Review Board 6.0.2 Release Notes¶
Release date: January 16, 2024
Review Board 6.0.2 is compatible with Python 3.8 - 3.12.
Follow our installation guide to prepare your system for Review Board or to upgrade your existing install.
To install this release, run:
$ pip3 install ReviewBoard==6.0.2
To learn more, see:
For assistance with your server, talk to us about support.
Fixed a security vulnerability allowing users with legitimate access to a server to craft API requests for private diff content.
During an internal audit of our API, we discovered it was possible for a user to construct an HTTP request to diff-related APIs and retrieve diff content when the user lacked permission to access the review request (such as when the review request is in a draft or on a private repository). This was due to a logic error preventing common access checks from being skipped for these APIs.
Only users with legitimate access to a server could access this diff content. Non-draft diffs required use of internal database IDs in order to be accessed.
We are not aware of any incidents regarding this issue, but we consider it a severe issue for companies utilizing private repositories and recommend that all server administrators upgrade immediately.
To address this, and prevent future issues, we’ve done the following:
We’ve fixed this issue across Review Board 3, 4, 5, and 6.
We’ve reached out to affected customers with Premium Support contracts to send patches for their versions.
We’ve enhanced our test suite to check for these kinds of issues across all APIs, automatically.
We’ve completed an audit of all the API resources we provide.
We’re in the process of reworking how our APIs are implemented so that access checks are handled by the common API layer and not per-API implementation, making this kind of issue impossible.
Clicking Log In on the Log Out page will no longer redirect back to the Log Out page.
This previously would log the user back out again. Now the user is taken to their dashboard.
Similarly, logging in from the Log In page will no longer take you back to that page.
Fixed batch review request operations in the Dashboard on servers using Local Sites.
Empty reviews will no longer be published.
Now any draft reviews that were created but never populated with comments or any text will be silently discarded when publishing. This restores the original behavior of reviews prior to Review Board 6.
Fixed posting diffs against some repository types on the New Review Request page. (Bug #5013)
Fixed uploading diffs against some repository types in the Update Diff dialog. (Bug #5013)
Fixed publishing drafts on servers using Local Sites.
Fixed validation issues when switching search backends.
Fixed text alignment in the Server Cache administration dashboard widget.
Fixed wrapping of long repository names in the Repositories administration dashboard widget.