807937: Fix POD r/a=LpSolit --- Bugzilla/Object.pm | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/Bugzilla/Object.pm b/Bugzilla/Object.pm index 422a2ffa5..70ca1a5f0 100644 --- a/Bugzilla/Object.pm +++ b/Bugzilla/Object.pm @@ -801,7 +801,7 @@ your own C subroutine in a subclass.) The name of the column that should be considered to be the unique "name" of this object. The 'name' is a B that uniquely identifies this Object in the database. Defaults to 'name'. When you specify -C<{name => $name}> to C, this is the column that will be +C<< {name => $name} >> to C, this is the column that will be matched against in the DB. =item C @@ -1089,8 +1089,9 @@ Notes: In order for this function to work in your subclass, your subclass's L must be of C type in the database. - Subclass Implementors: This function basically just - calls L, then +Subclass Implementors: + This function basically just calls + L, then L, and then finally L. So if you have a complex system that you need to implement, you can do it by calling these @@ -1283,9 +1284,9 @@ C<0> otherwise. Returns: A list of objects, or an empty list if there are none. - Notes: Note that you must call this as C<$class->get_all>. For - example, Cget_all>. - C will not work. + Notes: Note that you must call this as $class->get_all. For + example, Bugzilla::Keyword->get_all. + Bugzilla::Keyword::get_all will not work. =back -- cgit v1.2.3-24-g4f1b From fc3af9b31f71c93b4824e8558dda60e4d5efe6f5 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Fri, 2 Nov 2012 13:56:57 +0100 Subject: Fix typo --- Bugzilla/Object.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Bugzilla/Object.pm b/Bugzilla/Object.pm index 70ca1a5f0..d4574abd2 100644 
--- a/Bugzilla/Object.pm +++ b/Bugzilla/Object.pm @@ -964,7 +964,7 @@ for each placeholder in C, in order. This is to allow subclasses to have complex parameters, and then to translate those parameters into C and C when they -call C<$self->SUPER::new> (which is this function, usually). +call C<< $self->SUPER::new >> (which is this function, usually). If you try to call C outside of a subclass with the C and C parameters, Bugzilla will throw an error. These parameters -- cgit v1.2.3-24-g4f1b From aa7fbd9b8f7264d131aa53ae2b3f867b4e7b8fc7 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Fri, 2 Nov 2012 18:35:38 +0100 Subject: Bug 806012: Installation docs need to be updated with instructions for bzr r=dkl a=LpSolit --- docs/en/xml/customization.xml | 8 ++++---- docs/en/xml/installation.xml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/en/xml/customization.xml b/docs/en/xml/customization.xml index 9b62b1d0b..c1524e07d 100644 --- a/docs/en/xml/customization.xml +++ b/docs/en/xml/customization.xml @@ -110,14 +110,14 @@ The first method of making customizations is to directly edit the templates found in template/en/default. This is probably the best way to go about it if you are going to - be upgrading Bugzilla through CVS, because if you then execute - a cvs update, any changes you have made will + be upgrading Bugzilla through Bzr, because if you then execute + a bzr update, any changes you have made will be merged automagically with the updated versions. - If you use this method, and CVS conflicts occur during an + If you use this method, and Bzr conflicts occur during an update, the conflicted templates (and possibly other parts of your installation) will not work until they are resolved. 
@@ -143,7 +143,7 @@ The second method of customization should be used if you use the overwriting method of upgrade, because otherwise your changes will be lost. This method may also be better if - you are using the CVS method of upgrading and are going to make major + you are using the Bzr method of upgrading and are going to make major changes, because it is guaranteed that the contents of this directory will not be touched during an upgrade, and you can then decide whether to continue using your own templates, or make the effort to merge your diff --git a/docs/en/xml/installation.xml b/docs/en/xml/installation.xml index e9830e29c..2da3a8e79 100644 --- a/docs/en/xml/installation.xml +++ b/docs/en/xml/installation.xml @@ -191,8 +191,8 @@ Download a Bugzilla tarball - (or check it out from CVS) and place - it in a suitable directory, accessible by the default web server user + (or check it out from Bzr) + and place it in a suitable directory, accessible by the default web server user (probably apache or www). Good locations are either directly in the web server's document directories or in /usr/local with a symbolic link to the web server's -- cgit v1.2.3-24-g4f1b From a9624e2ce485a6de1edce381331ae1dd6f0185fe Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Sat, 3 Nov 2012 00:18:32 +0100 Subject: Bug 804505: Oracle crashes when typing "word1 word2" in QuickSearch with "ORA-29907: found duplicate labels in primary invocations" r=dkl a=LpSolit --- Bugzilla/Bug.pm | 7 ++----- Bugzilla/DB/Oracle.pm | 8 ++++++-- Bugzilla/Search.pm | 4 ++-- 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 686828015..6a21b4e89 100644 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm 
@@ -523,17 +523,14 @@ sub possible_duplicates { if ($dbh->FULLTEXT_OR) { my $joined_terms = join($dbh->FULLTEXT_OR, @words); ($where_sql, $relevance_sql) = - $dbh->sql_fulltext_search('bugs_fulltext.short_desc', - $joined_terms, 1); + $dbh->sql_fulltext_search('bugs_fulltext.short_desc', $joined_terms); $relevance_sql ||= $where_sql; } else { my (@where, @relevance); - my $count = 0; foreach my $word (@words) { - $count++; my ($term, $rel_term) = $dbh->sql_fulltext_search( - 'bugs_fulltext.short_desc', $word, $count); + 'bugs_fulltext.short_desc', $word); push(@where, $term); push(@relevance, $rel_term || $term); } diff --git a/Bugzilla/DB/Oracle.pm b/Bugzilla/DB/Oracle.pm index 4a69db16d..ebf59533f 100644 --- a/Bugzilla/DB/Oracle.pm +++ b/Bugzilla/DB/Oracle.pm @@ -56,6 +56,8 @@ use constant BLOB_TYPE => { ora_type => ORA_BLOB }; use constant MIN_LONG_READ_LEN => 32 * 1024; use constant FULLTEXT_OR => ' OR '; +our $fulltext_label = 0; + sub new { my ($class, $params) = @_; my ($user, $pass, $host, $dbname, $port) = @@ -171,11 +173,13 @@ sub sql_from_days{ return " TO_DATE($date,'J') "; } + sub sql_fulltext_search { - my ($self, $column, $text, $label) = @_; + my ($self, $column, $text) = @_; $text = $self->quote($text); trick_taint($text); - return "CONTAINS($column,$text,$label) > 0", "SCORE($label)"; + $fulltext_label++; + return "CONTAINS($column,$text,$fulltext_label) > 0", "SCORE($fulltext_label)"; } sub sql_date_format { diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm index f0e015cbc..95f03a6ae 100644 --- a/Bugzilla/Search.pm +++ b/Bugzilla/Search.pm 
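Review bot: `our $fulltext_label` is a process-wide counter that is incremented on every call and never reset, so under a persistent server it grows for the lifetime of the worker, and nothing at the declaration says what makes a monotonically increasing label safe. Document the contract there, e.g. `# Every CONTAINS() in one Oracle statement needs a distinct label or Oracle fails with ORA-29907; a process-wide counter guarantees uniqueness without callers coordinating. It is never reset, which is fine because only uniqueness within a statement matters.` The extra blank line added before `sub sql_fulltext_search` looks accidental.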
@@ -2348,9 +2348,9 @@ sub _content_matches { # Create search terms to add to the SELECT and WHERE clauses. my ($term1, $rterm1) = - $dbh->sql_fulltext_search("$table.$comments_col", $value, 1); + $dbh->sql_fulltext_search("$table.$comments_col", $value); my ($term2, $rterm2) = - $dbh->sql_fulltext_search("$table.short_desc", $value, 2); + $dbh->sql_fulltext_search("$table.short_desc", $value); $rterm1 = $term1 if !$rterm1; $rterm2 = $term2 if !$rterm2; -- cgit v1.2.3-24-g4f1b From 3005f1cc32b216a5298bc32e3668bb4a0c577baa Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Sat, 3 Nov 2012 18:53:41 +0100 Subject: Bug 805647: One more item for the 4.2.4 release notes --- template/en/default/pages/release-notes.html.tmpl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl index 86a12af8d..277c61ff0 100644 --- a/template/en/default/pages/release-notes.html.tmpl +++ b/template/en/default/pages/release-notes.html.tmpl @@ -77,6 +77,9 @@ ([% terms.Bug %] 793826)
  • PostgreSQL 9.2 requires DBD::Pg 2.19.3. ([% terms.Bug %] 799721)
  • +
  • New databases created with PostgreSQL were sometimes not correctly encoded + as UTF8. + ([% terms.Bug %] 783786)
  • Oracle was crashing when listing keywords or flags in buglists. ([% terms.Bug %] 780053)
  • Oracle was crashing when typing several bare words in the QuickSearch field. -- cgit v1.2.3-24-g4f1b From 798135a6e855d992b734d002805ac4dd909be2cc Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Sat, 3 Nov 2012 19:58:26 +0100 Subject: Back out the last checkin, it was already there --- template/en/default/pages/release-notes.html.tmpl | 3 --- 1 file changed, 3 deletions(-) diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl index 277c61ff0..86a12af8d 100644 --- a/template/en/default/pages/release-notes.html.tmpl +++ b/template/en/default/pages/release-notes.html.tmpl @@ -77,9 +77,6 @@ ([% terms.Bug %] 793826)
  • PostgreSQL 9.2 requires DBD::Pg 2.19.3. ([% terms.Bug %] 799721)
  • -
  • New databases created with PostgreSQL were sometimes not correctly encoded - as UTF8. - ([% terms.Bug %] 783786)
  • Oracle was crashing when listing keywords or flags in buglists. ([% terms.Bug %] 780053)
  • Oracle was crashing when typing several bare words in the QuickSearch field. -- cgit v1.2.3-24-g4f1b From fbb0dd18cbf1ddf2e63c2db7c0bce98001a704ea Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Tue, 13 Nov 2012 18:09:30 +0100 Subject: Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses product and component names that the user is not allowed to see r=dkl a=LpSolit --- template/en/default/bug/edit.html.tmpl | 12 ++++++------ template/en/default/bug/field-events.js.tmpl | 18 +++++++++++++++--- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl index bdee83806..fbc6e4a96 100644 --- a/template/en/default/bug/edit.html.tmpl +++ b/template/en/default/bug/edit.html.tmpl @@ -30,9 +30,8 @@ [% PROCESS bug/time.html.tmpl %] - +[% END %] +//--> +
    diff --git a/template/en/default/bug/field-events.js.tmpl b/template/en/default/bug/field-events.js.tmpl index 13ec18d38..f1d5afd32 100644 --- a/template/en/default/bug/field-events.js.tmpl +++ b/template/en/default/bug/field-events.js.tmpl @@ -24,11 +24,23 @@ #%] [% FOREACH controlled_field = field.controls_visibility_of %] + [% vis_names = [] %] + [% FOREACH visibility_value = controlled_field.visibility_values %] + [%# Exclude non-enterable products and components outside the current product. %] + [% NEXT IF field.name == "product" + && visibility_value.id != product.id + && !user.can_enter_product(visibility_value) %] + [% NEXT IF field.name == "component" && visibility_value.product_id != product.id %] + [% vis_names.push(visibility_value.name) %] + [% END %] + + [% NEXT UNLESS vis_names.size %] + showFieldWhen('[% controlled_field.name FILTER js %]', '[% field.name FILTER js %]', [ - [%- FOREACH visibility_value = controlled_field.visibility_values -%] - '[%- visibility_value.name FILTER js -%]'[% "," UNLESS loop.last %] - [%- END %] + [%~ FOREACH vis_name = vis_names ~%] + '[% vis_name FILTER js %]'[% "," UNLESS loop.last %] + [%~ END ~%] ]); [% END %] -- cgit v1.2.3-24-g4f1b From be126b5b3ce49ae4d3c1591cccca40cb369c4dd3 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Tue, 13 Nov 2012 18:23:13 +0100 Subject: Bug 802204 (CVE-2012-4197): [SECURITY] Marking an attachment you cannot see as obsolete can disclose its description r=gerv a=LpSolit --- Bugzilla/Attachment.pm | 3 --- template/en/default/global/code-error.html.tmpl | 3 +-- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm index b1f47d0cd..69939a657 100644 --- a/Bugzilla/Attachment.pm +++ b/Bugzilla/Attachment.pm 
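Review bot: The filtering loop has a comment naming what is excluded but not why, and the reason is the security property this commit exists for; someone touching this template later could easily "simplify" it back. Expand the comment to `[%# Only emit names the user may see: listing every visibility value would disclose product and component names the user has no access to (CVE-2012-4199). Components are restricted to the current product because the component list is rebuilt when the product changes. %]` — the second sentence is my reading of the `product_id != product.id` test and should be confirmed. Filtering products by `can_enter_product` rather than a can-see check is stricter than the disclosure fix needs; that is the safe direction, but it means a controlled field will not toggle client-side for a product the user can view but not file in, if such a switch is reachable from this page.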
@@ -723,11 +723,8 @@ sub validate_obsolete { $attachment->validate_can_edit($bug->product_id) || ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id }); - $vars->{'description'} = $attachment->description; - if ($attachment->bug_id != $bug->bug_id) { $vars->{'my_bug_id'} = $bug->bug_id; - $vars->{'attach_bug_id'} = $attachment->bug_id; ThrowCodeError('mismatched_bug_ids_on_obsolete', $vars); } diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl index 73a602b87..24e46fb14 100644 --- a/template/en/default/global/code-error.html.tmpl +++ b/template/en/default/global/code-error.html.tmpl @@ -244,8 +244,7 @@ setting in [% constants.bz_locations.localconfig FILTER html %]. [% ELSIF error == "mismatched_bug_ids_on_obsolete" %] - Attachment [% attach_id FILTER html %] ([% description FILTER html %]) - is attached to [% terms.bug %] [%+ attach_bug_id FILTER html %], + Attachment [% attach_id FILTER html %] is attached to another [% terms.bug %], but you tried to flag it as obsolete while creating a new attachment to [%+ terms.bug %] [%+ my_bug_id FILTER html %]. -- cgit v1.2.3-24-g4f1b From 528016e235194489877c73835ad5296f2180440d Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Tue, 13 Nov 2012 18:36:33 +0100 Subject: Bug 781850 (CVE-2012-4198): [SECURITY] Do not leak the existence of groups when using User.get() r=dkl a=LpSolit --- Bugzilla/WebService/Constants.pm | 1 + Bugzilla/WebService/User.pm | 26 ++++++++++++++++++++------ 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm index 59aab9b55..6274c3a78 100644 --- a/Bugzilla/WebService/Constants.pm +++ b/Bugzilla/WebService/Constants.pm 
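Review bot: The error is still raised with the shared `$vars` hashref, whose construction is outside the hunk, so the fix depends on nothing else ever storing attachment details in it; a later addition elsewhere in `validate_obsolete` could reintroduce the leak this commit closes. Passing a fresh, minimal hash makes the intent explicit: `ThrowCodeError('mismatched_bug_ids_on_obsolete', { attach_id => $attachment->id, my_bug_id => $bug->bug_id });` and drop the `$vars->{'my_bug_id'}` assignment. A comment on the check would help too: `# Do not expose the attachment's description or bug id: the user has not been shown to have access to that bug (CVE-2012-4197).` Where `attach_id` is placed into `$vars` is not visible here, so confirm before replacing.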
@@ -166,6 +166,7 @@ use constant WS_ERROR_CODE => { group_exists => 801, empty_group_description => 802, invalid_regexp => 803, + invalid_group_name => 804, # Errors thrown by the WebService itself. The ones that are negative # conform to http://xmlrpc-epi.sourceforge.net/specs/rfc.fault_codes.php diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm index f8704a947..deb7518ec 100644 --- a/Bugzilla/WebService/User.pm +++ b/Bugzilla/WebService/User.pm @@ -233,12 +233,18 @@ sub _filter_users_by_group { # If no groups are specified, we return all users. return $users if (!$group_ids and !$group_names); + my $user = Bugzilla->user; + my @groups = map { Bugzilla::Group->check({ id => $_ }) } @{ $group_ids || [] }; - my @name_groups = map { Bugzilla::Group->check($_) } - @{ $group_names || [] }; - push(@groups, @name_groups); - + + if ($group_names) { + foreach my $name (@$group_names) { + my $group = Bugzilla::Group->check({ name => $name, _error => 'invalid_group_name' }); + $user->in_group($group) || ThrowUserError('invalid_group_name', { name => $name }); + push(@groups, $group); + } + } my @in_group = grep { $self->_user_in_any_group($_, \@groups) } @$users; @@ -586,10 +592,10 @@ C, C, and C items. =over -=item 51 (Bad Login Name or Group Name) +=item 51 (Bad Login Name or Group ID) You passed an invalid login name in the "names" array or a bad -group name/id in the C/C arguments. +group ID in the C argument. =item 304 (Authorization Required) @@ -601,6 +607,11 @@ wanted to get information about by user id. Logged-out users cannot use the "ids" or "match" arguments to this function. +=item 804 (Invalid Group Name) + +You passed a group name in the C argument which either does not +exist or you do not belong to it. + =back =item B 
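Review bot: The new membership check applies only to the `group_names` branch; the `group_ids` branch just above still calls `Bugzilla::Group->check({ id => $_ })` with no `in_group` test, so a client can still learn which group IDs exist from error 51 versus a successful call. Apply the same rule there, e.g. `my @groups = map { my $g = Bugzilla::Group->check({ id => $_ }); $user->in_group($g) || ThrowUserError('invalid_group_name', { name => $g->name }); $g } @{ $group_ids || [] };`, and update the POD that still documents 51 as "Bad Login Name or Group ID" accordingly. If hiding group IDs is intentionally out of scope, a comment saying so at the check would stop the next reader from assuming the omission is an oversight.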
@@ -614,6 +625,9 @@ function.
 =item C added in Bugzilla B<4.0>. Default behavior for C has changed to only returning enabled accounts.
+=item Error 804 has been added in Bugzilla 4.0.9 and 4.2.4. It's now
+illegal to pass a group name you don't belong to.
+
 =back
 =back
-- cgit v1.2.3-24-g4f1b
From 47da30332c29a8ad25e4a07353d2adf3ef8c1280 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Tue, 13 Nov 2012 18:48:12 +0100
Subject: Bug 808845 (CVE-2012-5475): [SECURITY] Security vulnerability in YUI's swfstore.swf in YUI 2.8.2 and 2.9.0 a=LpSolit
---
 js/yui/swfstore/swfstore.swf | Bin 4879 -> 4841 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/js/yui/swfstore/swfstore.swf b/js/yui/swfstore/swfstore.swf
index b2f5cd071..9c26ed137 100644
Binary files a/js/yui/swfstore/swfstore.swf and b/js/yui/swfstore/swfstore.swf differ
-- cgit v1.2.3-24-g4f1b
From 3a3636a8e51513cda6979bf13c02f573d1e9737f Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Tue, 13 Nov 2012 18:56:26 +0200
Subject: Bug 790296 (CVE-2012-4189): [SECURITY] Field values are not escaped correctly in tabular reports r=dkl a=LpSolit
---
 report.cgi | 2 +-
 template/en/default/reports/report-table.html.tmpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/report.cgi b/report.cgi
index cc43e66e4..5d5033b7d 100755
--- a/report.cgi
+++ b/report.cgi
@@ -354,5 +354,5 @@ sub get_field_restrictions {
 my $field = shift;
 my $cgi = Bugzilla->cgi;
- return join('&', map {"$field=$_"} $cgi->param($field));
+ return join('&', map {url_quote($field) . '=' . url_quote($_)} $cgi->param($field));
 }
diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl
index 8a3ab9524..b41753550 100644
--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
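Review bot: The `get_field_restrictions` hunk calls `url_quote` on the field name and on each value, but nothing in the hunk shows `url_quote` being brought into scope; the `use Bugzilla::Util qw(...)` list at the top of report.cgi is outside the hunk, so confirm it includes `url_quote` — under `use strict` the omission would only surface at runtime when a restriction is rendered. A one-line comment on the `return` would also record why the name is quoted as well as the values: `# Quote the field name and every value so neither can smuggle extra query parameters into the drill-down URL.` `sub get_field_restrictions {` opens before the hunk's first line, so the function's parameter handling is not under review here.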
@@ -102,7 +102,7 @@ YAHOO.util.Event.addListener(window, "load", function() {
 var myColumnDefs = [
 {key:"row_title", label:"", sortable:true, sortOptions: { sortFunction:totalNumberSorter }},
 [% FOREACH col = col_names %]
- {key:"[% col FILTER js %]", label:"[% display_value(col_field, col) FILTER js %]", sortable:true,
+ {key:"[% col FILTER js %]", label:"[% display_value(col_field, col) FILTER html FILTER js %]", sortable:true,
 formatter:this.Linkify, sortOptions: { defaultDir: YAHOO.widget.DataTable.CLASS_DESC, sortFunction:totalNumberSorter }},
 [% END %]
 {key:"total", label:"Total", sortable:true, formatter:this.LinkifyTotal,
-- cgit v1.2.3-24-g4f1b
From fbbd624a0d0958b1b7ece2e4286d2a4c73af0bc2 Mon Sep 17 00:00:00 2001
From: Dave Lawrence
Date: Tue, 13 Nov 2012 15:00:43 -0500
Subject: Bump version to 4.2.4 https://bugzilla.mozilla.org/show_bug.cgi?id=805644
---
 Bugzilla/Constants.pm | 2 +-
 docs/en/xml/Bugzilla-Guide.xml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index b804372f1..2a21149b7 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -202,7 +202,7 @@ use Memoize;
 # CONSTANTS
 #
 # Bugzilla version
-use constant BUGZILLA_VERSION => "4.2.3+";
+use constant BUGZILLA_VERSION => "4.2.4";
 # Location of the remote and local XML files to track new releases.
 use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml';
diff --git a/docs/en/xml/Bugzilla-Guide.xml b/docs/en/xml/Bugzilla-Guide.xml
index 1ed72f64a..e8497962d 100644
--- a/docs/en/xml/Bugzilla-Guide.xml
+++ b/docs/en/xml/Bugzilla-Guide.xml
@@ -32,9 +32,9 @@ For a devel release, simple bump bz-ver and bz-date -->
-
+
-
+
-- cgit v1.2.3-24-g4f1b
From 442d6df4683b7219738bb799a3650dd8b9c8431f Mon Sep 17 00:00:00 2001
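Review bot: Only the `label` in the changed object literal gains `FILTER html` ahead of `FILTER js`; the `key:"[% col FILTER js %]"` beside it keeps JS-only escaping, which is correct only as long as YUI DataTable treats the column key purely as data and never writes it into the DOM as markup. That assumption is not visible from the hunk, so a short template comment above the `[% FOREACH col = col_names %]` line recording it would make the asymmetry deliberate, e.g. `[%# key is data only (js-escaped); label is rendered as HTML, so it is html- then js-escaped %]`. The enclosing `addListener` callback starts before the hunk, so the rest of the column definitions are not under review here.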
From: Dave Lawrence
Date: Tue, 13 Nov 2012 18:29:10 -0500
Subject: Bump version post-release https://bugzilla.mozilla.org/show_bug.cgi?id=805644
---
 Bugzilla/Constants.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 2a21149b7..8056706b1 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -202,7 +202,7 @@ use Memoize;
 # CONSTANTS
 #
 # Bugzilla version
-use constant BUGZILLA_VERSION => "4.2.4";
+use constant BUGZILLA_VERSION => "4.2.4+";
 # Location of the remote and local XML files to track new releases.
 use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml';
-- cgit v1.2.3-24-g4f1b