Review Board 2.5.3 Release Notes¶
Release date: February 22, 2016
This release fixes two security issues we discovered this week in Review Board, which may impact installations that make use of private review requests (through invite-only review groups, private repositories, Local Site functionality.)
If a user had access to a review request, it could access the file attachments, legacy screenshots, and review request update metadata of another review request, even those that were private. This required either a brute-force attempt at looking up database IDs, or pre-existing knowledge of those IDs.
CVEs are pending.
Added tooltips to the file summary graphs in the diff viewer file list. (Bug #3812)
The small circular graphs which show a summary of the size and type of changes to each file now have tooltips that list the exact number of added, removed, or changed lines.
Patch by Evan Huntzinger.
Allow using unix sockets for memcached.
The cache backend now supports the
Patch by André Klitzing.
Improved the look and feel on mobile devices.
The look of the header and menu on mobile devices has been improved.
JSExtension) used to output all of an extension’s stored settings into the page. Extensions that want to limit that data, or provide a custom set of extension settings data, can override this using
Diff validation now includes more detailed error messages.
If a diff fails to validate due to an error communicating with the repository, the reported error would be that the diff could not be parsed. The Validate Diff List Resource now reports a much more detailed error that actually explains what went wrong.
Fix errors caused by trailing commas in a column sorting definition.
Some search crawlers such as Bingbot can attempt to load a datagrid with a sort column list that had a trailing comma, causing a crash. This now filters out any invalid column names.
Correctly render Markdown in the “Changes” field. (Bug #3974)
The change description text was rendered as Markdown in the Web UI, but was being shown as markdown source in e-mails.
Patch by Griffin Myers.
Repositories using git URLs with inline authentication credentials can now be successfully added.
Patch by Matt Comben.
Fix incorrect “Are you sure you want to leave this page” pop-ups on Firefox. (Bug #3727)
Editing fields in Firefox could cause an issue where the unsaved changes confirmation box was shown even when there were no unsaved changes.
Patch by Mike Conley.
Fix the display of legacy screenshots. (Bug #4010)
Old Review requests which used the old “screenshot” feature were not displaying properly. These have now been fixed to display the same as the more modern file attachments.
Fixed the display of Start Over in the Update Diff UI. (Bug #4034)
The Start Over link was being shown outside of the pop-up box instead of inside.
Patch by Sam Churney.
Fixed redirection when bug tracker URLs used a non-standard scheme. (Bug #4080).
If a configured bug URL had a non-standard URL scheme (such as
bugs://some/path?id=%s), the redirect would fail.
Patch by Shaurya Sengar.
Fixed the display of the Send e-mail only to the mailing list field.
In 2.5, groups gained the ability to send e-mail to the individual group members in addition to the mailing list (the default behavior is still to send only to the configured mailing list if present). This was hidden because a bug was preventing the field from being shown in the admin UI.
Fixed very long load times for the DiffSet admin pages.
A couple fields in the DiffSet admin page were creating very large
<select>elements involving huge database queries. These have been updated to use a different widget that does not place such a burden on the server.
Fix JSON serialization for new diffs. (Bug #4042)
Review request updates which contained a new diff would fail to trigger any configured Webhooks due to a serialization error.