Jump to >

Review Board 2.0.28 Release Notes

Release date: April 2, 2017

Security Updates

This release addresses a XSS security vulnerability found in a link used by the diff viewer to open a draft comment field in the review request page. The client-side code handling that link wasn’t properly validating the input, allowing malicious content to be provided.

This was reported and fixed by Anthony Steinhauser.

Reporting Security Vulnerabilities

Security vulnerabilities can be reported by filing a bug and choosing Security issue or by e-mailing security@beanbaginc.com. Patches can be sent by posting a review request to https://reviews.reviewboard.org and choosing only the “security” review group. These methods ensure security vulnerabilities are sent safely and confidentially to the Review Board team.

Upgrade Instructions

To upgrade to Review Board 2.0.28, run:

pip install ReviewBoard==2.0.28

or:

easy_install ReviewBoard==2.0.28

Packaging

  • Added a setup.py command for generating package.json files.

    This can be used by packagers to generate a file used to fetch node.js dependencies needed to build the package.

  • The minimum version of Pygments has been bumped to 2.1.

    This is needed for some HTML processing that must be done. The processing was not always correct on older versions.

Bug Fixes

Diff Viewer

  • Fixed links in the move detection flags going to the wrong place.

    The “Moved From” and “Moved To” flags shown in the diff viewer for moved content could end up jumping to the wrong place if a “Moved From” flag and a “Moved To” flag had the same line numbers.

  • A moved line in the original file can no longer point to multiple moved lines in the modified file. (Bug #4371)

  • Expanding lines in a diff no longer duplicates the “This file contains only whitespace changes” header. (Bug #4422)

Bazaar

  • Rewrote the Bazaar backend for better compatibility and license compliance. (Bug #4535)

    The original code was calling into the Bazaar API to register SSH support, which was not license-compliant. We’ve rewritten the Bazaar support to use the command line tool instead, offering SSH support through a GPL plugin, improving compatibility and ensuring we stay license-compliant going forward.

Mercurial

  • Fixed problems calling out to hg when Review Board and Mercurial were installed using different versions of Python.
  • Fixed detecting Mercurial support when Review Board and Mercurial were installed using different versions of Python.

Subversion

  • Improved support for parsing Subversion diffs generated by third-party IDEs from IntelliJ and others.

Contributors

  • Anthony Steinhauser
  • Barret Rennie
  • Christian Hammond