New Review Board 2.0.31 and 2.5.16 security releases

We have two new security releases for you today, both fixing security issues reported to us by security researcher Dylan Ayrey. There's also a few bug fixes for GitLab and Subversion, and some improvements for the Administration UI's Security Checklist.

Security Fixes

Dylan reported two vulnerabilities that could be used to execute JavaScript code on a user's behalf:

  1. If a text field contains a plain-text javascript: URL, it would be turned into a link that, when clicked, would execute JavaScript on the user's behalf. These links would be pretty long and were easily identifiable, making it less likely that users would be tricked into clicking them (and could not be masked using Markdown links). We've altered the linking behavior to only link certain known types of safe URLs.

  2. When clicking Download on a file attachment, the browser may choose to render certain file types in the browser. This includes SVG files, which can include JavaScript. If the media files are served up on the same domain used for Review Board (which is the default behavior), as opposed to a CDN or dedicated domain, then users could be at risk when downloading SVG files.

    We now generate Apache configuration files that add a Content-Disposition: attachment header to all media files, forcing them to download. If you're not using a standard Apache setup, you may need to modify your configuration to add this header.

    You can visit the Security Checklist to make sure this header is being set.

GitLab and Subversion Fixes

Review Board 2.0.31 and 2.5.16 include fixes for working with changes on GitLab. Both fix issues viewing diffs against files containing Unicode characters, and 2.5.16 includes a fix for creating/modifying repositories for self-hosted GitLab servers.

2.5.16 also includes a fix for the New Review Request page when there are problems talking to Subversion repositories. Errors are now reported, instead of the page reporting a generic "Internal Server Error."

See the 2.0.31 and 2.5.16 release notes for more information on these releases, along with upgrade instructions.