Jump to >

Review Board 2.5.16 Release Notes

Release date: September 12, 2017

Security Updates

This release fixes two security vulnerabilities. Thanks to Dylan Ayrey for reporting and discussing these issues with us.

  • URLs beginning with javascript: in text fields were being turned into clickable links, which could be used to run malicious code on a user’s behalf if clicked. We no longer convert these into links.

  • Attempting to download an SVG file attachment would default to displaying it in the web browser, allowing any malicious JavaScript within the SVG to load and run on the user’s behalf when served from a standard Review Board install. (If you use a CDN hosted on a separate domain, you are not at risk.)

    We now force all file attachments to download when clicking Download or when accessing its URL directly in the browser. This applies only to new and existing Apache-based installs. If using Nginx or a custom server configuration, you will need to ensure that all uploaded media files are served with a Content-Disposition: attachment header.

We also fixed an issue that could cause uploaded file security checks in the Security Checklist page to fail.

We recommend that everyone upgrade at their earliest convenience in order to stay secure. Please also view the Security Checklist in the administration UI once you have upgraded and make sure that all tests have passed.

Reporting Security Vulnerabilities

Security vulnerabilities can be reported by filing a bug and choosing Security issue or by e-mailing security@beanbaginc.com. Patches can be sent by posting a review request to https://reviews.reviewboard.org and choosing only the “security” review group. These methods ensure security vulnerabilities are sent safely and confidentially to the Review Board team.

Bug Fixes

GitLab

  • Fixed viewing diffs of files on GitLab that contain Unicode characters.
  • Fixed HTTP 502 Bad Gateway errors when authenticating or communication with GitLab in some configurations.

Subversion

  • Errors viewing the commit list when talking to a Subversion repository are now captured and shown on the page, instead of triggering crashes and error e-mails.

Contributors

  • Christian Hammond
  • Dylan Ayrey