Jump to >

Review Board 1.7.29 Release Notes

Release date: February 22, 2016

Upgrade Instructions

To upgrade to Review Board 1.7.29, run:

easy_install ReviewBoard==1.7.29

Security Updates

This release fixes two security issues we discovered this week in Review Board, which may impact installations that make use of private review requests (through invite-only review groups, private repositories, Local Site functionality.)

If a user had access to a review request, it could access the file attachments, legacy screenshots, and review request update metadata of another review request, even those that were private. This required either a brute-force attempt at looking up database IDs, or pre-existing knowledge of those IDs.

CVEs are pending.

Extensions

  • Added an is_enabled_for mechanism for NavigationBarHook.

    NavigationBarHook can now decide whether or not to enable itself for each user.

Bug Fixes

  • Make it easier to copy the Install Key on Firefox.

    Firefox does not allow users to select and copy the contents of a “disabled” text input, which made it difficult to copy the Install Key. We’ve fixed this so you can now select and copy it to the clipboard.

  • Fix a syntax bug in the old SequenceMatcher differ.

    The SequenceMatcher diff method is only used in very old review requests, but for those, they were unable to be loaded due to a syntax error. This has been fixed.

  • Fix Python 2.4/2.5 compatibility with the Pygments dependency.

    Pygments 2.0 dropped support for Python 2.4 and 2.5. Review Board now intelligently limits the dependency version when running on older Python versions.

  • Fix Python 2.6 compatibility for the condensediffs management command.

    Review Board 1.7.28 introduced this command, but a bug was preventing it from working when using Python 2.6.

  • Prevent updating a closed review request.

    After a review request was closed, it still had a fully-functioning “Update” menu, which allowed new diffs and file attachments to be added. This has been fixed, and all updates are now prevented until the review request is reopened.

Contributors

  • Barret Rennie
  • Christian Hammond
  • David Trowbridge