Review Board 2.0.4 Release Notes¶
Release date: July 22, 2014
This release fixes a couple of security vulnerabilities that came to our attention. These have not been publicly disclosed.
Fixed a vulnerability where a URL to a diff fragment could be crafted that would inject custom HTML into the page. An attacker could send such a URL to another user and execute code in their browser session.
This was reported by Uchida. A CVE number is pending.
The Original File and Patched File resources could be used to access files on a private review request that the user did not have access to, if they knew the approciate database IDs.
A CVE number is pending.
Added support for parent diffs in the New Review Request page.
When uploading a diff, Review Board will now detect if a parent diff is needed for the patch to apply. If so, the user will be shown an appropriate error and then shown fields for uploading a parent diff.
- Updated the Italian translations.
- Fixed the URL to the Recaptcha registration page. (Bug #3471)
- Fixed the command line used for
update_indexin the example crontab.
Fixed the display of errors when failing to publish a draft review request.
Patch by Mark Côté.
When uploading file attachments, malformed mimetypes provided by the browser will be ignored, and a proper mimetype will be guessed. (Bug #3427)
Long strings in the right-hand review request fields no longer cause fields to overlap. (Bug #3371)
Fixed the display of errors in the Upload Diff and Add File dialogs. (Bug #3413)
- Fixed a Unicode compatibility issue when fetching files using PySVN.
- Christian Hammond
- David Trowbridge
- Mark Côté