Review Board 4.0.3: Bug Fixes Galore

Review Board 4.0.3 fixes an assortment of bugs throughout the product, some of which are specific to running on Python 3. The highlights include:

  • Sending e-mails with long Unicode subjects
  • Posting messages to Slack and Mattermost
  • Triggering builds on Jenkins
  • Looking up files from GitWeb or HgWeb
  • Scrolling in the comment dialog
  • Filtering repositories and loading commits in the New Review Request page
  • Adding groups as reviewers when Depends On is set
  • Displaying validation errors when configuring repositories or WebHooks

For the full list of changes, see the release notes.

Review Board 4.0.2 and 3.0.24: Security and Bug Fixes

Today's releases of Review Board 3.0.24 and 4.0.2 fix a handful of bugs and one security issue, and introduce support for defining safe URL protocols for Markdown text.

Security Fix for Markdown Review UI

Attackers could post a Markdown document for review that contained bad links that, when clicked, could invoke JavaScript code. We fixed a similar issue in 3.0.21, but this is specific to the Markdown Review UI.

Though this is a pretty small attack vector, we do strongly recommend that everyone upgrades as a precaution.

Custom URL Protocols

Administrators can now set a list of URL protocols (like eclipse://, ftp://, gopher://, etc.) they consider safe for their environment by modifying conf/settings_local.py. These will then be preserved when building links. For example:

ALLOWED_MARKDOWN_URL_PROTOCOLS = ['eclipse', 'ftp', 'gopher']
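
The kind of allow-list check this setting implies, as an added example (not Review Board's own code). The baseline protocol set and all function names are assumptions made for illustration; only ALLOWED_MARKDOWN_URL_PROTOCOLS and its value come from the text above.

```python
import html
import re

# Assumed baseline; the built-in list Review Board uses is not given here.
BASELINE_PROTOCOLS = {'http', 'https', 'mailto'}

# Value from the settings_local.py example above.
ALLOWED_MARKDOWN_URL_PROTOCOLS = ['eclipse', 'ftp', 'gopher']

_SCHEME_RE = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*):')
_LINK_RE = re.compile(r'\[([^\]]*)\]\(([^)]*)\)')  # simple inline links only


def normalize_href(href):
    """Approximate what a browser sees: decode character references,
    drop tab/CR/LF anywhere, trim leading control characters and spaces."""
    href = html.unescape(href)
    href = re.sub(r'[\t\r\n]', '', href)
    return href.lstrip(''.join(map(chr, range(0x21))))


def is_safe_href(href, extra_protocols=()):
    """Return True for scheme-less (relative) URLs and allow-listed schemes."""
    allowed = BASELINE_PROTOCOLS | {p.lower() for p in extra_protocols}
    match = _SCHEME_RE.match(normalize_href(href))
    if match is None:
        return True  # No scheme: relative path, fragment or query.
    return match.group(1).lower() in allowed


def strip_unsafe_links(markdown_text, extra_protocols=()):
    """Replace [label](url) with the bare label when url is not safe."""
    def repl(match):
        label, href = match.group(1), match.group(2)
        return match.group(0) if is_safe_href(href, extra_protocols) else label
    return _LINK_RE.sub(repl, markdown_text)


# Constructed sample input; \t is a literal tab hiding the scheme.
SAMPLE = (
    'Open in [Eclipse](eclipse://open?file=a.py), '
    'see [docs](/docs/), or [click](java\tscript:x).'
)

if __name__ == '__main__':
    print(strip_unsafe_links(SAMPLE, ALLOWED_MARKDOWN_URL_PROTOCOLS))
```

The check runs on the normalized href because a comparison against the raw string would miss schemes split by whitespace or written as character references.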

Bug Fixes

There are also fixes for:

  • Marking session and CSRF cookies as secure
  • Handling Subversion diffs with (nonexistent) revisions
  • Markdown rendering of e-mail addresses
  • Connecting to GitLab (in Review Board 4.0.2)

See the 3.0.24 release notes and 4.0.2 release notes for the full lists of changes.

Note: If you're upgrading to 3.0.24, please follow the installation instructions in the release notes so you don't end up on 4.0.2.