Review Board 4.0.2 Release Notes¶
Release date: June 15, 2021
The attacker would need to be someone who already has legitimate access to your server and can post Markdown documents for review.
We recommend that everyone (especially those running public servers) upgrades to address this vulnerability, though the seriousness of the issue will vary from company to company.
Added support for custom URL protocols in Markdown-rendered HTML.
The recent changes to sanitize Markdown rendering removed the ability to use any arbitrary protocol in a URL (such as ones that would open links in an installed app).
Administrators can now define protocols that are considered safe in
settings_local.py. For example:
ALLOWED_MARKDOWN_URL_PROTOCOLS = ['gopher', 'ftp', 'eclipse']
- Sped up some database queries used when performing access control checks for review requests.
Session and CSRF cookies are now properly set as “Secure” when Review Board is configured for HTTPS.
This avoids warnings and future behavioral changes in browsers.
- Fixed a crash that could occur with some invalid characters in e-mail addresses.
- Files represented in diffs with a
(nonexistent)revision are now treated as deleted.
- Christian Hammond
- David Trowbridge