From 458aca660809144eb9b2c3d84cff103d00dac7c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Sun, 6 Mar 2016 16:45:25 +0100 Subject: IIS instructions work with Windows 10 too --- docs/en/rst/installing/iis.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/en/rst/installing/iis.rst b/docs/en/rst/installing/iis.rst index 1670db5f5..320b8f73c 100644 --- a/docs/en/rst/installing/iis.rst +++ b/docs/en/rst/installing/iis.rst @@ -4,7 +4,8 @@ Microsoft IIS ############# Bugzilla works with IIS as a normal CGI application. These instructions assume -that you are using Windows 7. Procedures for other versions are probably similar. +that you are using Windows 7 or Windows 10. Procedures for other versions are +probably similar. Begin by starting Internet Information Services (IIS) Manager. :guilabel:`Start` --> :guilabel:`Administrators Tools` --> -- cgit v1.2.1 From eb323eb6db292aa9fb705ceaff9c94b3a7a74c4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Wed, 9 Mar 2016 23:06:28 +0100 Subject: Bug 1234977: Replace \d+ by [0-9]+ in critical validation places r=dylan a=dkl --- Bugzilla/Bug.pm | 14 +++++++------- Bugzilla/DB/Schema/Mysql.pm | 2 +- Bugzilla/Template.pm | 16 ++++++++-------- Bugzilla/Util.pm | 4 ++-- process_bug.cgi | 7 ++++--- 5 files changed, 22 insertions(+), 21 deletions(-) diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 34bf95ff7..8b4493f85 100644 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm 
@@ -305,15 +305,15 @@ sub new { my $param = shift; # Remove leading "#" mark if we've just been passed an id. - if (!ref $param && $param =~ /^#(\d+)$/) { + if (!ref $param && $param =~ /^#([0-9]+)$/) { $param = $1; } # If we get something that looks like a word (not a number), # make it the "name" param. if (!defined $param - || (!ref($param) && $param !~ /^\d+$/) - || (ref($param) && $param->{id} !~ /^\d+$/)) + || (!ref($param) && $param !~ /^[0-9]+$/) + || (ref($param) && $param->{id} !~ /^[0-9]+$/)) { if ($param) { my $alias = ref($param) ? $param->{id} : $param; @@ -556,15 +556,15 @@ sub _extract_bug_ids { my $s = $comment->already_wrapped ? qr/\s/ : qr/\h/; my $text = $comment->body; # Full bug links - push @bug_ids, $text =~ /\b$urlbase_re\Qshow_bug.cgi?id=\E(\d+)(?:\#c\d+)?/g; + push @bug_ids, $text =~ /\b$urlbase_re\Qshow_bug.cgi?id=\E([0-9]+)(?:\#c[0-9]+)?/g; # bug X - my $bug_re = qr/\Q$bug_word\E$s*\#?$s*(\d+)/i; + my $bug_re = qr/\Q$bug_word\E$s*\#?$s*([0-9]+)/i; push @bug_ids, $text =~ /\b$bug_re/g; # bugs X, Y, Z - my $bugs_re = qr/\Q$bugs_word\E$s*\#?$s*(\d+)(?:$s*,$s*\#?$s*(\d+))+/i; + my $bugs_re = qr/\Q$bugs_word\E$s*\#?$s*([0-9]+)(?:$s*,$s*\#?$s*([0-9]+))+/i; push @bug_ids, $text =~ /\b$bugs_re/g; # Old duplicate markers - push @bug_ids, $text =~ /(?<=^\*\*\*\ This\ bug\ has\ been\ marked\ as\ a\ duplicate\ of\ )(\d+)(?=\ \*\*\*\Z)/; + push @bug_ids, $text =~ /(?<=^\*\*\*\ This\ bug\ has\ been\ marked\ as\ a\ duplicate\ of\ )([0-9]+)(?=\ \*\*\*\Z)/; } # Make sure to filter invalid bug IDs. @bug_ids = grep { $_ < MAX_INT_32 } @bug_ids; diff --git a/Bugzilla/DB/Schema/Mysql.pm b/Bugzilla/DB/Schema/Mysql.pm index 0195fcb06..7ff8ade9f 100644 --- a/Bugzilla/DB/Schema/Mysql.pm +++ b/Bugzilla/DB/Schema/Mysql.pm 
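Review bot: The rewritten checks in `sub new` (`$param !~ /^[0-9]+$/` and `$param->{id} !~ /^[0-9]+$/`) still end in `$`, which also matches just before a trailing newline, so a digit string followed by a newline is still classified as a numeric id. For a validation site the stricter anchors are `\A` and `\z`, e.g. `$param !~ /\A[0-9]+\z/`. The same applies to `/^(-)?([0-9]+)(\.[0-9]+)?$/` in Bugzilla/DB/Schema/Mysql.pm and to the new `unless $comment_id =~ /^[0-9]+$/` in Bugzilla/WebService/Bug.pm; `detaint_natural` and `detaint_signed` reassign from the capture, so there the newline is dropped. `sub new` continues outside the hunk, so whether a later step rejects the newline is not visible here.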
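Review bot: In `_extract_bug_ids` the second `([0-9]+)` of `$bugs_re` sits inside the repeated group `(?:...)+`, so each match yields only the first and the last id, and the ids in between in a list of three or more appear never to reach `@bug_ids`. If every listed id is meant to be collected, match the whole list once and then pull the ids out of the matched text with a second `/([0-9]+)/g`, which is how `quoteUrls` in Bugzilla/Template.pm treats its own `$bugs_re`. The enclosing loop starts outside the hunk.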
@@ -316,7 +316,7 @@ sub column_info_to_column { $default = 0 if $default =~ /^0\.0+$/; # If we're not a number, we're a string and need to be # quoted. - $default = $dbh->quote($default) if !($default =~ /^(-)?(\d+)(.\d+)?$/); + $default = $dbh->quote($default) if !($default =~ /^(-)?([0-9]+)(\.[0-9]+)?$/); $column->{DEFAULT} = $default; } } diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index ce027171b..8104f6f1f 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -232,7 +232,7 @@ sub quoteUrls { ~$1$2~igx; # attachment links - $text =~ s~\b(attachment$s*\#?$s*(\d+)(?:$s+\[details\])?) + $text =~ s~\b(attachment$s*\#?$s*([0-9]+)(?:$s+\[details\])?) ~($things[$count++] = get_attachment_link($2, $1, $user)) && ("\x{FDD2}" . ($count-1) . "\x{FDD3}") ~egmxi; @@ -245,9 +245,9 @@ sub quoteUrls { # Also, we can't use $bug_re?$comment_re? because that will match the # empty string my $bug_word = template_var('terms')->{bug}; - my $bug_re = qr/\Q$bug_word\E$s*\#?$s*(\d+)/i; + my $bug_re = qr/\Q$bug_word\E$s*\#?$s*([0-9]+)/i; my $comment_word = template_var('terms')->{comment}; - my $comment_re = qr/(?:\Q$comment_word\E|comment)$s*\#?$s*(\d+)/i; + my $comment_re = qr/(?:\Q$comment_word\E|comment)$s*\#?$s*([0-9]+)/i; $text =~ s~\b($bug_re(?:$s*,?$s*$comment_re)?|$comment_re) ~ # We have several choices. $1 here is the link, and $2-4 are set # depending on which part matched 
@@ -261,29 +261,29 @@ sub quoteUrls { my $bugs_word = template_var('terms')->{bugs}; my $bugs_re = qr/\Q$bugs_word\E$s*\#?$s* - \d+(?:$s*,$s*\#?$s*\d+)+/ix; + [0-9]+(?:$s*,$s*\#?$s*[0-9]+)+/ix; $text =~ s{($bugs_re)}{ my $match = $1; - $match =~ s/((?:#$s*)?(\d+))/get_bug_link($2, $1);/eg; + $match =~ s/((?:#$s*)?([0-9]+))/get_bug_link($2, $1);/eg; $match; }eg; my $comments_word = template_var('terms')->{comments}; my $comments_re = qr/(?:comments|\Q$comments_word\E)$s*\#?$s* - \d+(?:$s*,$s*\#?$s*\d+)+/ix; + [0-9]+(?:$s*,$s*\#?$s*[0-9]+)+/ix; $text =~ s{($comments_re)}{ my $match = $1; - $match =~ s|((?:#$s*)?(\d+))|$1|g; + $match =~ s|((?:#$s*)?([0-9]+))|$1|g; $match; }eg; # Old duplicate markers. These don't use $bug_word because they are old # and were never customizable. $text =~ s~(?<=^\*\*\*\ This\ bug\ has\ been\ marked\ as\ a\ duplicate\ of\ ) - (\d+) + ([0-9]+) (?=\ \*\*\*\Z) ~get_bug_link($1, $1, { user => $user }) ~egmx; diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index 037b38648..bbf4261ca 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -49,13 +49,13 @@ sub trick_taint { } sub detaint_natural { - my $match = $_[0] =~ /^(\d+)$/; + my $match = $_[0] =~ /^([0-9]+)$/; $_[0] = $match ? int($1) : undef; return (defined($_[0])); } sub detaint_signed { - my $match = $_[0] =~ /^([-+]?\d+)$/; + my $match = $_[0] =~ /^([-+]?[0-9]+)$/; # The "int()" call removes any leading plus sign. $_[0] = $match ? int($1) : undef; return (defined($_[0])); diff --git a/process_bug.cgi b/process_bug.cgi index 216dfbf1b..0b0ecd64e 100755 --- a/process_bug.cgi +++ b/process_bug.cgi 
@@ -305,9 +305,10 @@ if (defined $cgi->param('id')) { my %is_private; foreach my $field (grep(/^defined_isprivate/, $cgi->param())) { - $field =~ /(\d+)$/; - my $comment_id = $1; - $is_private{$comment_id} = $cgi->param("isprivate_$comment_id"); + if ($field =~ /(\d+)$/) { + my $comment_id = $1; + $is_private{$comment_id} = $cgi->param("isprivate_$comment_id"); + } } $set_all_fields{comment_is_private} = \%is_private; -- cgit v1.2.1 From 7621e45539668c56a8f7b83a46a05a9e5aca79b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Sch=C3=B6ning?= Date: Wed, 9 Mar 2016 23:22:17 +0100 Subject: Bug 1250908: "Use of uninitialized value" warning thrown when creating a new bug depending or blocking another one r=LpSolit a=dkl --- Bugzilla/BugMail.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Bugzilla/BugMail.pm b/Bugzilla/BugMail.pm index d4a1597ab..110a1ffaf 100644 --- a/Bugzilla/BugMail.pm +++ b/Bugzilla/BugMail.pm @@ -169,8 +169,8 @@ sub Send { } if ($change->{field_name} eq 'dependson' || $change->{field_name} eq 'blocked') { - push @referenced_bug_ids, split(/[\s,]+/, $change->{old}); - push @referenced_bug_ids, split(/[\s,]+/, $change->{new}); + push @referenced_bug_ids, split(/[\s,]+/, $change->{old} // ''); + push @referenced_bug_ids, split(/[\s,]+/, $change->{new} // ''); } } -- cgit v1.2.1 From 1c5ecdf1c8d11dbd47f1361bc11565d1175c81bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Tue, 15 Mar 2016 17:11:52 +0100 Subject: Bug 1253267: Possible DOT injection vulnerability in dependency graphs if long bug summaries are wrapped r/a=dkl --- showdependencygraph.cgi | 3 +++ 1 file changed, 3 insertions(+) diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi index 476df1e8e..6d4cb1e71 100755 --- a/showdependencygraph.cgi +++ b/showdependencygraph.cgi 
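Review bot: The new guard `if ($field =~ /(\d+)$/)` keeps `\d`, although this commit replaces `\d+` with `[0-9]+` at the other validation sites, and `$comment_id` goes straight into the parameter name `isprivate_$comment_id` and into the `%is_private` key. Use `if ($field =~ /([0-9]+)\z/) {` so that only ASCII digits at the true end of the name are accepted. The `grep(/^defined_isprivate/, ...)` filter checks the prefix only; if the field names have the form `defined_isprivate_<id>` (not confirmed by the hunk), matching the whole name with one anchored pattern would be tighter.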
@@ -198,6 +198,9 @@ foreach my $k (@bug_ids) { utf8::encode($summary) if utf8::is_utf8($summary); } $summary =~ s/([\\\"])/\\$1/g; + # Newlines must be escaped too, to not break the .map file + # and to prevent code injection. + $summary =~ s/\n/\\n/g; push(@params, qq{label="$k\\n$summary"}); } -- cgit v1.2.1 From 6e0182e55396213869186764abb1620dcbf307f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Sat, 19 Mar 2016 17:33:48 +0100 Subject: Bug 1230932: Providing a condition as an ID to the webservice results in a taint error r/a=dkl --- Bugzilla/WebService/Bug.pm | 4 ++++ Bugzilla/WebService/Constants.pm | 2 ++ Bugzilla/WebService/Util.pm | 12 +++++++++--- template/en/default/global/code-error.html.tmpl | 8 ++++++++ 4 files changed, 23 insertions(+), 3 deletions(-) diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm index c99651201..b07d3cb01 100644 --- a/Bugzilla/WebService/Bug.pm +++ b/Bugzilla/WebService/Bug.pm @@ -1133,6 +1133,10 @@ sub update_comment_tags { { function => 'Bug.update_comment_tags', param => 'comment_id' }); + ThrowCodeError('param_integer_required', { function => 'Bug.update_comment_tags', + param => 'comment_id' }) + unless $comment_id =~ /^[0-9]+$/; + my $comment = Bugzilla::Comment->new($comment_id) || return []; $comment->bug->check_is_visible(); diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm index 0bdd3517e..557a996f8 100644 --- a/Bugzilla/WebService/Constants.pm +++ b/Bugzilla/WebService/Constants.pm @@ -67,6 +67,8 @@ use constant WS_ERROR_CODE => { number_too_large => 54, number_too_small => 55, illegal_date => 56, + param_integer_required => 57, + param_scalar_array_required => 58, # Bug errors usually occupy the 100-200 range. improper_bug_id_field_value => 100, bug_id_does_not_exist => 101, diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm index 26a6ebbb0..a879c0e0d 100644 --- a/Bugzilla/WebService/Util.pm 
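Review bot: The added `$summary =~ s/\n/\\n/g;` covers LF only, so a bare carriage return in a summary would still reach the `label="..."` attribute unescaped. Whether such a character can be present depends on how summaries are stored and wrapped, which the hunk does not show, so treat this as hardening: `$summary =~ s/\r\n?|\n/\\n/g;`. Keep it after the backslash and quote escaping on the previous line, as now, so that the inserted backslash is not escaped a second time. The enclosing `foreach` starts outside the hunk.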
+++ b/Bugzilla/WebService/Util.pm @@ -16,6 +16,7 @@ use Bugzilla::FlagType; use Bugzilla::Error; use Storable qw(dclone); +use List::MoreUtils qw(any none); use parent qw(Exporter); @@ -220,14 +221,19 @@ sub validate { # $params should be. return ($self, undef) if (defined $params and !ref $params); + my @id_params = qw(ids comment_ids); # If @keys is not empty then we convert any named # parameters that have scalar values to arrayrefs # that match. foreach my $key (@keys) { if (exists $params->{$key}) { - $params->{$key} = ref $params->{$key} - ? $params->{$key} - : [ $params->{$key} ]; + $params->{$key} = [ $params->{$key} ] unless ref $params->{$key}; + + if (any { $key eq $_ } @id_params) { + my $ids = $params->{$key}; + ThrowCodeError('param_scalar_array_required', { param => $key }) + unless ref($ids) eq 'ARRAY' && none { ref $_ } @$ids; + } } } diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl index 63f3ae9d9..830a7e7f6 100644 --- a/template/en/default/global/code-error.html.tmpl +++ b/template/en/default/global/code-error.html.tmpl @@ -290,6 +290,14 @@ a [% param FILTER html %] argument, and that argument was not set. + [% ELSIF error == "param_integer_required" %] + The function [% function FILTER html %] requires + that [% param FILTER html %] be an integer. + + [% ELSIF error == "param_scalar_array_required" %] + The [% param FILTER html %] parameter must be an array of scalars + (integers and/or strings). + [% ELSIF error == "params_required" %] [% title = "Missing Parameter" %] The function [% function FILTER html %] requires -- cgit v1.2.1 From 6896e0469c6d9fd22252e2959da8bacb5ca99aa9 Mon Sep 17 00:00:00 2001 
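Review bot: The new check in `validate` is fail-open: it runs only for keys literally named in `@id_params` (`ids`, `comment_ids`) and only when the calling method lists that key in `@keys`, so an ID parameter under any other name still accepts a hash or a nested array. The `comment_id` parameter of `Bug.update_comment_tags` gets its own separate check in this commit, which shows the list has to be maintained by hand. Consider a comment at the list, e.g. `# Every WebService parameter that carries object IDs must be listed here; unlisted keys are not checked for nested references.` Note also that `none { ref $_ } @$ids` lets `undef` elements through, so callers still need to validate each element. `validate` begins and ends outside the hunk.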
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Mon, 21 Mar 2016 23:18:07 +0100 Subject: Bug 1255619: CGI scripts should not send duplicated headers r/a=dkl --- Bugzilla/CGI.pm | 5 +++-- editclassifications.cgi | 2 -- editgroups.cgi | 18 ++++-------------- editkeywords.cgi | 18 ------------------ 4 files changed, 7 insertions(+), 36 deletions(-) diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 0b8a48697..44c089a20 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -66,7 +66,7 @@ sub new { # else we will be redirected outside Bugzilla. my $script_name = $self->script_name; $path_info =~ s/^\Q$script_name\E//; - if ($path_info) { + if ($script_name && $path_info) { print $self->redirect($self->url(-path => 0, -query => 1)); } } @@ -283,7 +283,7 @@ sub close_standby_message { print $self->multipart_end(); print $self->multipart_start(-type => $contenttype); } - else { + elsif (!$self->{_header_done}) { print $self->header($contenttype); } } @@ -356,6 +356,7 @@ sub header { Bugzilla::Hook::process('cgi_headers', { cgi => $self, headers => \%headers } ); + $self->{_header_done} = 1; return $self->SUPER::header(%headers) || ""; } diff --git a/editclassifications.cgi b/editclassifications.cgi index ea4b139da..640b8b8cd 100755 --- a/editclassifications.cgi +++ b/editclassifications.cgi @@ -27,7 +27,6 @@ local our $vars = {}; sub LoadTemplate { my $action = shift; - my $cgi = Bugzilla->cgi; my $template = Bugzilla->template; $vars->{'classifications'} = [Bugzilla::Classification->get_all] @@ -38,7 +37,6 @@ sub LoadTemplate { $action =~ /(\w+)/; $action = $1; - print $cgi->header(); $template->process("admin/classifications/$action.html.tmpl", $vars) || ThrowTemplateError($template->error()); exit; diff --git a/editgroups.cgi b/editgroups.cgi index 35989b954..f2c915556 100755 --- a/editgroups.cgi +++ b/editgroups.cgi 
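Review bot: `$self->{_header_done} = 1;` in `header` records that the header string was built, not that it was sent, because `header` only returns the string and the caller does the `print`. A caller that builds headers without printing them would make `close_standby_message` skip its own `print $self->header($contenttype)` and emit a body with no headers. Nothing visible resets the flag either, so this relies on a fresh CGI object per request, which is presumably the case but is not shown here. A comment on the assignment would make the contract explicit, e.g. `# Set when headers are generated; callers are expected to print the result immediately.`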
@@ -135,8 +135,7 @@ sub get_current_and_available { unless ($action) { my @groups = Bugzilla::Group->get_all; $vars->{'groups'} = \@groups; - - print $cgi->header(); + $template->process("admin/groups/list.html.tmpl", $vars) || ThrowTemplateError($template->error()); exit; @@ -155,12 +154,10 @@ if ($action eq 'changeform') { get_current_and_available($group, $vars); $vars->{'group'} = $group; - $vars->{'token'} = issue_session_token('edit_group'); + $vars->{'token'} = issue_session_token('edit_group'); - print $cgi->header(); $template->process("admin/groups/edit.html.tmpl", $vars) || ThrowTemplateError($template->error()); - exit; } @@ -172,10 +169,9 @@ if ($action eq 'changeform') { if ($action eq 'add') { $vars->{'token'} = issue_session_token('add_group'); - print $cgi->header(); + $template->process("admin/groups/create.html.tmpl", $vars) || ThrowTemplateError($template->error()); - exit; } @@ -204,7 +200,6 @@ if ($action eq 'new') { get_current_and_available($group, $vars); $vars->{'token'} = issue_session_token('edit_group'); - print $cgi->header(); $template->process("admin/groups/edit.html.tmpl", $vars) || ThrowTemplateError($template->error()); exit; @@ -228,10 +223,8 @@ if ($action eq 'del') { $vars->{'group'} = $group; $vars->{'token'} = issue_session_token('delete_group'); - print $cgi->header(); $template->process("admin/groups/delete.html.tmpl", $vars) || ThrowTemplateError($template->error()); - exit; } @@ -255,7 +248,6 @@ if ($action eq 'delete') { $vars->{'message'} = 'group_deleted'; $vars->{'groups'} = [Bugzilla::Group->get_all]; - print $cgi->header(); $template->process("admin/groups/list.html.tmpl", $vars) || ThrowTemplateError($template->error()); exit; @@ -277,7 +269,6 @@ if ($action eq 'postchanges') { $vars->{'changes'} = $changes; $vars->{'token'} = issue_session_token('edit_group'); - print $cgi->header(); $template->process("admin/groups/edit.html.tmpl", $vars) || ThrowTemplateError($template->error()); exit; 
@@ -288,6 +279,7 @@ if ($action eq 'confirm_remove') { $vars->{'group'} = $group; $vars->{'regexp'} = CheckGroupRegexp($cgi->param('regexp')); $vars->{'token'} = issue_session_token('remove_group_members'); + $template->process('admin/groups/confirm-remove.html.tmpl', $vars) || ThrowTemplateError($template->error()); exit; @@ -326,10 +318,8 @@ if ($action eq 'remove_regexp') { $vars->{'group'} = $group->name; $vars->{'groups'} = [Bugzilla::Group->get_all]; - print $cgi->header(); $template->process("admin/groups/list.html.tmpl", $vars) || ThrowTemplateError($template->error()); - exit; } diff --git a/editkeywords.cgi b/editkeywords.cgi index 41496f362..01f30dbed 100755 --- a/editkeywords.cgi +++ b/editkeywords.cgi @@ -24,10 +24,6 @@ my $dbh = Bugzilla->dbh; my $template = Bugzilla->template; my $vars = {}; -# -# Preliminary checks: -# - my $user = Bugzilla->login(LOGIN_REQUIRED); print $cgi->header(); @@ -47,22 +43,16 @@ $vars->{'action'} = $action; if ($action eq "") { $vars->{'keywords'} = Bugzilla::Keyword->get_all_with_bug_count(); - print $cgi->header(); $template->process("admin/keywords/list.html.tmpl", $vars) || ThrowTemplateError($template->error()); - exit; } - if ($action eq 'add') { $vars->{'token'} = issue_session_token('add_keyword'); - print $cgi->header(); - $template->process("admin/keywords/create.html.tmpl", $vars) || ThrowTemplateError($template->error()); - exit; } @@ -79,8 +69,6 @@ if ($action eq 'new') { delete_token($token); - print $cgi->header(); - $vars->{'message'} = 'keyword_created'; $vars->{'name'} = $keyword->name; $vars->{'keywords'} = Bugzilla::Keyword->get_all_with_bug_count(); @@ -104,7 +92,6 @@ if ($action eq 'edit') { $vars->{'keyword'} = $keyword; $vars->{'token'} = issue_session_token('edit_keyword'); - print $cgi->header(); $template->process("admin/keywords/edit.html.tmpl", $vars) || ThrowTemplateError($template->error()); exit; 
@@ -128,8 +115,6 @@ if ($action eq 'update') { delete_token($token); - print $cgi->header(); - $vars->{'message'} = 'keyword_updated'; $vars->{'keyword'} = $keyword; $vars->{'changes'} = $changes; @@ -147,7 +132,6 @@ if ($action eq 'del') { $vars->{'keyword'} = $keyword; $vars->{'token'} = issue_session_token('delete_keyword'); - print $cgi->header(); $template->process("admin/keywords/confirm-delete.html.tmpl", $vars) || ThrowTemplateError($template->error()); exit; @@ -162,8 +146,6 @@ if ($action eq 'delete') { delete_token($token); - print $cgi->header(); - $vars->{'message'} = 'keyword_deleted'; $vars->{'keyword'} = $keyword; $vars->{'keywords'} = Bugzilla::Keyword->get_all_with_bug_count(); -- cgit v1.2.1 From 28ec15f1723f6d0c9bcceef8f86aa16a68b5fd93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Sun, 27 Mar 2016 00:31:42 +0100 Subject: Bug 987742 (part 2): correctly detaint $ENV{PATH} on Strawberry Perl --- Bugzilla.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/Bugzilla.pm b/Bugzilla.pm index 9cb15a7ee..e4772e08b 100644 --- a/Bugzilla.pm +++ b/Bugzilla.pm @@ -96,6 +96,7 @@ sub init_page { my $c_path = $path = dirname($^X); $c_path =~ s/\bperl\b(?=\\bin)/c/; $path .= ";$c_path"; + trick_taint($path); } } # Some environment variables are not taint safe -- cgit v1.2.1 From 89fbc61fe0d163a51d5dab65022bdfdd997157ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Fri, 1 Apr 2016 22:01:20 +0200 Subject: Bug 1200010: The Quick Start doc should stop assuming Bugzilla is your single application r=gerv --- docs/en/rst/installing/quick-start.rst | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/docs/en/rst/installing/quick-start.rst b/docs/en/rst/installing/quick-start.rst index c2da8da23..64a88e55b 100644 --- a/docs/en/rst/installing/quick-start.rst +++ b/docs/en/rst/installing/quick-start.rst 
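Review bot: `trick_taint($path)` in `init_page` untaints without validating anything, so it is safe only as long as `$path` is assembled purely from `dirname($^X)`, as in the lines just above it, and never from the inherited `$ENV{PATH}` or from request data. The start of this block is outside the hunk, so that cannot be confirmed from here. Please state the assumption next to the call, e.g. `# $path is derived only from the location of the running perl binary ($^X), so blind detainting is acceptable.`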
@@ -5,8 +5,8 @@ Quick Start (Ubuntu Linux 14.04) This quick start guide makes installing Bugzilla as simple as possible for those who are able to choose their environment. It creates a system using -Ubuntu Linux 14.04 LTS, Apache and MySQL, and installs Bugzilla as the default -home page. It requires a little familiarity with Linux and the command line. +Ubuntu Linux 14.04 LTS, Apache and MySQL. It requires a little familiarity +with Linux and the command line. Obtain Your Hardware ==================== @@ -62,17 +62,13 @@ Download Bugzilla Get it from our Git repository: -:command:`cd /var/www` - -:command:`rm -rf html` +:command:`cd /var/www/html` -:command:`git clone --branch release-X.X-stable https://git.mozilla.org/bugzilla/bugzilla html` +:command:`git clone --branch release-X.X-stable https://git.mozilla.org/bugzilla/bugzilla bugzilla` (where "X.X" is the 2-digit version number of the stable release of Bugzilla -that you want - e.g. 4.4) +that you want - e.g. 5.0) -:command:`cd html` - Configure MySQL =============== @@ -113,7 +109,7 @@ Paste in the following and save: ServerName localhost - + AddHandler cgi-script .cgi Options +ExecCGI DirectoryIndex index.cgi index.html @@ -135,7 +131,7 @@ generates a config file (called :file:`localconfig`) for the database access information, and the second time (step 10) it uses the info you put in the config file to set up the database. -:command:`cd /var/www/html` +:command:`cd /var/www/html/bugzilla` :command:`./checksetup.pl` @@ -164,7 +160,7 @@ Write down the email address and password you set. Test Server =========== -:command:`./testserver.pl http://localhost/` +:command:`./testserver.pl http://localhost/bugzilla` All the tests should pass. You will get warnings about deprecation from the ``Chart::Base`` Perl module; just ignore those. 
@@ -178,7 +174,7 @@ Access Via Web Browser Access the front page: -:command:`lynx http://localhost/` +:command:`lynx http://localhost/bugzilla` It's not really possible to use Bugzilla for real through Lynx, but you can view the front page to validate visually that it's up and running. @@ -186,8 +182,8 @@ can view the front page to validate visually that it's up and running. You might well need to configure your DNS such that the server has, and is reachable by, a name rather than IP address. Doing so is out of scope of this document. In the mean time, it is available on your local network -at ``http:///``, where ```` is (unless you have -a complex network setup) the "inet addr" value displayed when you run +at ``http:///bugzilla``, where ```` is (unless you +have a complex network setup) the "inet addr" value displayed when you run :command:`ifconfig eth0`. Configure Bugzilla @@ -201,7 +197,7 @@ Click the :guilabel:`Parameters` link on the page it gives you, and set the following parameters in the :guilabel:`Required Settings` section: * :param:`urlbase`: - :paramval:`http:///` or :paramval:`http:///` + :paramval:`http:///bugzilla/` or :paramval:`http:///bugzilla/` Click :guilabel:`Save Changes` at the bottom of the page. -- cgit v1.2.1 From 97a24182d168363860dc153771e0b93f9520036d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Fri, 1 Apr 2016 23:33:04 +0200 Subject: Bug 1260027: Document how to compile the documentation on Windows r=gerv --- .../installing/optional-post-install-config.rst | 42 ++++++++++++++++------ docs/en/rst/installing/windows.rst | 2 +- 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/docs/en/rst/installing/optional-post-install-config.rst b/docs/en/rst/installing/optional-post-install-config.rst index 91d5245d1..accc48888 100644 --- a/docs/en/rst/installing/optional-post-install-config.rst +++ b/docs/en/rst/installing/optional-post-install-config.rst 
@@ -115,7 +115,7 @@ Dependency Graphs ================= Bugzilla can draw graphs of the dependencies (depends on/blocks relationships) -between bugs, if you install a package called :file:`dot`. +between bugs, if you install a package called :file:`graphviz`. Linux ----- @@ -129,8 +129,7 @@ Windows Download and install Graphviz from `the Graphviz website `_. Put the complete path to :file:`dot.exe` in the :param:`webdotbase` parameter, -using forward slashes as path separators. E.g. -:paramval:`C:/Program Files/ATT/Graphviz/bin/dot.exe`. +e.g. :paramval:`C:\\Program Files (x86)\\Graphviz2.38\\bin\\dot.exe`. Documentation ============= 
@@ -139,16 +138,37 @@ Bugzilla has extensive documentation and help, written in `reStructured Text `_ format. A generic compiled copy exists on `bugzilla.readthedocs.org `_, and -:guilabel:`Help` links point to it by default. If you want to build and use a -local copy of the documentation, perhaps because you have added Bugzilla +:guilabel:`Help` links point to it by default. You can also build and use +a local copy of the documentation, for instance because you have added Bugzilla extensions which come with documentation, or because your users don't have -Internet access from their machines, then: - -* Install `Sphinx `_ - (:file:`python-sphinx` package on Debian/Ubuntu) - -Then run :command:`docs/makedocs.pl` in your Bugzilla directory. +Internet access from their machines. Bugzilla will automatically detect that you've compiled the documentation and link to it in preference to the copy on the Internet. Don't forget to recompile it when you upgrade Bugzilla or install new extensions. + +Linux +----- + +* Install `Sphinx `_. Most Linux distros have it in + a package named :file:`python-sphinx`. + +* Then go to your Bugzilla directory and run: + + :command:`docs/makedocs.pl` + +Windows +------- + +* Download and install `Python `_. + Both Python 2.7 and 3.x will work. Adding :file:`python` to the :param:`PATH` + environment variable, as suggested by the Python installer, will make your + life easier. + +* Install `Sphinx `_. Run :command:`cmd.exe` and type: + + :command:`pip install sphinx` + +* Then go to your :file:`C:\\bugzilla\\docs` directory and run: + + :command:`makedocs.pl` diff --git a/docs/en/rst/installing/windows.rst b/docs/en/rst/installing/windows.rst index ef1a1f6f4..adc1728c6 100644 --- a/docs/en/rst/installing/windows.rst +++ b/docs/en/rst/installing/windows.rst 
@@ -89,6 +89,7 @@ Install the following mandatory modules with: * JSON-XS * Win32 * Win32-API +* DateTime-TimeZone-Local-Win32 The following modules enable various optional Bugzilla features; try and install them, but don't worry too much to begin with if you can't get them @@ -125,7 +126,6 @@ installed: * IO-stringy * Cache-Memcached * File-Copy-Recursive -* GraphViz If you are using Strawberry Perl, you should use the :file:`install-module.pl` script to install modules, which is the same script used for Linux. Some of -- cgit v1.2.1 From aa5f64e15b5db9ef728032b21a3d85835bec0598 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Tue, 5 Apr 2016 17:22:25 +0200 Subject: Bug 1261124: When deleting a component, this component is listed again r/a=dkl --- Bugzilla/Component.pm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Bugzilla/Component.pm b/Bugzilla/Component.pm index 9bc0a4493..d5a6ece5d 100644 --- a/Bugzilla/Component.pm +++ b/Bugzilla/Component.pm @@ -148,7 +148,8 @@ sub remove_from_db { $dbh->bz_start_transaction(); # Products must have at least one component. - if (scalar(@{$self->product->components}) == 1) { + my @components = @{ $self->product->components }; + if (scalar(@components) == 1) { ThrowUserError('component_is_last', { comp => $self }); } @@ -165,6 +166,8 @@ sub remove_from_db { ThrowUserError('component_has_bugs', {nb => $self->bug_count}); } } + # Update the list of components in the product object. + $self->product->{components} = [grep { $_->id != $self->id } @components]; $self->SUPER::remove_from_db(); $dbh->bz_commit_transaction(); -- cgit v1.2.1 From 652ee91875d03c2f9f63d004698e58b450e90186 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Wed, 6 Apr 2016 01:54:54 +0200 Subject: Bug 1246228 - Email addresses must not be encoded r/a=dkl --- Bugzilla/MIME.pm | 17 +++-------------- attachment.cgi | 1 + 2 files changed, 4 insertions(+), 14 deletions(-) 
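Review bot: In `remove_from_db` of Bugzilla/Component.pm the cached list `$self->product->{components}` is rewritten before `$self->SUPER::remove_from_db()` and `$dbh->bz_commit_transaction()` run, so if either of them throws, the product object no longer lists a component that still exists in the database. Moving the assignment to after `bz_commit_transaction()` keeps the cache and the database in step. The assignment also writes into the product object's hash directly rather than through an accessor; a short comment saying that this is the cache read by `components` would help the next reader. The function starts outside the hunk.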
diff --git a/Bugzilla/MIME.pm b/Bugzilla/MIME.pm index 7b5843a78..8c6c141bb 100644 --- a/Bugzilla/MIME.pm +++ b/Bugzilla/MIME.pm @@ -13,9 +13,6 @@ use warnings; use parent qw(Email::MIME); -use Encode qw(encode); -use Encode::MIME::Header; - sub new { my ($class, $msg) = @_; state $use_utf8 = Bugzilla->params->{'utf8'}; @@ -79,20 +76,12 @@ sub as_string { # MIME-Version must be set otherwise some mailsystems ignore the charset $self->header_set('MIME-Version', '1.0') if !$self->header('MIME-Version'); - # Encode the headers correctly in quoted-printable + # Encode the headers correctly. foreach my $header ($self->header_names) { my @values = $self->header($header); - # We don't recode headers that happen multiple times. - next if scalar(@values) > 1; - if (my $value = $values[0]) { - utf8::decode($value) unless $use_utf8 && utf8::is_utf8($value); - - # avoid excessive line wrapping done by Encode. - local $Encode::Encoding{'MIME-Q'}->{'bpl'} = 998; + map { utf8::decode($_) if defined($_) && !utf8::is_utf8($_) } @values; - my $encoded = encode('MIME-Q', $value); - $self->header_set($header, $encoded); - } + $self->header_str_set($header, @values); } # Ensure the character-set and encoding is set correctly on single part diff --git a/attachment.cgi b/attachment.cgi index 5db8f5909..40b0c9d3a 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -26,6 +26,7 @@ use Bugzilla::Attachment::PatchReader; use Bugzilla::Token; use Encode qw(encode find_encoding); +use Encode::MIME::Header; # Required to alter Encode::Encoding{'MIME-Q'}. # For most scripts we don't make $cgi and $template global variables. But # when preparing Bugzilla for mod_perl, this script used these -- cgit v1.2.1 From 9ad3cf5bfc73bd34b0ce309e45d9703691376748 Mon Sep 17 00:00:00 2001 
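Review bot: In `as_string`, `map { utf8::decode($_) if defined($_) && !utf8::is_utf8($_) } @values;` uses `map` in void context purely for its side effect; a `for` loop states the intent, e.g. `for my $value (@values) { utf8::decode($value) if defined $value && !utf8::is_utf8($value); }`. The `defined` guard implies a value may be undefined, yet `$self->header_str_set($header, @values)` still receives it unchanged, so either filter those out or note why that is acceptable. The loop now also rewrites headers that occur several times, since the old `next if scalar(@values) > 1` is gone; a one-line comment saying this is intended would help.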
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Sat, 9 Apr 2016 01:33:30 +0200 Subject: Bug 1204957 - Locally compiled POD documentation is no longer accessible from docs/en/html/api/ r=dkl --- docs/en/rst/api/index.rst | 3 ++- docs/en/rst/conf.py | 11 ++++++++++- docs/en/rst/integrating/apis.rst | 13 +++++++++---- docs/makedocs.pl | 10 ++++------ 4 files changed, 25 insertions(+), 12 deletions(-) diff --git a/docs/en/rst/api/index.rst b/docs/en/rst/api/index.rst index 45055eba1..840bcadd1 100644 --- a/docs/en/rst/api/index.rst +++ b/docs/en/rst/api/index.rst @@ -4,7 +4,8 @@ WebService API Reference ======================== This Bugzilla installation has the following WebService APIs available -(as of the last time you compiled the documentation): +(as of the last time you compiled the documentation). Documentation for +the deprecated :ref:`XML-RPC and JSON-RPC APIs ` is also available. .. toctree:: :glob: diff --git a/docs/en/rst/conf.py b/docs/en/rst/conf.py index 3330ca76d..87109da84 100644 --- a/docs/en/rst/conf.py +++ b/docs/en/rst/conf.py @@ -383,4 +383,13 @@ pdf_fit_background_mode = 'scale' # Temporary highlighting of TODO items todo_include_todos = False -extlinks = {'bug': ('https://bugzilla.mozilla.org/show_bug.cgi?id=%s', 'bug ')} +# The readthedocs.org website cannot access POD. +on_rtd = os.environ.get('READTHEDOCS', None) == 'True' + +if on_rtd: + base_api_url = 'https://www.bugzilla.org/docs/tip/en/html/api/' +else: + base_api_url = '../integrating/api/' + +extlinks = {'bug': ('https://bugzilla.mozilla.org/show_bug.cgi?id=%s', 'bug '), + 'api': (base_api_url + '%s', '')} diff --git a/docs/en/rst/integrating/apis.rst b/docs/en/rst/integrating/apis.rst index 6067c12df..54ee3273a 100644 --- a/docs/en/rst/integrating/apis.rst +++ b/docs/en/rst/integrating/apis.rst 
@@ -12,6 +12,13 @@ coming soon. The APIs currently available are as follows: +Core Module API +=============== + +Most of the core Bugzilla modules have extensive documentation inside the modules +themselves. You can view the :api:`POD documentation ` to help with +using the core modules in your extensions. + Ad-Hoc APIs =========== @@ -23,8 +30,7 @@ to alternate data formats where they are available. XML-RPC ======= -Bugzilla has an `XML-RPC API -`_. +Bugzilla has an :api:`XML-RPC API `. This will receive no further updates and will be removed in a future version of Bugzilla. @@ -33,8 +39,7 @@ Endpoint: :file:`/xmlrpc.cgi` JSON-RPC ======== -Bugzilla has a `JSON-RPC API -`_. +Bugzilla has a :api:`JSON-RPC API `. This will receive no further updates and will be removed in a future version of Bugzilla. diff --git a/docs/makedocs.pl b/docs/makedocs.pl index 6f353dc6d..36ffc45b5 100755 --- a/docs/makedocs.pl +++ b/docs/makedocs.pl @@ -35,7 +35,7 @@ use lib qw(.. ../lib lib); use Cwd; use File::Copy::Recursive qw(rcopy); use File::Find; -use File::Path qw(rmtree); +use File::Path qw(rmtree make_path); use File::Which qw(which); use Pod::Simple; @@ -52,7 +52,6 @@ sub MakeDocs { my ($name, $cmdline) = @_; say "Creating $name documentation ..." if defined $name; - say "make $cmdline\n"; system('make', $cmdline) == 0 or $error_found = 1; print "\n"; @@ -83,12 +82,11 @@ END_HTML $converter->contents_page_start($contents_start); $converter->contents_page_end(""); - $converter->add_css('./../../../style.css'); + $converter->add_css('./../../../../style.css'); $converter->javascript_flurry(0); $converter->css_flurry(0); - mkdir("html"); - mkdir("html/api"); - $converter->batch_convert(['../../'], 'html/api/'); + make_path('html/integrating/api'); + $converter->batch_convert(['../../'], 'html/integrating/api'); print "\n"; } -- cgit v1.2.1 From 1317a1b6e6e4c87aaea84abd44ad332c18c0df0c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Sat, 9 Apr 2016 18:06:21 +0200 Subject: Fix an incorrect URL in the documentation --- docs/en/rst/conf.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/rst/conf.py b/docs/en/rst/conf.py index 87109da84..a758fd248 100644 --- a/docs/en/rst/conf.py +++ b/docs/en/rst/conf.py @@ -387,7 +387,7 @@ todo_include_todos = False on_rtd = os.environ.get('READTHEDOCS', None) == 'True' if on_rtd: - base_api_url = 'https://www.bugzilla.org/docs/tip/en/html/api/' + base_api_url = 'https://www.bugzilla.org/docs/5.0/en/html/api/' else: base_api_url = '../integrating/api/' -- cgit v1.2.1 From 7b39cc65c1569f0c6d60432bbf9ff63440696c39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Sun, 10 Apr 2016 02:12:18 +0200 Subject: Email::MIME::Attachment::Stripper is no longer used, see bug 437076 --- docs/en/rst/installing/linux.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/en/rst/installing/linux.rst b/docs/en/rst/installing/linux.rst index ff4258e6a..22d0bf735 100644 --- a/docs/en/rst/installing/linux.rst +++ b/docs/en/rst/installing/linux.rst @@ -48,8 +48,7 @@ graphviz patchutils gcc 'perl(Apache2::SizeLimit)' 'perl(Authen::Radius)' 'perl(Authen::SASL)' 'perl(Cache::Memcached)' 'perl(CGI)' 'perl(Chart::Lines)' 'perl(Daemon::Generic)' 'perl(Date::Format)' 'perl(DateTime)' 'perl(DateTime::TimeZone)' 'perl(DBI)' 'perl(Digest::SHA)' 'perl(Email::MIME)' -'perl(Email::MIME::Attachment::Stripper)' 'perl(Email::Reply)' -'perl(Email::Sender)' 'perl(Encode)' 'perl(Encode::Detect)' +'perl(Email::Reply)' 'perl(Email::Sender)' 'perl(Encode)' 'perl(Encode::Detect)' 'perl(File::MimeInfo::Magic)' 'perl(File::Slurp)' 'perl(GD)' 'perl(GD::Graph)' 'perl(GD::Text)' 'perl(HTML::FormatText::WithLinks)' 'perl(HTML::Parser)' 'perl(HTML::Scrubber)' 'perl(IO::Scalar)' 'perl(JSON::RPC)' 'perl(JSON::XS)' -- cgit v1.2.1 
From a868b88d147f14c2135beb53b82babbc4c46635f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Fri, 15 Apr 2016 21:30:36 +0200 Subject: Bug 1232171 - 'make clean' shouldn't delete rst/, images/ and Makefile, only generated files r=gerv --- docs/en/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/Makefile b/docs/en/Makefile index fc9af11e0..8c3621f31 100644 --- a/docs/en/Makefile +++ b/docs/en/Makefile @@ -39,7 +39,7 @@ help: @echo " doctest to run all doctests embedded in the documentation (if enabled)" clean: - -rm -rf $(BUILDDIR)/* + find $(BUILDDIR) -maxdepth 1 -type d -not -name rst -not -name images -not -name . -exec rm -rf {} \; html: $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html -- cgit v1.2.1 From ea0c5024c1701f6dfdc77c9161d9c0ff2f6c4bde Mon Sep 17 00:00:00 2001 From: Albert Ting Date: Wed, 20 Apr 2016 01:50:44 +0000 Subject: Bug 542239 - Accept pronouns everywhere in query.cgi r=dkl,a=dkl --- Bugzilla/Search.pm | 3 ++- template/en/default/search/form.html.tmpl | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm index 0785a7e67..646f949f5 100644 --- a/Bugzilla/Search.pm +++ b/Bugzilla/Search.pm @@ -1628,7 +1628,8 @@ sub _special_parse_email { my $email = trim($params->{"email$id"}); next if !$email; my $type = $params->{"emailtype$id"} || 'anyexact'; - $type = "anyexact" if $type eq "exact"; + # for backward compatibility + $type = "equals" if $type eq "exact"; my $or_clause = new Bugzilla::Search::Clause('OR'); foreach my $field (qw(assigned_to reporter cc qa_contact)) { diff --git a/template/en/default/search/form.html.tmpl b/template/en/default/search/form.html.tmpl index 0420811ee..ac8aeaf61 100644 --- a/template/en/default/search/form.html.tmpl +++ b/template/en/default/search/form.html.tmpl 
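Review bot: The new `clean` recipe does not exclude find's own starting point: `-not -name .` protects it only when BUILDDIR is literally `.`, so with any other value (the definition is outside the hunk) `$(BUILDDIR)` itself matches `-type d` and `rm -rf` removes the whole tree, rst/ and images/ included. Adding `-mindepth 1` makes the recipe independent of the variable: `find $(BUILDDIR) -mindepth 1 -maxdepth 1 -type d -not -name rst -not -name images -exec rm -rf {} +`. Because of `-type d`, generated plain files directly under BUILDDIR are no longer removed, and without the leading `-` a failing find now aborts `make clean`; both may be intended but should be stated in a comment above the recipe.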
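Review bot: The comment `# for backward compatibility` in _special_parse_email does not say what is being kept compatible; the form.html.tmpl hunk of this commit stops offering `exact`, so presumably only old saved searches and bookmarked URLs still send it. Say so in the comment, e.g. `# Old saved searches and URLs still pass emailtype=exact; treat it as "equals".` Before this change `exact` was mapped to `anyexact`, so such queries may now match differently if the two operators treat the value differently (a comma-separated list, for instance); that is not visible here and should be checked. The function starts above the hunk and continues below it.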
@@ -247,7 +247,7 @@ TUI_hide_default('information_query'); [% FOREACH qv = [ { name => "substring", description => "contains" }, { name => "notsubstring", description => "doesn't contain" }, - { name => "exact", description => "is" }, + { name => "equals", description => "is" }, { name => "notequals", description => "is not" }, { name => "regexp", description => "matches regexp" }, { name => "notregexp", description => "doesn't match regexp" } ] %] -- cgit v1.2.1 From 8b0d558c0a41a25eb4b8047fb20d760cb2dc22dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Mon, 25 Apr 2016 23:39:02 +0200 Subject: Bug 1259881 - CSV export vulnerable to formulae injection (again) r=sgreen a=dkl --- Bugzilla/Template.pm | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 8104f6f1f..41b9265c6 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -865,12 +865,13 @@ sub create { }, # In CSV, quotes are doubled, and any value containing a quote or a - # comma is enclosed in quotes. If a field starts with an equals - # sign, it is proceed by a space. + # comma is enclosed in quotes. + # If a field starts with either "=", "+", "-" or "@", it is preceded + # by a space to prevent stupid formula execution from Excel & co. csv => sub { my ($var) = @_; - $var = ' ' . $var if substr($var, 0, 1) eq '='; + $var = ' ' . $var if $var =~ /^[+=@-]/; # backslash is not special to CSV, but it can be used to confuse some browsers... # so we do not allow it to happen. We only do this for logged-in users. $var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id; -- cgit v1.2.1 From 6c705e8c42e723e39037037ddd4617b072143eb5 Mon Sep 17 00:00:00 2001 
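Review bot: The new check `$var =~ /^[+=@-]/` in the csv filter looks only at the very first character, so a value whose formula character follows a leading tab or carriage return is left unprefixed; OWASP's CSV-injection guidance lists both as characters a cell should not start with. Consider `$var = ' ' . $var if $var =~ /\A[+=@\t\r-]/;`, and confirm that the spreadsheet applications you care about really treat a leading space as text, since the comment only speaks of "Excel & co.". The enclosing `create` sub starts far above the hunk and the filter body continues below it.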
From: David Lawrence Date: Mon, 2 May 2016 10:30:07 -0400 Subject: Add build.platform = linux64, machine.platform = linux64 to taskgraph.json to remove b2gtest from Treeherder results --- taskgraph.json | 48 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/taskgraph.json b/taskgraph.json index 24476c83d..7433db6f2 100644 --- a/taskgraph.json +++ b/taskgraph.json @@ -32,7 +32,13 @@ }, "extra": { "treeherder": { - "symbol": "San" + "symbol": "San", + "machine": { + "platform": "linux64" + }, + "build": { + "platform": "linux64" + } } } } @@ -63,7 +69,13 @@ }, "extra": { "treeherder": { - "symbol": "Doc" + "symbol": "Doc", + "machine": { + "platform": "linux64" + }, + "build": { + "platform": "linux64" + } } } } @@ -99,7 +111,13 @@ }, "extra": { "treeherder": { - "symbol": "API" + "symbol": "API", + "machine": { + "platform": "linux64" + }, + "build": { + "platform": "linux64" + } } } } @@ -140,7 +158,13 @@ }, "extra": { "treeherder": { - "symbol": "Sel" + "symbol": "Sel", + "machine": { + "platform": "linux64" + }, + "build": { + "platform": "linux64" + } } } } @@ -176,7 +200,13 @@ }, "extra": { "treeherder": { - "symbol": "API-Pg" + "symbol": "API-Pg", + "machine": { + "platform": "linux64" + }, + "build": { + "platform": "linux64" + } } } } @@ -217,7 +247,13 @@ }, "extra": { "treeherder": { - "symbol": "Sel-Pg" + "symbol": "Sel-Pg", + "machine": { + "platform": "linux64" + }, + "build": { + "platform": "linux64" + } } } } -- cgit v1.2.1 From a59f1e99c2285b2802a3da45658095b121d0f5cb Mon Sep 17 00:00:00 2001 From: Dylan William Hardison Date: Fri, 13 May 2016 13:34:19 -0400 Subject: Bug 1250114 - XSS possible in extensions calling global/tabs.html.tmpl if tab.link is user-controlled --- template/en/default/global/tabs.html.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/template/en/default/global/tabs.html.tmpl b/template/en/default/global/tabs.html.tmpl index 9cf5a897b..511640477 100644 --- a/template/en/default/global/tabs.html.tmpl +++ b/template/en/default/global/tabs.html.tmpl @@ -25,7 +25,7 @@ [% tab.label FILTER html %] [% ELSE %] + onClick="document.location='[% tab.link FILTER js FILTER html %]'"> [% tab.label FILTER html %] [% END %] -- cgit v1.2.1 From 16dd96bdfdadea63e182f0954f06c187cb83e75b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Fri, 13 May 2016 20:37:08 +0200 Subject: Bug 1269388 - Release notes for Bugzilla 5.0.3 r=dkl --- template/en/default/pages/release-notes.html.tmpl | 34 +++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl index 5bd1608d9..358298bc8 100644 --- a/template/en/default/pages/release-notes.html.tmpl +++ b/template/en/default/pages/release-notes.html.tmpl @@ -43,6 +43,40 @@
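Review bot: `FILTER js FILTER html` on the added `onClick` line escapes `tab.link` for a JavaScript string inside an HTML attribute, but it does not constrain the URL scheme, and assigning a `javascript:` URL to `document.location` still runs script. If `tab.link` can be user-controlled, as the commit subject assumes, the template should require a relative or http(s) link, or at least tell extension authors to. A one-line comment above the tag would also help the next reader: `[%# tab.link sits in a JS string inside an attribute: js first, then html %]`. The surrounding markup was lost in this rendering of the hunk, so whether the link is validated elsewhere cannot be seen here.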

Updates in this 5.0.x Release

+

5.0.3

+ +

This release fixes one security issue. See the + Security Advisory + for details.

+ +

This release also contains the following [% terms.bug %] fixes:

+ +
    +
  • A regression in Bugzilla 5.0.2 caused whine.pl to be unable + to send emails due to a missing subroutine. + ([% terms.Bug %] 1235395)
  • +
  • The Encode module changed the way it encodes strings, causing + email addresses in emails sent by [%terms.Bugzilla %] to be encoded, + preventing emails from being correctly delivered to recipients. + We now encode email headers correctly. + ([% terms.Bug %] 1246228)
  • +
  • Fix additional taint issues with Strawberry Perl. + ([% terms.Bug %] 987742 and + [% terms.bug %] 1089448)
  • +
  • When exporting a buglist as a CSV file, fields starting with either + "=", "+", "-" or "@" are preceded by a space to not trigger formula + execution in Excel. + ([% terms.Bug %] 1259881)
  • +
  • An extension which allows user-controlled data to be used as a link in + tabs could trigger XSS if the data is not correctly sanitized. + [%+ terms. Bugzilla %] no longer relies on the extension to do the sanity + check. A vanilla installation is not affected as no tab is user-controlled. + ([% terms.Bug %] 1250114)
  • +
  • Extensions can now easily override the favicon used for the + [%+ terms.Bugzilla %] website. + ([% terms.Bug %] 1250264)
  • +
+

5.0.2

This release fixes two security issues. See the -- cgit v1.2.1