Review Board 1.7.22 Release Notes

Release date: March 3, 2014

Security Fixes

  • An XSS vulnerability was found in the Search field’s auto-complete.

    If a user had a first or last name with HTML in it, the HTML would be interpreted by the browser. This allowed crafting short scripts (up to 13 characters in length per field, due to the field length limits).

    This release fixes the vulnerability.

    The vulnerability was made public on multiple channels, and we decided to fast-track a release in order to allow administrators to quickly patch their systems.

    Bug #3274
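The class of bug described above, shown as an added example that is not Review Board's own code: an auto-complete entry built by string concatenation treats name fields as markup, while escaping them on output renders them as text. The helper names, the `first_name`/`last_name` field names and the sample records are assumptions constructed for illustration.

```javascript
// Added example (not Review Board code). All names and records are constructed.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that are significant in HTML text and attributes.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: profile fields are concatenated into the item markup unmodified,
// so any tags stored in a name are interpreted by the browser.
function renderItemUnsafe(user) {
  return '<li>' + user.username + ' <span>(' + user.first_name + ' ' +
         user.last_name + ')</span></li>';
}

// After: every user-controlled field is escaped at the point of output.
function renderItemSafe(user) {
  return '<li>' + escapeHTML(user.username) + ' <span>(' +
         escapeHTML(user.first_name) + ' ' + escapeHTML(user.last_name) +
         ')</span></li>';
}

// Audit helper: list the fields of a record that contain angle brackets,
// for reviewing accounts that were created before the fix was applied.
function fieldsWithMarkup(user) {
  return ['username', 'first_name', 'last_name']
    .filter((field) => /[<>]/.test(String(user[field] ?? '')));
}

// Constructed sample records: one with harmless markup in a name field,
// one with a legitimate apostrophe that must still display correctly.
const sampleUsers = [
  { username: 'alice', first_name: '<b>Al</b>', last_name: 'Smith' },
  { username: 'pat', first_name: 'Pat', last_name: "O'Brien" },
];

for (const user of sampleUsers) {
  console.log('unsafe :', renderItemUnsafe(user));
  console.log('safe   :', renderItemSafe(user));
  console.log('flagged:', fieldsWithMarkup(user));
}
```

Escaping at output keeps names such as O'Brien displaying correctly, and the audit helper only reports records; it does not modify them.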

New Features

  • Added support for anonymous access to public Local Sites.

    Local Sites marked as public can now be accessed by anonymous users, if anonymous access is turned on for the installation.

  • Added support for parallel-installed versions of Django.

    Newly generated sites (or sites that update their reviewboard.wsgi files) now function correctly if there are multiple versions of Django or another Review Board dependency on the system. This ensures that Review Board imports the versions it’s compatible with, and not other versions found on the system.

    Patch by Stephen Gallagher.

API Changes

  • The documentation for Review Group Resource no longer says that review groups cannot be created through the API.

Bug Fixes


  • Fixed compatibility with Apache 2.4’s method for authorization in newly generated config files. Patch by Stephen Gallagher. (Bug #3210)

  • Fixed an issue on some configurations where loading in initial schema data for the database would fail. (Bug #3126)

  • rb-site upgrade --all-sites no longer throws an error if there are no valid sites configured. Patch by Stephen Gallagher.


  • Administrators now have access to all repositories, instead of just public ones or ones they’re a member of. (Bug #3118)

  • Repositories backed by paths that no longer exist can now be hidden. Previously, attempting to change the “Visible” checkbox would result in an error. (Bug #2361)

  • Fixed creating groups and repositories that had conflicting “unique” fields. (Bug #3066, Bug #3093)

  • Password fields no longer appear blank when they have a value in forms. This prevents them from having to be re-entered just to save the form. (Bug #3037, Bug #3167)

  • Setting https in the server URL now properly marks the server as using HTTPS. All URLs generated for the API and e-mails will include https instead of http. (Bug #3085, Bug #3246)

  • Fixed incorrect labeling for the review request status graph in the Admin dashboard.

    The widget in the dashboard showing the percentage of all review requests mislabeled discarded review requests as draft review requests. This has been fixed, and proper support for draft review requests was added. (Bug #3270)


  • Usernames, passwords, and other information are properly encoded to UTF-8 before authenticating. (Bug #3256)

  • Users without e-mail addresses in LDAP no longer break when first authenticating. (Bug #3257)


  • Fixed support for accessing watched groups through the Dashboard. Patch by Thom Gerdes. (Bug #3204)


  • Copied files in Git diffs no longer result in File Not Found errors, and their state is now shown properly, much like moved files.

  • Added better compatibility with Mercurial repositories when accessing hg-history URLs, when the server name didn’t contain a trailing slash. (Bug #3216)

  • Added better CVS compatibility for repositories that don’t contain CVSROOT/modules. (Bug #1986)

  • Fixed issues with ClearCase in multi-site mode when OIDs weren’t yet available on the server. Patch by Nicolas Dély. (Bug #3183)


Contributors

  • Christian Hammond

  • David Trowbridge

  • Nicolas Dély

  • Stephen Gallagher

  • Thom Gerdes