  • New Review Board 1.7.29/2.0.22/2.5.3 security releases

    February 22, 2016

    We have three new major Review Board releases for you today. Each of these has a mixture of bug fixes and feature additions for users, administrators, and extension authors alike. However, they also have security fixes for a vulnerability we discovered with private review requests.

    Security Fixes

    We discovered a vulnerability where a user with access to a review request can craft URLs to view file attachments, legacy screenshots, or metadata on review request updates for review requests that are private (those using invite-only review groups, private repositories, or Local Site server partitioning). This either requires knowledge of the specific database IDs from those review requests, or requires brute-forcing a range of IDs to scan for content.

    If you don't use private review requests on your server, you have nothing to worry about, but we still recommend updating anyway.
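    The class of bug described above is an object-level authorization gap: an attachment is looked up by its database ID, and the lookup never consults the access rules of the review request that owns it. The following is an added example, not Review Board's code. Its models (users, invite-only groups, private repositories, Local Sites, review requests, attachments) and the rules in is_accessible_by are constructed, simplified stand-ins used only to show the vulnerable lookup beside a hardened one that inherits the parent's access check and answers "not found" for both unknown and inaccessible IDs.

```python
"""Object-level access check for file attachment lookups (constructed models)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class NotFound(Exception):
    """Raised for unknown *and* inaccessible IDs alike, so walking a range of
    IDs reveals nothing about which private objects exist."""


@dataclass(frozen=True)
class User:
    username: str
    is_superuser: bool = False


@dataclass
class Group:
    name: str
    invite_only: bool = False
    members: Set[str] = field(default_factory=set)


@dataclass
class Repository:
    name: str
    public: bool = True
    allowed_users: Set[str] = field(default_factory=set)


@dataclass
class LocalSite:
    name: str
    users: Set[str] = field(default_factory=set)


@dataclass
class ReviewRequest:
    id: int
    owner: str
    published: bool = True
    target_groups: List[Group] = field(default_factory=list)
    target_people: Set[str] = field(default_factory=set)
    repository: Optional[Repository] = None
    local_site: Optional[LocalSite] = None

    def is_accessible_by(self, user: User) -> bool:
        """Constructed approximation: Local Site membership, repository
        access, publication state, then invite-only group membership."""
        if user.is_superuser or user.username == self.owner:
            return True
        if self.local_site is not None and user.username not in self.local_site.users:
            return False
        if (self.repository is not None and not self.repository.public
                and user.username not in self.repository.allowed_users):
            return False
        if not self.published:
            return False
        if user.username in self.target_people:
            return True
        if self.target_groups:
            # Visible if any targeted group is open, or the user belongs to
            # one of the invite-only groups; otherwise the request is private.
            return any(not g.invite_only or user.username in g.members
                       for g in self.target_groups)
        return True


@dataclass
class FileAttachment:
    id: int
    review_request_id: int
    filename: str
    content: bytes


# Constructed in-memory tables keyed by primary key (stand-ins for the DB).
SECOPS = Group("secops", invite_only=True, members={"alice"})
REVIEW_REQUESTS: Dict[int, ReviewRequest] = {
    1: ReviewRequest(id=1, owner="alice", target_groups=[SECOPS]),  # private
    2: ReviewRequest(id=2, owner="carol"),                           # open
}
ATTACHMENTS: Dict[int, FileAttachment] = {
    10: FileAttachment(10, 1, "incident-notes.txt", b"restricted notes"),
    11: FileAttachment(11, 2, "README.md", b"public readme"),
}


def fetch_attachment_unchecked(attachment_id: int) -> bytes:
    """Vulnerable pattern: trusts the ID from the URL and never consults the
    owning review request, so anyone who knows the ID gets the file."""
    return ATTACHMENTS[attachment_id].content


def fetch_attachment(user: User, attachment_id: int) -> bytes:
    """Hardened pattern: resolve the parent review request and enforce its
    access rules before returning any bytes. The same check belongs in front
    of screenshots and review-request update metadata."""
    attachment = ATTACHMENTS.get(attachment_id)
    if attachment is None:
        raise NotFound(attachment_id)
    review_request = REVIEW_REQUESTS.get(attachment.review_request_id)
    if review_request is None or not review_request.is_accessible_by(user):
        raise NotFound(attachment_id)
    return attachment.content
```

    The important design choice is that the check lives at the point where the child object is resolved, not only on the review request page: every URL that hands out a child object by ID (attachment, screenshot, update metadata) has to go through it. Collapsing "does not exist" and "not allowed" into one response also means an ID scan cannot distinguish private objects from gaps in the ID space.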

    Also, while not a vulnerability, it's important to note that if you're an extension author writing JavaScript-side extensions, any extension settings are provided client-side to your JavaScript code. We recently learned of a case where this caused some problems, so we've given extension authors more control here. More on that below.

    If you run a public Review Board server, and want to be on a pre-notification list for security vulnerabilities, please contact us.

    New Additions and Fixes

    We've put some small feature additions into 2.0.22 and 2.5.3:

    • Extension authors writing JavaScript-side code can now control what settings data is passed to the client by overriding JSExtension.get_settings. By default, this returns all the extension's settings, but you can return whatever you like here.
    • We've improved error feedback when things go wrong while posting a diff using rbt post.
    • Mobile styles have had some tweaks for better display on certain pages.
    • You can now use memcached servers listening over UNIX sockets.
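    Since every extension setting reaches the browser by default, the first bullet above amounts to an allow-list decision: override get_settings and return only the keys the client-side code actually needs. The following is an added example, not Review Board or Djblets code. JSExtensionBase and Extension are constructed stand-ins for the real base classes so that it runs offline; in a real extension you would subclass reviewboard.extensions.base.JSExtension and override get_settings the same way. The credential-like key pattern and the sample settings are also constructed.

```python
"""Allow-listing the settings a JavaScript-side extension sends to the client."""
import re
from typing import Any, Dict, FrozenSet, List


class Extension:
    """Stand-in for the server-side extension that owns the settings store."""

    def __init__(self, settings: Dict[str, Any]):
        self.settings = settings


class JSExtensionBase:
    """Stand-in mirroring the default described in the release notes:
    every setting is handed to the client."""

    def __init__(self, extension: Extension):
        self.extension = extension

    def get_settings(self) -> Dict[str, Any]:
        return dict(self.extension.settings)


# Keys that look like credentials; a safety net behind the allow-list,
# not a substitute for it.
_SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|api_key|private)", re.I)


class ClientSafeJSExtension(JSExtensionBase):
    """Sends only an explicit allow-list of keys to the browser."""

    client_settings: FrozenSet[str] = frozenset({"highlight_color", "show_badges"})

    def get_settings(self) -> Dict[str, Any]:
        settings = self.extension.settings
        exposed = {k: settings[k] for k in self.client_settings if k in settings}
        # Fail closed if the allow-list itself was edited to include a secret.
        leaked = [k for k in exposed if _SENSITIVE_KEY.search(k)]
        if leaked:
            raise ValueError("refusing to expose credential-like settings: %r" % leaked)
        return exposed


def audit_client_settings(js_extension: JSExtensionBase) -> List[str]:
    """Return the credential-like keys an extension would send to the client,
    for a one-off review of existing extensions after upgrading."""
    return sorted(k for k in js_extension.get_settings() if _SENSITIVE_KEY.search(k))


# Constructed settings store: two UI preferences plus a service credential.
SAMPLE_SETTINGS: Dict[str, Any] = {
    "highlight_color": "#ffcc00",
    "show_badges": True,
    "ci_api_token": "EXAMPLE-NOT-A-REAL-TOKEN",
}
```

    With the default base class, audit_client_settings reports the constructed ci_api_token as client-visible; with the allow-listing subclass it reports nothing. The allow-list is the policy, and the regular expression only catches the case where someone later adds a credential-shaped key to it.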

    And some bug fixes:

    • "Are you sure want to leave the page?" confirmations should no longer appear on Firefox if you haven't actually changed anything.
    • Legacy screenshots from older releases should now display just fine on 2.5.3.
    • Webhooks containing diff payloads aren't so broken on 2.5.3.

    There's more, and we also have some backported bug fixes and feature changes for 1.7.29. (This will likely be the last 1.7.x release.)

    See the release notes for more information:

    • 2.5.3 release notes
    • 2.0.22 release notes
    • 1.7.29 release notes

