Review Board 1.7.22 Release Notes¶
Release date: March 3, 2014
An XSS vulnerability was found in the Search field’s auto-complete.
If a user had a first or last name with HTML in it, the HTML would be interpreted by the browser. This allowed crafting short scripts (up to 13 characters in length per field, due to the field length limits).
This release fixes the vulnerability.
The vulnerability was made public on multiple channels, and we decided to fast-track a release in order to allow administrators to quickly patch their systems.
Added support for anonymous access to public Local Sites.
Local Sites marked as public can now be accessed by anonymous users, if anonymous access is turned on for the installation.
Added support for parallel-installed versions of Django.
Newly generated sites (or sites that update their
reviewboard.wsgifiles) now function correctly if there are multiple versions of Django or another Review Board dependency on the system. The thread will ensure that Review Board will import the versions it’s compatible with, and not other versions found on the system.
Patch by Stephen Gallagher.
The documentation for Review Group Resource no longer says that review groups cannot be created through the API.
Fixed compatibility with Apache 2.4’s method for authorization in newly generated config files. Patch by Stephen Gallagher. (Bug #3210)
Fixed an issue on some configurations where loading in initial schema data for the database would fail. (Bug #3126)
rb-site upgrade --all-sites no longer throws an error if there are no valid sites configured. Patch by Stephen Gallagher.
Administrators now have access to all repositories, instead of just public ones or ones they’re a member of. (Bug #3118)
Repositories backed by paths that no longer exist can now be hidden. Previously, attempting to change the “Visible” checkbox would result in an error. (Bug #2361)
Fixed creating groups and repositories that had conflicting “unique” fields. (Bug #3066, Bug #3093)
Password fields no longer appear blank when they have a value in forms. This prevents them from having to be re-entered just to save the form. (Bug #3037, Bug #3167)
httpsin the server URL now properly marks the server as using HTTPS. All URLs generated for the API and e-mails will include
http. (Bug #3085, Bug #3246)
Fixed incorrect labeling for the review request status graph in the Admin dashboard.
The widget in the dashboard showing the percentage of all review requests mislabeled discarded review requests as draft review requests. This has been fixed, and proper support for draft review requests was added. (Bug #3270)
Fixed support for accessing watched groups through the Dashboard. Patch by Thom Gerdes. (Bug #3204)
Copied files in Git diffs no longer results in File Not Found errors, and properly handles showing the state much like moved files.
Added better compatibility with Mercurial repository when accessing
hg-historyURLs, when the server name didn’t contain a trailing slash. (Bug #3216)
Added better CVS compatibility for repositories that don’t contain
CVSROOT/modules. (Bug #1986)
Fixed issues with Clear Case in multi-site mode when OIDs weren’t yet available on the server. Patch by Nicolas Dély. (Bug #3183)