Review Board 1.7.29 Release Notes
Release date: February 22, 2016
To upgrade to Review Board 1.7.29, run:
This release fixes two security issues we discovered this week in Review Board, which may impact installations that make use of private review requests (through invite-only review groups, private repositories, or Local Site functionality).
If a user had access to a review request, they could access the file attachments, legacy screenshots, and review request update metadata of another review request, even a private one. This required either a brute-force attempt at looking up database IDs, or pre-existing knowledge of those IDs.
CVEs are pending.
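The pattern behind this class of bug, and the object-scoped check that closes it, as an added illustration in Python (the project's language). This is not Review Board's code: the data model, the function names and the sample records are all hypothetical stand-ins.

```python
from dataclasses import dataclass

@dataclass
class ReviewRequest:
    id: int
    public: bool
    allowed_users: frozenset = frozenset()

@dataclass
class FileAttachment:
    id: int
    review_request_id: int
    name: str

# Constructed sample data: review request 2 is private (invite-only).
REVIEW_REQUESTS = {
    1: ReviewRequest(1, public=True),
    2: ReviewRequest(2, public=False, allowed_users=frozenset({"alice"})),
}
ATTACHMENTS = {
    10: FileAttachment(10, review_request_id=1, name="patch.txt"),
    20: FileAttachment(20, review_request_id=2, name="design-notes.pdf"),
}

def authorized_review_request(review_request_id, user):
    """Return the review request only if `user` may see it, else None (a 404)."""
    rr = REVIEW_REQUESTS.get(review_request_id)
    if rr is None or not (rr.public or user in rr.allowed_users):
        return None
    return rr

def get_attachment_unchecked(review_request_id, attachment_id, user):
    """Vulnerable pattern: the review request in the URL is authorized, but the
    attachment is then fetched by its global database ID with no ownership check,
    so any attachment ID in the system is served through an accessible request."""
    if authorized_review_request(review_request_id, user) is None:
        return None
    return ATTACHMENTS.get(attachment_id)

def get_attachment_checked(review_request_id, attachment_id, user):
    """Fixed pattern: the attachment must belong to the authorized review request.
    A missing ID and an ID owned by another request both answer None, so the
    response does not reveal whether the guessed ID exists."""
    rr = authorized_review_request(review_request_id, user)
    if rr is None:
        return None
    att = ATTACHMENTS.get(attachment_id)
    if att is None or att.review_request_id != rr.id:
        return None
    return att
```

A regression test that asserts the checked lookup returns nothing for a foreign attachment ID is the cheapest way to keep this fix from silently reverting.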
Added an is_enabled_for mechanism for NavigationBarHook.
NavigationBarHook can now decide whether or not to enable itself for each user.
Make it easier to copy the Install Key on Firefox.
Firefox does not allow users to select and copy the contents of a “disabled” text input, which made it difficult to copy the Install Key. We’ve fixed this so you can now select and copy it to the clipboard.
Fix a syntax bug in the old SequenceMatcher diff method.
The SequenceMatcher diff method is only used by very old review requests, but those review requests could not be loaded due to a syntax error. This has been fixed.
Fix Python 2.4/2.5 compatibility with the Pygments dependency.
Pygments 2.0 dropped support for Python 2.4 and 2.5. Review Board now intelligently limits the dependency version when running on older Python versions.
Fix Python 2.6 compatibility for the condensediffs management command.
Review Board 1.7.28 introduced this command, but a bug was preventing it from working when using Python 2.6.
Prevent updating a closed review request.
After a review request was closed, it still had a fully-functioning “Update” menu, which allowed new diffs and file attachments to be added. This has been fixed, and all updates are now prevented until the review request is reopened.
- Barret Rennie
- Christian Hammond
- David Trowbridge