FreeBSD Bugzilla – Attachment 193308 Details for
Bug 228182
Upgrade Bugzilla to 5.0.4
[patch]
5.0.4.diff
5.0.4.diff (text/plain), 30.47 KB, created by
Oleksandr Tymoshenko
on 2018-05-12 00:04:59 UTC
Description:
5.0.4.diff
Filename:
MIME Type:
Creator:
Oleksandr Tymoshenko
Created:
2018-05-12 00:04:59 UTC
Size:
30.47 KB
>diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
>index 44c089a2..9b1ff923 100644
>--- a/Bugzilla/CGI.pm
>+++ b/Bugzilla/CGI.pm
>@@ -288,6 +288,69 @@ sub close_standby_message {
> }
> }
>
>+our $ALLOW_UNSAFE_RESPONSE = 0;
>+# responding to text/plain or text/html is safe
>+# responding to any request with a referer header is safe
>+# some things need to have unsafe responses (attachment.cgi)
>+# everything else should get a 403.
>+sub _prevent_unsafe_response {
>+ my ($self, $headers) = @_;
>+ my $safe_content_type_re = qr{
>+ ^ (*COMMIT) # COMMIT makes the regex faster
>+ # by preventing back-tracking. see also perldoc pelre.
>+ # application/x-javascript, xml, atom+xml, rdf+xml, xml-dtd, and json
>+ (?: application/ (?: x(?: -javascript | ml (?: -dtd )? )
>+ | (?: atom | rdf) \+ xml
>+ | json )
>+ # text/csv, text/calendar, text/plain, and text/html
>+ | text/ (?: c (?: alendar | sv )
>+ | plain
>+ | html )
>+ # used for HTTP push responses
>+ | multipart/x-mixed-replace)
>+ }sx;
>+ my $safe_referer_re = do {
>+ # Note that urlbase must end with a /.
>+ # It almost certainly does, but let's be extra careful.
>+ my $urlbase = correct_urlbase();
>+ $urlbase =~ s{/$}{};
>+ qr{
>+ # Begins with literal urlbase
>+ ^ (*COMMIT)
>+ \Q$urlbase\E
>+ # followed by a slash or end of string
>+ (?: /
>+ | $ )
>+ }sx
>+ };
>+
>+ return if $ALLOW_UNSAFE_RESPONSE;
>+
>+ if (Bugzilla->usage_mode == USAGE_MODE_BROWSER) {
>+ # Safe content types are ones that arn't images.
>+ # For now let's assume plain text and html are not valid images.
>+ my $content_type = $headers->{'-type'} // $headers->{'-content_type'} // 'text/html';
>+ my $is_safe_content_type = $content_type =~ $safe_content_type_re;
>+
>+ # Safe referers are ones that begin with the urlbase.
>+ my $referer = $self->referer;
>+ my $is_safe_referer = $referer && $referer =~ $safe_referer_re;
>+
>+ if (!$is_safe_referer && !$is_safe_content_type) {
>+ print $self->SUPER::header(-type => 'text/html', -status => '403 Forbidden');
>+ if ($content_type ne 'text/html') {
>+ print "Untrusted Referer Header\n";
>+ if ($ENV{MOD_PERL}) {
>+ my $r = $self->r;
>+ $r->rflush;
>+ $r->status(200);
>+ }
>+ }
>+ exit;
>+ }
>+ }
>+}
>+
> # Override header so we can add the cookies in
> sub header {
> my $self = shift;
>@@ -302,6 +365,7 @@ sub header {
> else {
> %headers = @_;
> }
>+ $self->_prevent_unsafe_response(\%headers);
>
> if ($self->{'_content_disp'}) {
> $headers{'-content_disposition'} = $self->{'_content_disp'};
>diff --git a/Bugzilla/Config.pm b/Bugzilla/Config.pm
>index 1c02d9dd..45861670 100644
>--- a/Bugzilla/Config.pm
>+++ b/Bugzilla/Config.pm
>@@ -16,10 +16,9 @@ use autodie qw(:default);
>
> use Bugzilla::Constants;
> use Bugzilla::Hook;
>-use Bugzilla::Util qw(trick_taint);
>+use Bugzilla::Util qw(trick_taint read_text write_text);
>
> use JSON::XS;
>-use File::Slurp;
> use File::Temp;
> use File::Basename;
>
>@@ -284,7 +283,7 @@ sub write_params {
> my $param_file = bz_locations()->{'datadir'} . '/params.json';
>
> my $json_data = JSON::XS->new->canonical->pretty->encode($param_data);
>- write_file($param_file, { binmode => ':utf8', atomic => 1 }, \$json_data);
>+ write_text($param_file, $json_data);
>
> # It's not common to edit parameters and loading
> # Bugzilla::Install::Filesystem is slow.
>@@ -301,8 +300,8 @@ sub read_param_file {
> my $file = bz_locations()->{'datadir'} . '/params.json';
>
> if (-e $file) {
>- my $data;
>- read_file($file, binmode => ':utf8', buf_ref => \$data);
>+ my $data = read_text($file);
>+ trick_taint($data);
>
> # If params.json has been manually edited and e.g. some quotes are
> # missing, we don't want JSON::XS to leak the content of the file
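Review bot: The content-type lookup in `_prevent_unsafe_response` (Bugzilla/CGI.pm, hunk `@@ -288,6 +288,69 @@`) fails open: `$headers->{'-type'} // $headers->{'-content_type'} // 'text/html'` inspects only two key spellings, and anything else falls through to the `text/html` default, which the allow-list treats as safe. If any caller of `header()` passes the type under another spelling that the parent class accepts (the callers are not visible here, so this needs checking), a non-allow-listed response would skip the Referer check. Normalising the header keys before the lookup would close that, and at minimum the assumption should be written down, e.g. `# Callers must pass the type as '-type' or '-content_type'; any other spelling is treated as text/html and is not checked.` The comment above the sub also says any request with a referer header is safe, while the code requires the Referer to begin with urlbase. Moving `return if $ALLOW_UNSAFE_RESPONSE;` above the two `qr{}` constructions would spare opted-out scripts the `correct_urlbase()` call.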
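Review bot: `trick_taint($data)` in `read_param_file` (Bugzilla/Config.pm, hunk `@@ -301,8 +300,8 @@`) untaints the entire contents of params.json without saying why that is safe. A short comment such as `# params.json is written only by write_params() and is not user-supplied, so its contents are trusted here.` would record the assumption, which should be confirmed against how the data directory is protected. File::Slurp's `read_file` croaked on I/O errors by default, whereas the new `read_text` does not check its `open`, so an unreadable file now reaches this line as undef instead of raising at the read. The function body continues outside the hunk.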
>diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
>index 8b2eeac2..b4d22f8b 100644
>--- a/Bugzilla/Constants.pm
>+++ b/Bugzilla/Constants.pm
>@@ -200,7 +200,7 @@ use Memoize;
> # CONSTANTS
> #
> # Bugzilla version
>-use constant BUGZILLA_VERSION => "5.0.3";
>+use constant BUGZILLA_VERSION => "5.0.4";
>
> # A base link to the current REST Documentation. We place it here
> # as it will need to be updated to whatever the current release is.
>diff --git a/Bugzilla/DB/Sqlite.pm b/Bugzilla/DB/Sqlite.pm
>index ddafc169..a56ed31a 100644
>--- a/Bugzilla/DB/Sqlite.pm
>+++ b/Bugzilla/DB/Sqlite.pm
>@@ -219,6 +219,7 @@ sub sql_date_format {
> my ($self, $date, $format) = @_;
> $format = "%Y.%m.%d %H:%M:%S" if !$format;
> $format =~ s/\%i/\%M/g;
>+ $format =~ s/\%s/\%S/g;
> return "STRFTIME(" . $self->quote($format) . ", $date)";
> }
>
>diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm
>index 4f133d86..d30ae18d 100644
>--- a/Bugzilla/Install/Filesystem.pm
>+++ b/Bugzilla/Install/Filesystem.pm
>@@ -31,7 +31,6 @@ use File::Path;
> use File::Basename;
> use File::Copy qw(move);
> use File::Spec;
>-use File::Slurp;
> use IO::File;
> use POSIX ();
>
>@@ -536,7 +535,7 @@ sub update_filesystem {
>
> # Remove old assets htaccess file to force recreation with correct values.
> if (-e "$assetsdir/.htaccess") {
>- if (read_file("$assetsdir/.htaccess") =~ /<FilesMatch \\\.css\$>/) {
>+ if (read_text("$assetsdir/.htaccess") =~ /<FilesMatch \\\.css\$>/) {
> unlink("$assetsdir/.htaccess");
> }
> }
>@@ -782,22 +781,21 @@ sub _update_old_charts {
> # to product IDs.
> sub _update_old_mining_filenames {
> my ($miningdir) = @_;
>+ my $dbh = Bugzilla->dbh;
> my @conversion_errors;
>
>- require Bugzilla::Product;
>-
> # We use a dummy product instance with ID 0, representing all products
> my $product_all = {id => 0, name => '-All-'};
>- bless($product_all, 'Bugzilla::Product');
>
> print "Updating old charting data file names...";
>- my @products = Bugzilla::Product->get_all();
>+ my @products = @{ $dbh->selectall_arrayref('SELECT id, name FROM products
>+ ORDER BY name', {Slice=>{}}) };
> push(@products, $product_all);
> foreach my $product (@products) {
>- if (-e File::Spec->catfile($miningdir, $product->id)) {
>+ if (-e File::Spec->catfile($miningdir, $product->{id})) {
> push(@conversion_errors,
> { product => $product,
>- message => 'A file named "' . $product->id .
>+ message => 'A file named "' . $product->{id} .
> '" already exists.' });
> }
> }
>@@ -805,8 +803,8 @@ sub _update_old_mining_filenames {
> if (! @conversion_errors) {
> # Renaming mining files should work now without a hitch.
> foreach my $product (@products) {
>- if (! rename(File::Spec->catfile($miningdir, $product->name),
>- File::Spec->catfile($miningdir, $product->id))) {
>+ if (! rename(File::Spec->catfile($miningdir, $product->{name}),
>+ File::Spec->catfile($miningdir, $product->{id}))) {
> push(@conversion_errors,
> { product => $product,
> message => $! });
>@@ -822,7 +820,7 @@ sub _update_old_mining_filenames {
> print " FAILED:\n";
> foreach my $error (@conversion_errors) {
> printf "Cannot rename charting data file for product %d (%s): %s\n",
>- $error->{product}->id, $error->{product}->name,
>+ $error->{product}->{id}, $error->{product}->{name},
> $error->{message};
> }
> print "You need to empty the \"$miningdir\" directory, then run\n",
>diff --git a/Bugzilla/Install/Requirements.pm b/Bugzilla/Install/Requirements.pm
>index a688a0ff..61496d84 100644
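Review bot: The switch from `Bugzilla::Product->get_all()` to a direct `selectall_arrayref` in `_update_old_mining_filenames` (Bugzilla/Install/Filesystem.pm, hunk `@@ -782,22 +781,21 @@`) is not explained in the code, so a later cleanup could easily put the object call back. A comment above the query would help, for example `# Query the table directly: Bugzilla::Product may not be usable while the schema is still being upgraded.`; that reason is inferred from the checksetup.pl entry in this patch's release notes and should be confirmed. `$product->{name}` still goes into `File::Spec->catfile` unvalidated, as it did before, so the rename relies on product names containing no path separators.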
>--- a/Bugzilla/Install/Requirements.pm
>+++ b/Bugzilla/Install/Requirements.pm
>@@ -155,11 +155,6 @@ sub REQUIRED_MODULES {
> module => 'Math::Random::ISAAC',
> version => '1.0.1',
> },
>- {
>- package => 'File-Slurp',
>- module => 'File::Slurp',
>- version => '9999.13',
>- },
> {
> package => 'JSON-XS',
> module => 'JSON::XS',
>diff --git a/Bugzilla/JobQueue.pm b/Bugzilla/JobQueue.pm
>index d5ceda8e..6ff85d84 100644
>--- a/Bugzilla/JobQueue.pm
>+++ b/Bugzilla/JobQueue.pm
>@@ -14,8 +14,8 @@ use warnings;
> use Bugzilla::Constants;
> use Bugzilla::Error;
> use Bugzilla::Install::Util qw(install_string);
>+use Bugzilla::Util qw(read_text);
> use File::Basename;
>-use File::Slurp;
> use base qw(TheSchwartz);
> use fields qw(_worker_pidfile);
>
>@@ -124,7 +124,7 @@ sub subprocess_worker {
> # And poll the PID to detect when the working has finished.
> # We do this instead of system() to allow for the INT signal to
> # interrup us and trigger kill_worker().
>- my $pid = read_file($self->{_worker_pidfile}, err_mode => 'quiet');
>+ my $pid = read_text($self->{_worker_pidfile}, err_mode => 'quiet');
> if ($pid) {
> sleep(3) while(kill(0, $pid));
> }
>@@ -139,7 +139,7 @@ sub subprocess_worker {
> sub kill_worker {
> my $self = Bugzilla->job_queue();
> if ($self->{_worker_pidfile} && -e $self->{_worker_pidfile}) {
>- my $worker_pid = read_file($self->{_worker_pidfile});
>+ my $worker_pid = read_text($self->{_worker_pidfile});
> if ($worker_pid && kill(0, $worker_pid)) {
> $self->debug("Stopping worker process");
> system "$0 -f -p '" . $self->{_worker_pidfile} . "' stop";
>diff --git a/Bugzilla/Migrate.pm b/Bugzilla/Migrate.pm
>index 0731d4fe..7865c842 100644
>--- a/Bugzilla/Migrate.pm
>+++ b/Bugzilla/Migrate.pm
>@@ -403,7 +403,7 @@ sub parse_date {
> }
> my $tz;
> if ($time[6]) {
>- $tz = Bugzilla->local_timezone->offset_as_string($time[6]);
>+ $tz = DateTime::TimeZone->offset_as_string($time[6]);
> }
> else {
> $tz = $self->config('timezone');
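Review bot: In `subprocess_worker` (Bugzilla/JobQueue.pm, hunk `@@ -124,7 +124,7 @@`), `read_text($self->{_worker_pidfile}, err_mode => 'quiet')` still passes File::Slurp's `err_mode` option, but the `read_text` added to Bugzilla/Util.pm in this patch takes only `$filename` and ignores the rest. A missing pidfile appears to be tolerated only because the unchecked `open` fails and the read yields undef, probably with a warning. Making the intent explicit drops the dead argument, e.g. `my $pid = -e $self->{_worker_pidfile} ? read_text($self->{_worker_pidfile}) : undef;`, which matches the `-e` guard `kill_worker` already has. In both subs the value read from the file goes to `kill` without a check that, after trimming whitespace, it consists only of digits.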
>diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
>index 41b9265c..decffe1e 100644
>--- a/Bugzilla/Template.pm
>+++ b/Bugzilla/Template.pm
>@@ -32,7 +32,6 @@ use Digest::MD5 qw(md5_hex);
> use File::Basename qw(basename dirname);
> use File::Find;
> use File::Path qw(rmtree mkpath);
>-use File::Slurp;
> use File::Spec;
> use IO::Dir;
> use List::MoreUtils qw(firstidx);
>@@ -502,7 +501,7 @@ sub _concatenate_css {
> next unless -e "$cgi_path/$files{$source}";
> my $file = $skins_path . '/' . md5_hex($source) . '.css';
> if (!-e $file) {
>- my $content = read_file("$cgi_path/$files{$source}");
>+ my $content = read_text("$cgi_path/$files{$source}");
>
> # minify
> $content =~ s{/\*.*?\*/}{}sg; # comments
>@@ -512,7 +511,7 @@ sub _concatenate_css {
> # rewrite urls
> $content =~ s{url\(([^\)]+)\)}{_css_url_rewrite($source, $1)}eig;
>
>- write_file($file, "/* $files{$source} */\n" . $content . "\n");
>+ write_text($file, "/* $files{$source} */\n" . $content . "\n");
> }
> push @minified, $file;
> }
>@@ -522,9 +521,9 @@ sub _concatenate_css {
> if (!-e $file) {
> my $content = '';
> foreach my $source (@minified) {
>- $content .= read_file($source);
>+ $content .= read_text($source);
> }
>- write_file($file, $content);
>+ write_text($file, $content);
> }
>
> $file =~ s/^\Q$cgi_path\E\///o;
>@@ -563,7 +562,7 @@ sub _concatenate_js {
> next unless -e "$cgi_path/$files{$source}";
> my $file = $skins_path . '/' . md5_hex($source) . '.js';
> if (!-e $file) {
>- my $content = read_file("$cgi_path/$files{$source}");
>+ my $content = read_text("$cgi_path/$files{$source}");
>
> # minimal minification
> $content =~ s#/\*.*?\*/##sg; # block comments
>@@ -572,7 +571,7 @@ sub _concatenate_js {
> $content =~ s#\n{2,}#\n#g; # blank lines
> $content =~ s#(^\s+|\s+$)##g; # whitespace at the start/end of file
>
>- write_file($file, ";/* $files{$source} */\n" . $content . "\n");
>+ write_text($file, ";/* $files{$source} */\n" . $content . "\n");
> }
> push @minified, $file;
> }
>@@ -582,9 +581,9 @@ sub _concatenate_js {
> if (!-e $file) {
> my $content = '';
> foreach my $source (@minified) {
>- $content .= read_file($source);
>+ $content .= read_text($source);
> }
>- write_file($file, $content);
>+ write_text($file, $content);
> }
>
> $file =~ s/^\Q$cgi_path\E\///o;
>diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
>index bbf4261c..57ce5f6b 100644
>--- a/Bugzilla/Util.pm
>+++ b/Bugzilla/Util.pm
>@@ -24,7 +24,7 @@ use parent qw(Exporter);
> validate_email_syntax check_email_syntax clean_text
> get_text template_var display_value disable_utf8
> detect_encoding email_filter
>- join_activity_entries);
>+ join_activity_entries read_text write_text);
>
> use Bugzilla::Constants;
> use Bugzilla::RNG qw(irand);
>@@ -39,6 +39,8 @@ use Scalar::Util qw(tainted blessed);
> use Text::Wrap;
> use Encode qw(encode decode resolve_alias);
> use Encode::Guess;
>+use File::Basename qw(dirname);
>+use File::Temp qw(tempfile);
>
> sub trick_taint {
> require Carp;
>@@ -106,6 +108,29 @@ sub html_quote {
> return $var;
> }
>
>+sub read_text {
>+ my ($filename) = @_;
>+ open my $fh, '<:encoding(utf-8)', $filename;
>+ local $/ = undef;
>+ my $content = <$fh>;
>+ close $fh;
>+ return $content;
>+}
>+
>+sub write_text {
>+ my ($filename, $content) = @_;
>+ my ($tmp_fh, $tmp_filename) = tempfile('.tmp.XXXXXXXXXX',
>+ DIR => dirname($filename),
>+ UNLINK => 0,
>+ );
>+ binmode $tmp_fh, ':encoding(utf-8)';
>+ print $tmp_fh $content;
>+ close $tmp_fh;
>+ # File::Temp tries for secure files, but File::Slurp used the umask.
>+ chmod(0666 & ~umask, $tmp_filename);
>+ rename $tmp_filename, $filename;
>+}
>+
> sub html_light_quote {
> my ($text) = @_;
> # admin/table.html.tmpl calls |FILTER html_light| many times.
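Review bot: `read_text` and `write_text` (Bugzilla/Util.pm, hunk `@@ -106,6 +108,29 @@`) check none of their system calls, so `open`, `print`, `close`, `chmod` and `rename` can all fail silently. For `write_text` a full disk or a permission problem leaves the target unchanged with no error (params.json is one of the callers in this patch), and the `.tmp.XXXXXXXXXX` file stays behind because it is created with `UNLINK => 0`. The `chmod(0666 & ~umask, ...)` also widens the restrictive mode File::Temp gives the file to whatever the process umask allows, which matters for any caller whose file holds secrets when the umask is permissive. A checked `write_text` is sketched below; `read_text` needs the same for its `open`, bearing in mind that Bugzilla/JobQueue.pm currently depends on a quiet failure.

```perl
sub write_text {
    # … unchanged: argument unpacking, tempfile() call and binmode …
    print {$tmp_fh} $content
        or die "Cannot write to $tmp_filename: $!";
    close $tmp_fh
        or die "Cannot close $tmp_filename: $!";
    # … unchanged: comment about File::Temp and the umask …
    chmod(0666 & ~umask, $tmp_filename)
        or die "Cannot chmod $tmp_filename: $!";
    if (!rename($tmp_filename, $filename)) {
        my $error = $!;
        unlink $tmp_filename;    # do not leave the temporary file behind
        die "Cannot rename $tmp_filename to $filename: $error";
    }
}
```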
>@@ -588,7 +613,7 @@ sub datetime_from {
> second => defined($time[0]) ? int($time[0]) : undef,
> # If a timezone was specified, use it. Otherwise, use the
> # local timezone.
>- time_zone => Bugzilla->local_timezone->offset_as_string($time[6])
>+ time_zone => DateTime::TimeZone->offset_as_string($time[6])
> || Bugzilla->local_timezone,
> );
>
>diff --git a/attachment.cgi b/attachment.cgi
>index 40b0c9d3..4cd9229f 100755
>--- a/attachment.cgi
>+++ b/attachment.cgi
>@@ -35,6 +35,7 @@ use Encode::MIME::Header; # Required to alter Encode::Encoding{'MIME-Q'}.
> local our $cgi = Bugzilla->cgi;
> local our $template = Bugzilla->template;
> local our $vars = {};
>+local $Bugzilla::CGI::ALLOW_UNSAFE_RESPONSE = 1;
>
> # All calls to this script should contain an "action" variable whose
> # value determines what the user wants to do. The code below checks
>diff --git a/contrib/jb2bz.py b/contrib/jb2bz.py
>index 85f95423..caaa0c5e 100755
>--- a/contrib/jb2bz.py
>+++ b/contrib/jb2bz.py
>@@ -17,8 +17,8 @@ This code requires a recent version of Andy Dustman's MySQLdb interface,
> Share and enjoy.
> """
>
>-import rfc822, mimetools, multifile, mimetypes, email.utils
>-import sys, re, glob, StringIO, os, stat, time
>+import email, mimetypes, email.utils
>+import sys, re, glob, os, stat, time
> import MySQLdb, getopt
>
> # mimetypes doesn't include everything we might encounter, yet.
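Review bot: `local $Bugzilla::CGI::ALLOW_UNSAFE_RESPONSE = 1;` at file scope in attachment.cgi (hunk `@@ -35,6 +35,7 @@`) switches the new Referer/content-type check off for every action the script handles, not only for the path that sends attachment bodies. The rest of the script is outside this hunk, so whether the other actions need the exemption cannot be confirmed here; if they do not, localising the flag inside the sub that streams attachment data would keep the check for the script's HTML pages. At minimum the line deserves a comment saying why the exemption exists, e.g. `# Attachments can be of any MIME type and may be requested without a Bugzilla referer, so Bugzilla::CGI must not reject them.`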
>@@ -89,10 +89,24 @@ def process_notes_file(current, fname):
> def process_reply_file(current, fname):
> new_note = {}
> reply = open(fname, "r")
>- msg = rfc822.Message(reply)
>- new_note['text'] = "%s\n%s" % (msg['From'], msg.fp.read())
>- new_note['timestamp'] = email.utils.parsedate_tz(msg['Date'])
>- current["notes"].append(new_note)
>+ msg = email.message_from_file(reply)
>+
>+ # Add any attachments that may have been in a followup or reply
>+ msgtype = msg.get_content_maintype()
>+ if msgtype == "multipart":
>+ for part in msg.walk():
>+ new_note = {}
>+ if part.get_filename() is None:
>+ if part.get_content_type() == "text/plain":
>+ new_note['timestamp'] = time.gmtime(email.utils.mktime_tz(email.utils.parsedate_tz(msg['Date'])))
>+ new_note['text'] = "%s\n%s" % (msg['From'], part.get_payload())
>+ current["notes"].append(new_note)
>+ else:
>+ maybe_add_attachment(part, current)
>+ else:
>+ new_note['text'] = "%s\n%s" % (msg['From'], msg.get_payload())
>+ new_note['timestamp'] = time.gmtime(email.utils.mktime_tz(email.utils.parsedate_tz(msg['Date'])))
>+ current["notes"].append(new_note)
>
> def add_notes(current):
> """Add any notes that have been recorded for the current bug."""
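Review bot: `time.gmtime(email.utils.mktime_tz(email.utils.parsedate_tz(msg['Date'])))` in `process_reply_file` raises when the Date header cannot be parsed, because `parsedate_tz` returns None for such input and `mktime_tz` cannot take None. The old code stored the None, so one malformed message now aborts the whole import at this line. Parse first and convert only on success: `parsed = email.utils.parsedate_tz(msg['Date'])` followed by `new_note['timestamp'] = time.gmtime(email.utils.mktime_tz(parsed)) if parsed else None`, or substitute a fallback timestamp. The same expression in `process_jitterbug` (hunk `@@ -158,39 +169,37 @@`) makes the `is None` fallback to the file mtime on the next line unreachable.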
>@@ -104,51 +118,48 @@ def add_notes(current):
> for f in glob.glob("%d.followup.*" % current['number']):
> process_reply_file(current, f)
>
>-def maybe_add_attachment(current, file, submsg):
>+def maybe_add_attachment(submsg, current):
> """Adds the attachment to the current record"""
>- cd = submsg["Content-Disposition"]
>- m = re.search(r'filename="([^"]+)"', cd)
>- if m == None:
>+ attachment_filename = submsg.get_filename()
>+ if attachment_filename is None:
> return
>- attachment_filename = m.group(1)
>- if (submsg.gettype() == 'application/octet-stream'):
>+
>+ if (submsg.get_content_type() == 'application/octet-stream'):
> # try get a more specific content-type for this attachment
>- type, encoding = mimetypes.guess_type(m.group(1))
>- if type == None:
>- type = submsg.gettype()
>+ mtype, encoding = mimetypes.guess_type(attachment_filename)
>+ if mtype == None:
>+ mtype = submsg.get_content_type()
> else:
>- type = submsg.gettype()
>+ mtype = submsg.get_content_type()
>
>- try:
>- data = StringIO.StringIO()
>- mimetools.decode(file, data, submsg.getencoding())
>- except:
>+ if mtype == 'application/x-pkcs7-signature':
>+ return
>+
>+ if mtype == 'application/pkcs7-signature':
>+ return
>+
>+ if mtype == 'application/pgp-signature':
> return
>
>- current['attachments'].append( ( attachment_filename, type, data.getvalue() ) )
>+ if mtype == 'message/rfc822':
>+ return
>
>-def process_mime_body(current, file, submsg):
>- data = StringIO.StringIO()
> try:
>- mimetools.decode(file, data, submsg.getencoding())
>- current['description'] = data.getvalue()
>+ data = submsg.get_payload(decode=True)
> except:
> return
>
>+ current['attachments'].append( ( attachment_filename, mtype, data ) )
>+
> def process_text_plain(msg, current):
>- current['description'] = msg.fp.read()
>-
>-def process_multi_part(file, msg, current):
>- mf = multifile.MultiFile(file)
>- mf.push(msg.getparam("boundary"))
>- while mf.next():
>- submsg = mimetools.Message(file)
>- if
submsg.has_key("Content-Disposition"):
>- maybe_add_attachment(current, mf, submsg)
>+ current['description'] = msg.get_payload()
>+
>+def process_multi_part(msg, current):
>+ for part in msg.walk():
>+ if part.get_filename() is None:
>+ process_text_plain(part, current)
> else:
>- # This is the message body itself (always?), so process
>- # accordingly
>- process_mime_body(current, mf, submsg)
>+ maybe_add_attachment(part, current)
>
> def process_jitterbug(filename):
> current = {}
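Review bot: `process_multi_part` iterates `msg.walk()`, which also yields the multipart container parts themselves; those have no filename, so `process_text_plain` runs on them and sets `current['description']` from `get_payload()`, which for a multipart part is a list of sub-messages rather than text. Every later part without a filename then overwrites the description, so the last one wins, which may be an HTML alternative rather than the plain-text body. Adding `if part.is_multipart(): continue` at the top of the loop and testing `part.get_content_type() == "text/plain"` before calling `process_text_plain`, as `process_reply_file` already does, avoids both. In `maybe_add_attachment` the bare `except:` around `get_payload(decode=True)` drops an attachment without any trace; catching a specific exception and printing the filename would make such losses visible.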
>@@ -158,39 +169,37 @@ def process_jitterbug(filename):
> current['description'] = ''
> current['date-reported'] = ()
> current['short-description'] = ''
>-
>- print "Processing: %d" % current['number']
>
>- file = open(filename, "r")
>- create_date = os.fstat(file.fileno())
>- msg = mimetools.Message(file)
>+ print "Processing: %d" % current['number']
>
>- msgtype = msg.gettype()
>+ mfile = open(filename, "r")
>+ create_date = os.fstat(mfile.fileno())
>+ msg = email.message_from_file(mfile)
>
>- add_notes(current)
>- current['date-reported'] = email.utils.parsedate_tz(msg['Date'])
>+ current['date-reported'] = time.gmtime(email.utils.mktime_tz(email.utils.parsedate_tz(msg['Date'])))
> if current['date-reported'] is None:
> current['date-reported'] = time.gmtime(create_date[stat.ST_MTIME])
>
> if current['date-reported'][0] < 1900:
> current['date-reported'] = time.gmtime(create_date[stat.ST_MTIME])
>
>- if msg.getparam('Subject') is not None:
>+ if msg.has_key('Subject') is not False:
> current['short-description'] = msg['Subject']
> else:
> current['short-description'] = "Unknown"
>
>- if msgtype[:5] == 'text/':
>+ msgtype = msg.get_content_maintype()
>+ if msgtype == 'text':
> process_text_plain(msg, current)
>- elif msgtype[:5] == 'text':
>- process_text_plain(msg, current)
>- elif msgtype[:10] == "multipart/":
>- process_multi_part(file, msg, current)
>+ elif msgtype == "multipart":
>+ process_multi_part(msg, current)
> else:
> # Huh? This should never happen.
> print "Unknown content-type: %s" % msgtype
> sys.exit(1)
>
>+ add_notes(current)
>+
> # At this point we have processed the message: we have all of the notes and
> # attachments stored, so it's time to add things to the database.
> # The schema for JitterBug 2.14 can be found at:
>@@ -219,6 +228,7 @@ def process_jitterbug(filename):
> try:
> cursor.execute( "INSERT INTO bugs SET " \
> "bug_id=%s," \
>+ "priority='---'," \
> "bug_severity='normal'," \
> "bug_status=%s," \
> "creation_ts=%s," \
>@@ -242,7 +252,7 @@ def process_jitterbug(filename):
> version,
> component,
> resolution] )
>-
>+
> # This is the initial long description associated with the bug report
> cursor.execute( "INSERT INTO longdescs SET " \
> "bug_id=%s," \
>@@ -253,7 +263,7 @@ def process_jitterbug(filename):
> reporter,
> time.strftime("%Y-%m-%d %H:%M:%S", current['date-reported'][:9]),
> current['description'] ] )
>-
>+
> # Add whatever notes are associated with this defect
> for n in current['notes']:
> cursor.execute( "INSERT INTO longdescs SET " \
>@@ -265,15 +275,15 @@ def process_jitterbug(filename):
> reporter,
> time.strftime("%Y-%m-%d %H:%M:%S", n['timestamp'][:9]),
> n['text']])
>-
>+
> # add attachments associated with this defect
> for a in current['attachments']:
> cursor.execute( "INSERT INTO attachments SET " \
>- "bug_id=%s, creation_ts=%s, description='', mimetype=%s," \
>+ "bug_id=%s, creation_ts=%s, description=%s, mimetype=%s," \
> "filename=%s, submitter_id=%s",
> [ current['number'],
> time.strftime("%Y-%m-%d %H:%M:%S", current['date-reported'][:9]),
>- a[1], a[0], reporter ])
>+ a[0], a[1], a[0], reporter ])
> cursor.execute( "INSERT INTO attach_data SET " \
> "id=LAST_INSERT_ID(), thedata=%s",
> [ a[2] ])
>diff --git a/editflagtypes.cgi b/editflagtypes.cgi
>index d0b9443b..71f7cb65 100755
>--- a/editflagtypes.cgi
>+++ b/editflagtypes.cgi
>@@ -453,7 +453,7 @@ sub get_products_and_components {
>
> # Let's sort the list by classifications.
> @products = ();
>- push(@products, @{$class{$_->id}}) foreach Bugzilla::Classification->get_all;
>+ push(@products, @{$class{$_->id} || []}) foreach Bugzilla::Classification->get_all;
> }
> }
>
>diff --git a/taskgraph.json b/taskgraph.json
>index 7433db6f..ba1d1f3e 100644
>--- a/taskgraph.json
>+++ b/taskgraph.json
>@@ -17,8 +17,8 @@
> "provisionerId": "aws-provisioner-v1",
> "workerType": "b2gtest",
> "payload": {
>- "image": "dklawren/docker-bugzilla",
>- "command": ["/runtests.sh"],
>+ "image": "bugzilla/bugzilla-ci",
>+ "command": ["runtests.sh"],
> "env": {
> "TEST_SUITE": "sanity"
> },
>@@ -54,8 +54,8 @@
> "provisionerId": "aws-provisioner-v1",
> "workerType": "b2gtest",
> "payload": {
>- "image": "dklawren/docker-bugzilla",
>- "command": ["/runtests.sh"],
>+ "image": "bugzilla/bugzilla-ci",
>+ "command": ["runtests.sh"],
> "env": {
> "TEST_SUITE": "docs"
> },
>@@ -91,8 +91,8 @@
> "provisionerId": "aws-provisioner-v1",
> "workerType": "b2gtest",
> "payload": {
>- "image": "dklawren/docker-bugzilla",
>- "command": ["/runtests.sh"],
>+ "image": "bugzilla/bugzilla-ci",
>+ "command": ["runtests.sh"],
> "env": {
> "TEST_SUITE": "webservices"
> },
>@@ -133,15 +133,15 @@
> "provisionerId": "aws-provisioner-v1",
> "workerType": "b2gtest",
> "payload": {
>- "image": "dklawren/docker-bugzilla",
>- "command": ["/runtests.sh"],
>+ "image": "bugzilla/bugzilla-ci",
>+ "command": ["runtests.sh"],
> "env": {
> "TEST_SUITE": "selenium"
> },
> "artifacts": {
> "public/runtests_log": {
> "type": "file",
>- "path": "/runtests.log",
>+ "path": "/tmp/runtests.log",
> "expires": "2018-02-17T17:33:38.806Z"
> },
> "public/httpd_error_log": {
>@@ -151,7 +151,7 @@
> },
> "public/selenium_log": {
> "type": "file",
>- "path": "/selenium.log",
>+ "path": "/tmp/selenium.log",
> "expires": "2018-02-17T17:33:38.806Z"
> }
> }
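Review bot: The new `"image": "bugzilla/bugzilla-ci"` in taskgraph.json is referenced without a tag or digest, so every CI run pulls whatever the registry currently serves under the default tag, and a changed or replaced image alters what the tests execute without any change in this repository. Pinning by digest, `"image": "bugzilla/bugzilla-ci@sha256:<digest-placeholder>"`, makes the runs reproducible and reviewable; the same applies to every task entry touched in the remaining hunks of this file. `"command": ["runtests.sh"]` now also depends on the image's PATH instead of an absolute path, which ties the task definition to the image's internal layout.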
>@@ -180,15 +180,16 @@
> "provisionerId": "aws-provisioner-v1",
> "workerType": "b2gtest",
> "payload": {
>- "image": "dklawren/docker-bugzilla:pgsql",
>- "command": ["/runtests.sh"],
>+ "image": "bugzilla/bugzilla-ci",
>+ "command": ["runtests.sh"],
> "env": {
>+ "BUGS_DB_DRIVER": "pg",
> "TEST_SUITE": "webservices"
> },
> "artifacts": {
> "public/runtests_log": {
> "type": "file",
>- "path": "/runtests.log",
>+ "path": "/tmp/runtests.log",
> "expires": "2018-02-17T17:33:38.806Z"
> },
> "public/httpd_error_log": {
>@@ -222,15 +223,16 @@
> "provisionerId": "aws-provisioner-v1",
> "workerType": "b2gtest",
> "payload": {
>- "image": "dklawren/docker-bugzilla:pgsql",
>- "command": ["/runtests.sh"],
>+ "image": "bugzilla/bugzilla-ci",
>+ "command": ["runtests.sh"],
> "env": {
>+ "BUGS_DB_DRIVER": "pg",
> "TEST_SUITE": "selenium"
> },
> "artifacts": {
> "public/runtests_log": {
> "type": "file",
>- "path": "/runtests.log",
>+ "path": "/tmp/runtests.log",
> "expires": "2018-02-17T17:33:38.806Z"
> },
> "public/httpd_error_log": {
>@@ -240,7 +242,7 @@
> },
> "public/selenium_log": {
> "type": "file",
>- "path": "/selenium.log",
>+ "path": "/tmp/selenium.log",
> "expires": "2018-02-17T17:33:38.806Z"
> }
> }
>diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl
>index 358298bc..b89e3a61 100644
>--- a/template/en/default/pages/release-notes.html.tmpl
>+++ b/template/en/default/pages/release-notes.html.tmpl
>@@ -43,6 +43,27 @@
>
> <h2 id="point">Updates in this 5.0.x Release</h2>
>
>+<h3>5.0.4</h3>
>+
>+<p>This release fixes one security issue. See the
>+ <a href="https://www.bugzilla.org/security/4.4.12/">Security Advisory</a>
>+ for details.</p>
>+
>+<p>This release also contains the following [% terms.bug %] fixes:</p>
>+
>+<ul>
>+ <li><kbd>checksetup.pl</kbd> would fail to update Chart storage during pre-3.6 to 5.0 upgrade.
>+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1273846">[% terms.Bug %] 1273846</a>)</li>
>+ <li><kbd>editflagtypes.cgi</kbd> would crash when classifications are enabled and
>+ the user did not have global <kbd>editcomponents</kbd> privileges.
>+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1310728">[% terms.Bug %] 1310728</a>)</li>
>+ <li>The <kbd>File::Slurp</kbd> would trigger warnings on perl 5.24.
>+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1301887">[% terms.Bug %] 1301887</a>)</li>
>+ <li>All the time entries in the 'when' column had the correct date but the time
>+ was fixed to 00:00 when using Sqlite.
>+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1303702">[% terms.Bug %] 1303702</a>)</li>
>+</ul>
>+
> <h3>5.0.3</h3>
>
> <p>This release fixes one security issue. See the
>@@ -69,7 +90,7 @@
> (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1259881">[% terms.Bug %] 1259881</a>)</li>
> <li>An extension which allows user-controlled data to be used as a link in
> tabs could trigger XSS if the data is not correctly sanitized.
>- [%+ terms. Bugzilla %] no longer relies on the extension to do the sanity
>+ [%+ terms.Bugzilla %] no longer relies on the extension to do the sanity
> check. A vanilla installation is not affected as no tab is user-controlled.
> (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1250114">[% terms.Bug %] 1250114</a>)</li>
> <li>Extensions can now easily override the favicon used for the
>@@ -174,7 +195,7 @@
> <h3 id="req_modules">Required Perl Modules</h3>
>
> [% INCLUDE req_table reqs = REQUIRED_MODULES
>- new = ['File-Slurp','JSON-XS', 'Email-Sender']
>+ new = ['JSON-XS', 'Email-Sender']
> updated = ['DateTime', 'DateTime-TimeZone',
> 'Template-Toolkit', 'URI'] %]
>
>@@ -205,6 +226,7 @@
> you.</p>
>
>
>+<a name="v50_feat"></a>
> <h2 id="feat">New Features and Improvements</h2>
>
> <ul>