Review Board 2.5.10 Release Notes
Release date: April 2, 2017
This release addresses an XSS security vulnerability found in a link used by the diff viewer to open a draft comment field in the review request page. The client-side code handling that link wasn’t properly validating the input, allowing malicious content to be provided.
This was reported and fixed by Anthony Steinhauser.
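As an added illustration of the kind of client-side validation this fix calls for (example code, not Review Board’s own; the anchor format `#comment/<fileId>/<line>[-<count>]` and the function names are assumptions), the fragment is parsed into numbers and the link is rebuilt from those values instead of echoing the raw input into the page:

```javascript
// Added example, not Review Board's code. The anchor format below is an
// assumption used only to show strict validation of a link fragment
// before any of it reaches the DOM:
//   #comment/<fileId>/<line>[-<count>]
const ANCHOR_RE = /^#comment\/(\d{1,9})\/(\d{1,9})(?:-(\d{1,4}))?$/;

// Parse the fragment into numbers only; anything else is rejected outright.
function parseCommentAnchor(hash) {
  const m = ANCHOR_RE.exec(hash);
  if (m === null) {
    return null;
  }
  const fileId = Number(m[1]);
  const line = Number(m[2]);
  const count = m[3] === undefined ? 1 : Number(m[3]);
  if (line < 1 || count < 1) {
    return null;
  }
  return { fileId, line, count };
}

// Build the href and the visible label from the validated numbers rather
// than from the raw fragment, so untrusted text never reaches the page.
function safeCommentLink(hash) {
  const a = parseCommentAnchor(hash);
  if (a === null) {
    return null;
  }
  const href = `#comment/${a.fileId}/${a.line}` + (a.count > 1 ? `-${a.count}` : '');
  const label = a.count > 1
    ? `Lines ${a.line}-${a.line + a.count - 1}`
    : `Line ${a.line}`;
  // In a browser: el.setAttribute('href', href); el.textContent = label;
  return { href, label };
}

// Constructed inputs: a well-formed anchor and one that smuggles markup.
console.log(safeCommentLink('#comment/12/40-3'));
console.log(safeCommentLink('#comment/12/40"><b>x</b>'));
```

The second call returns null, which is the point: a fragment that does not match the expected shape is dropped before any DOM update, rather than being split apart and partially trusted.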
Reporting Security Vulnerabilities
Security vulnerabilities can be reported by filing a bug and choosing Security issue or by e-mailing email@example.com. Patches can be sent by posting a review request to https://reviews.reviewboard.org and choosing only the “security” review group. These methods ensure security vulnerabilities are sent safely and confidentially to the Review Board team.
setup.py command for generating
This can be used by packagers to generate a file used to fetch node.js dependencies needed to build the package.
Made our python-dateutil dependency requirement less strict.
For historical reasons, we once had to cap our python-dateutil dependency at 1.5. This is no longer the case. Now, 1.5 or any version newer than 2.0 is compatible with Review Board.
Added a dependency on cryptography.
We used to use PyCrypto for our cryptography support. PyCrypto is no longer maintained. We now use cryptography instead, which is maintained and easier to install when using pip.
Fixed displaying a confirmation prompt when attempting to leave the page when there are unsaved changes to reviews or replies. (Bug #4084)
Patch by Kanghee Park.
Fixed links in the move detection flags going to the wrong place.
The “Moved From” and “Moved To” flags shown in the diff viewer for moved content could end up jumping to the wrong place if a “Moved From” flag and a “Moved To” flag had the same line numbers.
A moved line in the original file can no longer point to multiple moved lines in the modified file. (Bug #4371)
Expanding lines in a diff no longer duplicates the “This file contains only whitespace changes” header. (Bug #4422)
Fixed saving review groups containing inactive members. (Bug #4513)
Rewrote the Bazaar backend for better compatibility and license compliance. (Bug #4535)
The original code was calling into the Bazaar API to register SSH support, which was not license-compliant. We’ve rewritten the Bazaar support to use the command line tool instead, offering SSH support through a GPL plugin, improving compatibility and ensuring we stay license-compliant going forward.
Updated to use the Bitbucket 2.0 API, fixing several confusing bugs.
Up until recently, the Bitbucket API was split into 1.0 and 2.0, with the 2.0 API only containing a small subset of the 1.0 API, and the 1.0 API having a number of bugs with error reporting, branch fetching, and more. Now that the 2.0 API has matured, we’ve moved over to it entirely, providing a smoother experience when using Bitbucket.
Fixed error messages on the New Review Request page when using Mercurial versions older than 3.9. (Bug #4524)
Patch by André Klitzing.
Fixed problems calling out to hg when Review Board and Mercurial were installed using different versions of Python.
Fixed detecting Mercurial support when Review Board and Mercurial were installed using different versions of Python.
Improved support for parsing Subversion diffs generated by third-party IDEs such as IntelliJ and others.