Today's releases of Review Board 3.0.24 and 4.0.2 fix a handful of bugs and one security issue, and introduce support for defining safe URL protocols for Markdown text.
Security Fix for Markdown Review UI
Attackers could post a Markdown document for review that contained bad links that, when clicked, could invoke JavaScript code. We fixed a similar issue in 3.0.21, but this is specific to the Markdown Review UI.
Though this is a pretty small attack vector, we do strongly recommend that everyone upgrade as a precaution.
Custom URL Protocols
Administrators can now set a list of URL protocols (like eclipse://, ftp://, gopher://, etc.) they consider safe for their environment by modifying conf/settings_local.py. These will then be preserved when building links. For example:
ALLOWED_MARKDOWN_URL_PROTOCOLS = ['eclipse', 'ftp', 'gopher']
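As an added example (not Review Board's own code) of the allowlist check that such a setting feeds: links without a scheme are kept as relative, and links with a scheme are kept only when it is a built-in safe scheme or one listed in the setting. DEFAULT_SAFE_PROTOCOLS, the function names and the sample URLs are this example's assumptions.

```python
"""Allowlist-based URL scheme filter for Markdown links (added example)."""
import html
import re
from typing import Iterable, Optional

# Schemes accepted regardless of configuration (assumed defaults for this example).
DEFAULT_SAFE_PROTOCOLS = frozenset({"http", "https", "mailto"})

# Mirrors the settings_local.py setting from the announcement; values are the example's own.
ALLOWED_MARKDOWN_URL_PROTOCOLS = ["eclipse", "ftp", "gopher"]

# Scheme grammar from RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def extract_scheme(href: str) -> Optional[str]:
    """Return the lower-cased scheme of href, or None for a relative URL."""
    # Browsers ignore surrounding whitespace and ASCII control characters in an
    # href, so normalize the same way before concluding there is no scheme.
    cleaned = "".join(ch for ch in href.strip() if ord(ch) > 0x1F)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def is_safe_href(href: str, extra_protocols: Iterable[str] = ()) -> bool:
    """True when the link may be emitted as a real <a href>."""
    scheme = extract_scheme(href)
    if scheme is None:
        # Relative URL (/path, #anchor, ../x): no scheme to abuse, keep it.
        return True
    allowed = DEFAULT_SAFE_PROTOCOLS | {p.lower() for p in extra_protocols}
    return scheme in allowed


def render_link(text: str, href: str, extra_protocols: Iterable[str] = ()) -> str:
    """Render an <a> element when the scheme is allowed; otherwise emit plain text."""
    if is_safe_href(href, extra_protocols):
        return '<a href="%s">%s</a>' % (html.escape(href, quote=True), html.escape(text))
    return html.escape(text)
```

Comparing the call with and without ALLOWED_MARKDOWN_URL_PROTOCOLS shows that an eclipse:// link is dropped by default and preserved once the administrator lists the scheme.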
Bug Fixes
There are also fixes for:
- Marking session and CSRF cookies as secure
- Handling Subversion diffs with (nonexistent) revisions
- Markdown rendering of e-mail addresses
- Connecting to GitLab (in Review Board 4.0.2)
See the 3.0.24 release notes and 4.0.2 release notes for the full lists of changes.
Note: If you're upgrading to 3.0.24, please follow the installation instructions in the release notes so you don't end up on 4.0.2.