authorRobin H. Johnson <robbat2@gentoo.org>2015-12-28 12:24:52 -0800
committerRobin H. Johnson <robbat2@gentoo.org>2015-12-28 12:25:11 -0800
commit0a87e8fe2f19bd17db27735b61415deaf9b24d56 (patch)
tree0632d948f1beb776663941d5019c66b7ebdf85c6
parentMerge remote-tracking branch 'upstream/4.4' (diff)
parentRevert "Bug 1230932 - Providing a condition as an ID to the webservice result... (diff)
downloadbugzilla-0a87e8fe2f19bd17db27735b61415deaf9b24d56.tar.gz
bugzilla-0a87e8fe2f19bd17db27735b61415deaf9b24d56.tar.bz2
bugzilla-0a87e8fe2f19bd17db27735b61415deaf9b24d56.zip
Merge remote-tracking branch 'upstream/release-4.4-stable'gentoo-4.4.11
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rw-r--r--.htaccess7
-rw-r--r--Bugzilla/Constants.pm2
-rw-r--r--Bugzilla/Install/Filesystem.pm45
-rw-r--r--Bugzilla/Template.pm3
-rw-r--r--Bugzilla/WebService/Product.pm1
-rw-r--r--docs/bugzilla.ent.tmpl4
-rw-r--r--docs/en/xml/installation.xml2
-rw-r--r--mod_perl.pl2
-rwxr-xr-xshowdependencygraph.cgi11
-rw-r--r--template/en/default/pages/release-notes.html.tmpl19
10 files changed, 43 insertions, 53 deletions
diff --git a/.htaccess b/.htaccess
index 33e80ef7a..82b90e1de 100644
--- a/.htaccess
+++ b/.htaccess
@@ -5,12 +5,7 @@
Deny from all
</IfVersion>
<IfVersion >= 2.4>
- <IfModule mod_perl.c>
- Deny from all
- </IfModule>
- <IfModule !mod_perl.c>
- Require all denied
- </IfModule>
+ Require all denied
</IfVersion>
</IfModule>
<IfModule !mod_version.c>
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index f7fb852c1..81af87690 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -182,7 +182,7 @@ use Memoize;
# CONSTANTS
#
# Bugzilla version
-use constant BUGZILLA_VERSION => "4.4.10";
+use constant BUGZILLA_VERSION => "4.4.11";
# Location of the remote and local XML files to track new releases.
use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml';
diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm
index 9721c1702..f3416f837 100644
--- a/Bugzilla/Install/Filesystem.pm
+++ b/Bugzilla/Install/Filesystem.pm
@@ -48,12 +48,7 @@ use constant HT_DEFAULT_DENY => <<EOT;
Deny from all
</IfVersion>
<IfVersion >= 2.4>
- <IfModule mod_perl.c>
- Deny from all
- </IfModule>
- <IfModule !mod_perl.c>
- Require all denied
- </IfModule>
+ Require all denied
</IfVersion>
</IfModule>
<IfModule !mod_version.c>
@@ -349,12 +344,7 @@ EOT
Allow from all
</IfVersion>
<IfVersion >= 2.4>
- <IfModule mod_perl.c>
- Allow from all
- </IfModule>
- <IfModule !mod_perl.c>
- Require all granted
- </IfModule>
+ Require all granted
</IfVersion>
</IfModule>
<IfModule !mod_version.c>
@@ -368,12 +358,7 @@ EOT
Deny from all
</IfVersion>
<IfVersion >= 2.4>
- <IfModule mod_perl.c>
- Deny from all
- </IfModule>
- <IfModule !mod_perl.c>
- Require all denied
- </IfModule>
+ Require all denied
</IfVersion>
</IfModule>
<IfModule !mod_version.c>
@@ -393,14 +378,8 @@ EOT
Deny from all
</IfVersion>
<IfVersion >= 2.4>
- <IfModule mod_perl.c>
- Allow from 192.20.225.0/24
- Deny from all
- </IfModule>
- <IfModule !mod_perl.c>
- Require ip 192.20.225.0/24
- Require all denied
- </IfModule>
+ Require ip 192.20.225.0/24
+ Require all denied
</IfVersion>
</IfModule>
<IfModule !mod_version.c>
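Review bot: The pair `Require ip 192.20.225.0/24` / `Require all denied` only has the intended effect because Apache 2.4 combines sibling `Require` lines as an implicit `<RequireAny>`, and nothing in the generated file says so. Under that rule the second line never grants access and only the address range admits anyone, so a maintainer who reads the pair with the 2.2 allow/deny ordering model in mind may edit it wrongly. I would add a comment line inside the heredoc above the pair, e.g. `# 2.4: sibling Require lines are OR-ed; only the listed range is admitted`. The heredoc starts and ends outside this hunk, so which directory this rule guards is not visible here.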
@@ -416,12 +395,7 @@ EOT
Allow from all
</IfVersion>
<IfVersion >= 2.4>
- <IfModule mod_perl.c>
- Allow from all
- </IfModule>
- <IfModule !mod_perl.c>
- Require all granted
- </IfModule>
+ Require all granted
</IfVersion>
</IfModule>
<IfModule !mod_version.c>
@@ -435,12 +409,7 @@ EOT
Deny from all
</IfVersion>
<IfVersion >= 2.4>
- <IfModule mod_perl.c>
- Deny from all
- </IfModule>
- <IfModule !mod_perl.c>
- Require all denied
- </IfModule>
+ Require all denied
</IfVersion>
</IfModule>
<IfModule !mod_version.c>
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index a76c13067..caadafe12 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -728,6 +728,9 @@ sub create {
{
my ($var) = @_;
$var = ' ' . $var if substr($var, 0, 1) eq '=';
+ # backslash is not special to CSV, but it can be used to confuse some browsers...
+ # so we do not allow it to happen. We only do this for logged-in users.
+ $var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id;
$var =~ s/\"/\"\"/g;
if ($var !~ /^-?(\d+\.)?\d*$/) {
$var = "\"$var\"";
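Review bot: The added substitution is lossy and conditional, and the comment does not say why either is acceptable: for a logged-in user every `\` in a CSV field becomes U+FF3C, so values such as Windows paths or regexes no longer round-trip, while an anonymous export of the same data keeps the original character. The comment names "some browsers" but not the behaviour being defended against, nor why anonymous sessions are exempt (presumably because only authenticated responses carry non-public data, but that is not stated). After confirming that rationale I would extend the comment along the lines of `# Lossy on purpose: '\' becomes U+FF3C so a browser cannot reinterpret the response; anonymous output holds no private data and is left intact.` The enclosing filter sub begins before and continues past this hunk.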
diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm
index 1c8d75bb4..e383cb515 100644
--- a/Bugzilla/WebService/Product.pm
+++ b/Bugzilla/WebService/Product.pm
@@ -28,6 +28,7 @@ use constant PUBLIC_METHODS => qw(
get
get_accessible_products
get_enterable_products
+ get_products
get_selectable_products
update
);
diff --git a/docs/bugzilla.ent.tmpl b/docs/bugzilla.ent.tmpl
index 74db0e08b..8c9f8c577 100644
--- a/docs/bugzilla.ent.tmpl
+++ b/docs/bugzilla.ent.tmpl
@@ -1,5 +1,5 @@
-<!ENTITY bz-ver "4.4.10">
-<!ENTITY bz-date "2015-09-10">
+<!ENTITY bz-ver "4.4.11">
+<!ENTITY bz-date "2015-12-22">
<!ENTITY current-year "2015">
diff --git a/docs/en/xml/installation.xml b/docs/en/xml/installation.xml
index 5ef6be582..4bc2da7e5 100644
--- a/docs/en/xml/installation.xml
+++ b/docs/en/xml/installation.xml
@@ -1058,7 +1058,7 @@ SetEnv LD_LIBRARY_PATH /u01/app/oracle/product/10.2.0/lib/
AddHandler cgi-script .cgi
Options +ExecCGI
DirectoryIndex index.cgi index.html
-AllowOverride Limit FileInfo Indexes Options
+AllowOverride All
&lt;/Directory&gt;
</programlisting>
diff --git a/mod_perl.pl b/mod_perl.pl
index 3f563417f..dba6f1480 100644
--- a/mod_perl.pl
+++ b/mod_perl.pl
@@ -74,7 +74,7 @@ PerlChildInitHandler "sub { Bugzilla::RNG::srand(); srand(); }"
PerlCleanupHandler Apache2::SizeLimit Bugzilla::ModPerl::CleanupHandler
PerlOptions +ParseHeaders
Options +ExecCGI
- AllowOverride Limit FileInfo Indexes Options
+ AllowOverride All
DirectoryIndex index.cgi index.html
</Directory>
EOT
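Review bot: `AllowOverride All` replaces an explicit list of override classes without a comment saying which additional class is actually needed. The `.htaccess` content generated in this commit now uses `Require`, which belongs to the `AuthConfig` class, so `AllowOverride Limit FileInfo Indexes Options AuthConfig` may be sufficient and would keep the allowlist explicit; I have not verified that no other class is required. If `All` is intended, a comment in the heredoc such as `# All: .htaccess files use Require (AuthConfig) on Apache 2.4` would record the reason. The same change is made in docs/en/xml/installation.xml, and the heredoc begins outside this hunk.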
diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi
index 4187bdd4e..00fd2061a 100755
--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
@@ -58,7 +58,7 @@ sub CreateImagemap {
# Pick up bugid from the mapdata label field. Getting the title from
# bugtitle hash instead of mapdata allows us to get the summary even
# when showsummary is off, and also gives us status and resolution.
- my $bugtitle = html_quote(clean_text($bugtitles{$bugid}));
+ my $bugtitle = $bugtitles{$bugid};
$map .= qq{<area alt="bug $bugid" name="bug$bugid" shape="rect" } .
qq{title="$bugtitle" href="$url" } .
qq{coords="$leftx,$topy,$rightx,$bottomy">\n};
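Review bot: `$bugtitle` is now interpolated into the `title="…"` attribute with no escaping at the point of output, so this line is safe only if every value stored in `%bugtitles` was escaped where it was built. The later hunk in this file escapes only `$summary`; the comment above says the title also carries status and resolution, and whether those are escaped before being stored is not visible here. I would add a comment on the assignment, `# %bugtitles values must already be HTML-escaped; nothing is quoted here`, and check that status and resolution pass through `html_quote` where `%bugtitles` is filled. CreateImagemap starts and ends outside this hunk.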
@@ -176,13 +176,16 @@ foreach my $k (@bug_ids) {
# Retrieve bug information from the database
my ($stat, $resolution, $summary) = $dbh->selectrow_array($sth, undef, $k);
+ $vars->{'short_desc'} = $summary if ($k eq $cgi->param('id'));
+
# Resolution and summary are shown only if user can see the bug
- if (!$user->can_see_bug($k)) {
+ if ($user->can_see_bug($k)) {
+ $summary = html_quote(clean_text($summary));
+ }
+ else {
$resolution = $summary = '';
}
- $vars->{'short_desc'} = $summary if ($k eq $cgi->param('id'));
-
my @params;
if ($summary ne "" && $cgi->param('showsummary')) {
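Review bot: `$vars->{'short_desc'}` is now assigned before the `can_see_bug` check, so it receives the raw summary even when the following branch blanks `$summary` for a bug the user may not see. That is harmless only if the `id` parameter has already been validated against the user's visibility earlier in the script, which this hunk does not show. If that guarantee is missing, move the assignment into the visible branch ahead of the escaping, i.e. `$vars->{'short_desc'} = $summary if $k eq $cgi->param('id');` as the first statement inside `if ($user->can_see_bug($k)) {`. Otherwise a one-line comment naming the earlier check would make the ordering safe to maintain. The foreach body continues past the hunk.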
diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl
index d810688a5..7763413bf 100644
--- a/template/en/default/pages/release-notes.html.tmpl
+++ b/template/en/default/pages/release-notes.html.tmpl
@@ -45,6 +45,25 @@
<h2 id="v44_point">Updates in this 4.4.x Release</h2>
+<h3>4.4.11</h3>
+
+<p>This release fixes two security issues. See the
+ <a href="https://www.bugzilla.org/security/4.2.15/">Security Advisory</a>
+ for details.</p>
+
+<p>This release also contains the following [% terms.bug %] fix:</p>
+
+<ul>
+ <li>mod_perl now works correctly with mod_access_compat turned off on
+ Apache 2.4. The (incorrect) fix implemented in [% terms.Bugzilla %] 4.4.9
+ has been backed out. To regenerate the <kbd>.htaccess</kbd> files, you
+ must first delete all existing ones in subdirectories:
+ <pre>find . -mindepth 2 -name .htaccess -exec rm -f {} \;</pre>
+ You must then run <kbd>checksetup.pl</kbd> again to recreate them with
+ the correct syntax.
+ (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1223790">[% terms.Bug %] 1223790</a>)</li>
+</ul>
+
<h3>4.4.10</h3>
<p>This release fixes one security issue. See the