author | Robin H. Johnson <robbat2@gentoo.org> | 2015-12-28 12:24:52 -0800 |
---|---|---|
committer | Robin H. Johnson <robbat2@gentoo.org> | 2015-12-28 12:25:11 -0800 |
commit | 0a87e8fe2f19bd17db27735b61415deaf9b24d56 (patch) | |
tree | 0632d948f1beb776663941d5019c66b7ebdf85c6 | |
parent | Merge remote-tracking branch 'upstream/4.4' (diff) | |
parent | Revert "Bug 1230932 - Providing a condition as an ID to the webservice result... (diff) | |
download | bugzilla-0a87e8fe2f19bd17db27735b61415deaf9b24d56.tar.gz bugzilla-0a87e8fe2f19bd17db27735b61415deaf9b24d56.tar.bz2 bugzilla-0a87e8fe2f19bd17db27735b61415deaf9b24d56.zip |
Merge remote-tracking branch 'upstream/release-4.4-stable' gentoo-4.4.11
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rw-r--r-- | .htaccess | 7 | ||||
-rw-r--r-- | Bugzilla/Constants.pm | 2 | ||||
-rw-r--r-- | Bugzilla/Install/Filesystem.pm | 45 | ||||
-rw-r--r-- | Bugzilla/Template.pm | 3 | ||||
-rw-r--r-- | Bugzilla/WebService/Product.pm | 1 | ||||
-rw-r--r-- | docs/bugzilla.ent.tmpl | 4 | ||||
-rw-r--r-- | docs/en/xml/installation.xml | 2 | ||||
-rw-r--r-- | mod_perl.pl | 2 | ||||
-rwxr-xr-x | showdependencygraph.cgi | 11 | ||||
-rw-r--r-- | template/en/default/pages/release-notes.html.tmpl | 19 |
10 files changed, 43 insertions, 53 deletions
@@ -5,12 +5,7 @@ Deny from all </IfVersion> <IfVersion >= 2.4> - <IfModule mod_perl.c> - Deny from all - </IfModule> - <IfModule !mod_perl.c> - Require all denied - </IfModule> + Require all denied </IfVersion> </IfModule> <IfModule !mod_version.c> diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index f7fb852c1..81af87690 100644 --- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -182,7 +182,7 @@ use Memoize; # CONSTANTS # # Bugzilla version -use constant BUGZILLA_VERSION => "4.4.10"; +use constant BUGZILLA_VERSION => "4.4.11"; # Location of the remote and local XML files to track new releases. use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml'; diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm index 9721c1702..f3416f837 100644 --- a/Bugzilla/Install/Filesystem.pm +++ b/Bugzilla/Install/Filesystem.pm @@ -48,12 +48,7 @@ use constant HT_DEFAULT_DENY => <<EOT; Deny from all </IfVersion> <IfVersion >= 2.4> - <IfModule mod_perl.c> - Deny from all - </IfModule> - <IfModule !mod_perl.c> - Require all denied - </IfModule> + Require all denied </IfVersion> </IfModule> <IfModule !mod_version.c> @@ -349,12 +344,7 @@ EOT Allow from all </IfVersion> <IfVersion >= 2.4> - <IfModule mod_perl.c> - Allow from all - </IfModule> - <IfModule !mod_perl.c> - Require all granted - </IfModule> + Require all granted </IfVersion> </IfModule> <IfModule !mod_version.c> @@ -368,12 +358,7 @@ EOT Deny from all </IfVersion> <IfVersion >= 2.4> - <IfModule mod_perl.c> - Deny from all - </IfModule> - <IfModule !mod_perl.c> - Require all denied - </IfModule> + Require all denied </IfVersion> </IfModule> <IfModule !mod_version.c> 
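Review bot: The `HT_DEFAULT_DENY` heredoc at `@@ -48` and the other access-control templates in Bugzilla/Install/Filesystem.pm (`@@ -349`, `@@ -368`, `@@ -393`, `@@ -416`, `@@ -435`) only change what checksetup.pl writes when it creates a file, so an upgraded installation keeps its 4.4.9-style `.htaccess` files until someone deletes them by hand, as the release-notes hunk in this commit says. Nothing visible here detects the old `<IfModule mod_perl.c>` form; if the filesystem update code outside these hunks already has a place where stale generated files are replaced, matching on that marker there would apply the fix without the manual `find` step. At minimum, a comment above the constant should say why the 2.4 branch uses `Require` unconditionally, for example `# Apache 2.4: use mod_authz_core syntax only; Allow/Deny need mod_access_compat, which may be disabled.` The heredocs start and end outside the hunks.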
@@ -393,14 +378,8 @@ EOT Deny from all </IfVersion> <IfVersion >= 2.4> - <IfModule mod_perl.c> - Allow from 192.20.225.0/24 - Deny from all - </IfModule> - <IfModule !mod_perl.c> - Require ip 192.20.225.0/24 - Require all denied - </IfModule> + Require ip 192.20.225.0/24 + Require all denied </IfVersion> </IfModule> <IfModule !mod_version.c> @@ -416,12 +395,7 @@ EOT Allow from all </IfVersion> <IfVersion >= 2.4> - <IfModule mod_perl.c> - Allow from all - </IfModule> - <IfModule !mod_perl.c> - Require all granted - </IfModule> + Require all granted </IfVersion> </IfModule> <IfModule !mod_version.c> @@ -435,12 +409,7 @@ EOT Deny from all </IfVersion> <IfVersion >= 2.4> - <IfModule mod_perl.c> - Deny from all - </IfModule> - <IfModule !mod_perl.c> - Require all denied - </IfModule> + Require all denied </IfVersion> </IfModule> <IfModule !mod_version.c> diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index a76c13067..caadafe12 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -728,6 +728,9 @@ sub create { { my ($var) = @_; $var = ' ' . $var if substr($var, 0, 1) eq '='; + # backslash is not special to CSV, but it can be used to confuse some browsers... + # so we do not allow it to happen. We only do this for logged-in users. + $var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id; $var =~ s/\"/\"\"/g; if ($var !~ /^-?(\d+\.)?\d*$/) { $var = "\"$var\""; diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm index 1c8d75bb4..e383cb515 100644 --- a/Bugzilla/WebService/Product.pm +++ b/Bugzilla/WebService/Product.pm @@ -28,6 +28,7 @@ use constant PUBLIC_METHODS => qw( get get_accessible_products get_enterable_products + get_products get_selectable_products update ); diff --git a/docs/bugzilla.ent.tmpl b/docs/bugzilla.ent.tmpl index 74db0e08b..8c9f8c577 100644 --- a/docs/bugzilla.ent.tmpl +++ b/docs/bugzilla.ent.tmpl 
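Review bot: In the `@@ -393` hunk the pair `Require ip 192.20.225.0/24` / `Require all denied` reads like the old allow-then-deny list, but as far as I can tell consecutive `Require` lines outside a container are combined as an implicit `<RequireAny>` on Apache 2.4, so the second line does not contribute to the decision. Access is still limited to the listed network, so this is a readability point and not a bypass. Either drop `Require all denied` from this template or keep it with a comment such as `# implicit RequireAny: only the address range above is granted`, so that nobody later adds a second `Require` line expecting the deny to cap it. The heredoc continues outside the hunk.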
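Review bot: The new substitution `s/\\/\x{FF3C}/g` in the CSV filter silently changes exported data, and the comment does not say which browser behaviour it defends against or why requests without a logged-in user are exempt. Please spell that out in the comment, e.g. `# A backslash can make some browsers treat a CSV response as something other than data; replace it with U+FF3C for logged-in users, whose session is what such a cross-site read would expose.`, adjusting the wording if the actual rationale differs. `\x{FF3C}` is also a wide character, so the output path has to encode it as UTF-8; whether that holds when the installation is not configured for UTF-8 is not visible here and is worth confirming. The filter sub begins and ends outside the hunk.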
@@ -1,5 +1,5 @@ -<!ENTITY bz-ver "4.4.10"> -<!ENTITY bz-date "2015-09-10"> +<!ENTITY bz-ver "4.4.11"> +<!ENTITY bz-date "2015-12-22"> <!ENTITY current-year "2015"> diff --git a/docs/en/xml/installation.xml b/docs/en/xml/installation.xml index 5ef6be582..4bc2da7e5 100644 --- a/docs/en/xml/installation.xml +++ b/docs/en/xml/installation.xml @@ -1058,7 +1058,7 @@ SetEnv LD_LIBRARY_PATH /u01/app/oracle/product/10.2.0/lib/ AddHandler cgi-script .cgi Options +ExecCGI DirectoryIndex index.cgi index.html -AllowOverride Limit FileInfo Indexes Options +AllowOverride All </Directory> </programlisting> diff --git a/mod_perl.pl b/mod_perl.pl index 3f563417f..dba6f1480 100644 --- a/mod_perl.pl +++ b/mod_perl.pl @@ -74,7 +74,7 @@ PerlChildInitHandler "sub { Bugzilla::RNG::srand(); srand(); }" PerlCleanupHandler Apache2::SizeLimit Bugzilla::ModPerl::CleanupHandler PerlOptions +ParseHeaders Options +ExecCGI - AllowOverride Limit FileInfo Indexes Options + AllowOverride All DirectoryIndex index.cgi index.html </Directory> EOT diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi index 4187bdd4e..00fd2061a 100755 --- a/showdependencygraph.cgi +++ b/showdependencygraph.cgi @@ -58,7 +58,7 @@ sub CreateImagemap { # Pick up bugid from the mapdata label field. Getting the title from # bugtitle hash instead of mapdata allows us to get the summary even # when showsummary is off, and also gives us status and resolution. - my $bugtitle = html_quote(clean_text($bugtitles{$bugid})); + my $bugtitle = $bugtitles{$bugid}; $map .= qq{<area alt="bug $bugid" name="bug$bugid" shape="rect" } . qq{title="$bugtitle" href="$url" } . qq{coords="$leftx,$topy,$rightx,$bottomy">\n}; 
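Review bot: `AllowOverride All` in the `<Directory>` block generated by mod_perl.pl grants every override class to `.htaccess` files under the Bugzilla tree, which is wider than the templates in this commit appear to need. The `Require` directives they now use belong to the `AuthConfig` class, so `AllowOverride AuthConfig Limit FileInfo Indexes Options` should be enough and keeps the earlier restriction in place; please confirm against the directives the generated files actually contain. The same line is changed in docs/en/xml/installation.xml and should follow whatever is decided here. The heredoc this line sits in starts outside the hunk.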
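Review bot: In `CreateImagemap` the value written into `title="$bugtitle"` is no longer escaped at the point of output, so the attribute is only safe if every entry in `%bugtitles` was escaped where it was filled, which happens outside this hunk. Please mark that contract at the sink, e.g. `# $bugtitles{$bugid} is already HTML-escaped where it is filled; do not escape it again here.`, and check that no code path stores raw text in `%bugtitles`. `CreateImagemap` begins and ends outside the hunk.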
@@ -176,13 +176,16 @@ foreach my $k (@bug_ids) { # Retrieve bug information from the database my ($stat, $resolution, $summary) = $dbh->selectrow_array($sth, undef, $k); + $vars->{'short_desc'} = $summary if ($k eq $cgi->param('id')); + # Resolution and summary are shown only if user can see the bug - if (!$user->can_see_bug($k)) { + if ($user->can_see_bug($k)) { + $summary = html_quote(clean_text($summary)); + } + else { $resolution = $summary = ''; } - $vars->{'short_desc'} = $summary if ($k eq $cgi->param('id')); - my @params; if ($summary ne "" && $cgi->param('showsummary')) { diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl index d810688a5..7763413bf 100644 --- a/template/en/default/pages/release-notes.html.tmpl +++ b/template/en/default/pages/release-notes.html.tmpl @@ -45,6 +45,25 @@ <h2 id="v44_point">Updates in this 4.4.x Release</h2> +<h3>4.4.11</h3> + +<p>This release fixes two security issues. See the + <a href="https://www.bugzilla.org/security/4.2.15/">Security Advisory</a> + for details.</p> + +<p>This release also contains the following [% terms.bug %] fix:</p> + +<ul> + <li>mod_perl now works correctly with mod_access_compat turned off on + Apache 2.4. The (incorrect) fix implemented in [% terms.Bugzilla %] 4.4.9 + has been backed out. To regenerate the <kbd>.htaccess</kbd> files, you + must first delete all existing ones in subdirectories: + <pre>find . -mindepth 2 -name .htaccess -exec rm -f {} \;</pre> + You must then run <kbd>checksetup.pl</kbd> again to recreate them with + the correct syntax. + (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1223790">[% terms.Bug %] 1223790</a>)</li> +</ul> + <h3>4.4.10</h3> <p>This release fixes one security issue. See the |
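Review bot: `$vars->{'short_desc'} = $summary ...` in the `@@ -176` hunk now runs before the `can_see_bug` check, so the template variable receives the raw summary even when `$user->can_see_bug($k)` is false; the old order blanked `$summary` first. That is harmless only if the `id` parameter was already access-checked earlier in the script, which is outside this hunk. Either add the guard, `$vars->{'short_desc'} = $summary if $k eq $cgi->param('id') && $user->can_see_bug($k);`, or leave a comment stating that the requested bug has been validated before this loop. The `foreach` body continues outside the hunk.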