• Get Review Board
  • What's New
  • Products
  • Review Board Code review, image review, and document review
  • Documentation
  • Release Notes
  • Power Pack Enterprise integrations, reports, and enhanced document review
  • Try for 60 Days
  • Purchase
  • RBCommons Review Board as a Service, hosted by us
  • Pricing
  • RBTools Command line tools and Python API for Review Board
  • Documentation
  • Release Notes
  • Review Bot Automated code review, connecting tools you already use
  • Documentation
  • Release Notes
  • RB Gateway Manage Git and Mercurial repositories in your network
  • Documentation
  • Release Notes
  • Learn and Explore
  • What is Code Review?
  • Documentation
  • Frequently Asked Questions
  • Support Options
  • Third-Party Integrations
  • Demo

    • New Review Board 2.0.31 and 2.5.16 security releases

    September 12, 2017

    We have two new security releases for you today, both fixing security issues reported to us by security researcher Dylan Ayrey. There's also a few bug fixes for GitLab and Subversion, and some improvements for the Administration UI's Security Checklist.

    Security Fixes

    Dylan reported two vulnerabilities that could be used to execute JavaScript code on a user's behalf:

    1. If a text field contains a plain-text javascript: URL, it would be turned into a link that, when clicked, would execute JavaScript on the user's behalf. These links would be pretty long and were easily identifiable, making it less likely that users would be tricked into clicking them (and could not be masked using Markdown links). We've altered the linking behavior to only link certain known types of safe URLs.

    2. When clicking Download on a file attachment, the browser may choose to render certain file types in the browser. This includes SVG files, which can include JavaScript. If the media files are served up on the same domain used for Review Board (which is the default behavior), as opposed to a CDN or dedicated domain, then users could be at risk when downloading SVG files.

      We now generate Apache configuration files that add a Content-Disposition: attachment header to all media files, forcing them to download. If you're not using a standard Apache setup, you may need to modify your configuration to add this header.

      You can visit the Security Checklist to make sure this header is being set.

    GitLab and Subversion Fixes

    Review Board 2.0.31 and 2.5.16 include fixes for working with changes on GitLab. Both fix issues viewing diffs against files containing Unicode characters, and 2.5.16 includes a fix for creating/modifying repositories for self-hosted GitLab servers.

    2.5.16 also includes a fix for the New Review Request page when there are problems talking to Subversion repositories. Errors are now reported, instead of the page reporting a generic "Internal Server Error."

    See the 2.0.31 and 2.5.16 release notes for more information on these releases, along with upgrade instructions.

    Keep up with the latest Review Board releases, security updates, and helpful information.

    About
    News
    Demo
    RBCommons Hosting
    Integrations
    Happy Users
    Support Options
    Documentation
    FAQ
    User Manual
    RBTools
    Administration Guide
    Power Pack
    Release Notes
    Downloads
    Review Board
    RBTools
    Djblets
    Power Pack
    Package Store
    PGP Signatures
    Contributing
    Bug Tracker
    Submit Patches
    Development Setup
    Wiki
    Follow Us
    Mailing Lists
    Reddit
    Twitter
    Mastodon
    Facebook
    YouTube

    Copyright © 2006-2024 Beanbag, Inc. All rights reserved.

    Terms of Service — Privacy Policy — AI Ethics Policy — Branding