Today's releases of Review Board 3.0.24 and 4.0.2 fix a handful of bugs and one security issue, and introduce support for defining safe URL protocols for Markdown text.
Security Fix for Markdown Review UI
Though this is a pretty small attack vector, we do strongly recommend that everyone upgrades as a precaution.
Custom URL Protocols
Administrators can now set a list of URL protocols (like gopher://, etc.) they consider safe for their environment by modifying conf/settings_local.py. These will then be preserved when building links. For example:
ALLOWED_MARKDOWN_URL_PROTOCOLS = ['eclipse', 'ftp', 'gopher']
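How a protocol allowlist of this kind is typically enforced when links are built, as an added sketch that is not Review Board's own code. `BASE_PROTOCOLS`, `safe_href` and `render_link` are hypothetical names, and the baseline set is an assumption rather than Review Board's actual defaults.

```python
import html
import re

# Assumed baseline for this sketch; Review Board's built-in defaults may differ.
BASE_PROTOCOLS = {'http', 'https', 'mailto'}

# Same shape as the setting in conf/settings_local.py.
ALLOWED_MARKDOWN_URL_PROTOCOLS = ['eclipse', 'ftp', 'gopher']

# RFC 3986 scheme: a letter, then letters, digits, "+", "-" or ".".
_SCHEME_RE = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*):')
# Browsers drop tab/CR/LF anywhere in a URL and trim leading control
# characters and spaces, so normalise the same way before checking.
_INNER_WS_RE = re.compile(r'[\t\r\n]')
_LEADING_JUNK = ''.join(map(chr, range(0x21)))


def safe_href(url, extra=ALLOWED_MARKDOWN_URL_PROTOCOLS):
    """Return the normalised URL if its scheme is allowlisted, else None.

    URLs without a scheme are relative links and are kept.
    """
    allowed = BASE_PROTOCOLS | {p.lower() for p in extra}
    cleaned = _INNER_WS_RE.sub('', url).lstrip(_LEADING_JUNK)
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return cleaned
    # Schemes are case-insensitive, so compare in lower case.
    return cleaned if match.group(1).lower() in allowed else None


def render_link(text, url, extra=ALLOWED_MARKDOWN_URL_PROTOCOLS):
    """Build an anchor tag, or fall back to plain escaped text."""
    label = html.escape(text)
    href = safe_href(url, extra)
    if href is None:
        return label
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), label)


if __name__ == '__main__':
    # Constructed sample inputs.
    for sample in ('gopher://example.org/1', 'ECLIPSE://open?file=a.py',
                   '/r/42/', ' java\tscript:void(0)', 'data:text/html,x'):
        print(repr(sample), '->', render_link('link', sample))
```

With the setting left empty, only the baseline schemes survive, so a `gopher://` link renders as plain text.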
There are also fixes for:
- Marking session and CSRF cookies as secure
- Handling Subversion diffs with
- Markdown rendering of e-mail addresses
- Connecting to GitLab (in Review Board 4.0.2)
Note: If you're upgrading to 3.0.24, please follow the installation instructions in the release notes so you don't end up on 4.0.2.