diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 000000000..1f1a91bb4 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,10 @@ + + +#### Additional info + +* [bug#](https://bugzilla.mozilla.org/show_bug.cgi?id=) + diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 000000000..30ca4583b --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,82 @@ +# This is a basic workflow to help you get started with Actions + +name: Release Tests + +# Controls when the action will run. Triggers the workflow on push or pull request +# events but only for the main branch +on: + push: + branches: [ 4.4 ] + pull_request: + branches: [ 4.4 ] + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + ubuntu: + name: Release Tests on Ubuntu 20.04 + runs-on: ubuntu-20.04 + steps: + - name: Checkout the repository + uses: actions/checkout@v4 + - name: apt install + run: | + sudo apt-get update + sudo apt-get -y dist-upgrade + sudo apt-get install --ignore-hold --allow-downgrades -y \ + apache2 \ + mariadb-client-10.3 \ + netcat \ + libappconfig-perl \ + libdate-calc-perl \ + libtemplate-perl \ + build-essential \ + libdatetime-timezone-perl \ + libdatetime-perl \ + libemail-address-perl \ + libemail-sender-perl \ + libemail-mime-perl \ + libemail-mime-modifier-perl \ + libdbi-perl \ + libdbix-connector-perl \ + libdbd-mysql-perl \ + libcgi-pm-perl \ + libmath-random-isaac-perl \ + libmath-random-isaac-xs-perl \ + libapache2-mod-perl2 \ + libapache2-mod-perl2-dev \ + libchart-perl \ + libxml-perl \ + libxml-twig-perl \ + perlmagick \ + libgd-graph-perl \ + libtemplate-plugin-gd-perl \ + libsoap-lite-perl \ + libhtml-scrubber-perl \ + libjson-rpc-perl \ + libdaemon-generic-perl \ + libtheschwartz-perl \ + libtest-taint-perl \ + libauthen-radius-perl \ + libfile-slurp-perl \ + libencode-detect-perl \ + libmodule-build-perl \ + libnet-ldap-perl \ + libauthen-sasl-perl \ + libfile-mimeinfo-perl \ + libhtml-formattext-withlinks-perl \ + libpod-coverage-perl \ + liblocal-lib-perl \ + cpanminus \ + graphviz + # apparently we can't get this from apt on Ubuntu + - name: Install Email::Send from CPAN + run: 'cpanm --sudo install Return::Value Email::Send' + - name: Get Perl Version and debug info + run: '/usr/bin/perl -V' + - name: Run tests + run: | + export PATH="${GITHUB_WORKSPACE}/perl5/bin${PATH:+:${PATH}}" + export PERL5LIB="${GITHUB_WORKSPACE}/perl5${PERL5LIB:+:${PERL5LIB}}" + /usr/bin/perl runtests.pl diff --git a/.htaccess b/.htaccess index 3b464a475..22e6658bd 100644 --- a/.htaccess +++ b/.htaccess @@ -1,6 +1,16 @@ # Don't allow people to retrieve non-cgi executable files or our private data - deny from all + + + Deny from all + + = 2.4> + Require all denied + + + + Deny from all + Options -Indexes diff --git a/.travis.yml b/.travis.yml index 94c9ce1d2..1bbf29483 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,4 +1,8 @@ language: perl + +addons: + postgresql: "9.1" + perl: - 5.10 - 5.12 @@ -29,6 +33,10 @@ before_install: install: true +before_script: + - mysql -u root mysql -e "GRANT ALL PRIVILEGES ON *.* TO bugs@localhost IDENTIFIED BY 'bugs'; FLUSH PRIVILEGES;" + - psql -c "CREATE USER bugs WITH PASSWORD 'bugs' CREATEDB;" -U postgres + script: ./qa/travis.sh after_failure: diff --git a/Bugzilla/BugMail.pm b/Bugzilla/BugMail.pm index 5a2c9b788..644ed1f1c 100644 --- a/Bugzilla/BugMail.pm +++ b/Bugzilla/BugMail.pm @@ -387,9 +387,10 @@ sub _generate_bugmail { # TT trims the trailing newline, and threadingmarker may be ignored. my $email = new Email::MIME("$msg_header\n"); - if (scalar(@parts) == 1) { - $email->content_type_set($parts[0]->content_type); - } else { + + # If there's only one part, we don't need to set the overall content type + # because Email::MIME will automatically take it from that part (bug 1657496) + if (scalar(@parts) > 1) { $email->content_type_set('multipart/alternative'); # Some mail clients need same encoding for each part, even empty ones. $email->charset_set('UTF-8') if Bugzilla->params->{'utf8'}; diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 7df916b0c..19332b17a 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -283,6 +283,69 @@ sub close_standby_message { } } +our $ALLOW_UNSAFE_RESPONSE = 0; +# responding to text/plain or text/html is safe +# responding to any request with a referer header is safe +# some things need to have unsafe responses (attachment.cgi) +# everything else should get a 403. +sub _prevent_unsafe_response { + my ($self, $headers) = @_; + my $safe_content_type_re = qr{ + ^ (*COMMIT) # COMMIT makes the regex faster + # by preventing back-tracking. see also perldoc pelre. + # application/x-javascript, xml, atom+xml, rdf+xml, xml-dtd, and json + (?: application/ (?: x(?: -javascript | ml (?: -dtd )? ) + | (?: atom | rdf) \+ xml + | json ) + # text/csv, text/calendar, text/plain, and text/html + | text/ (?: c (?: alendar | sv ) + | plain + | html ) + # used for HTTP push responses + | multipart/x-mixed-replace) + }sx; + my $safe_referer_re = do { + # Note that urlbase must end with a /. + # It almost certainly does, but let's be extra careful. + my $urlbase = correct_urlbase(); + $urlbase =~ s{/$}{}; + qr{ + # Begins with literal urlbase + ^ (*COMMIT) + \Q$urlbase\E + # followed by a slash or end of string + (?: / + | $ ) + }sx + }; + + return if $ALLOW_UNSAFE_RESPONSE; + + if (Bugzilla->usage_mode == USAGE_MODE_BROWSER) { + # Safe content types are ones that arn't images. + # For now let's assume plain text and html are not valid images. + my $content_type = $headers->{'-type'} // $headers->{'-content_type'} // 'text/html'; + my $is_safe_content_type = $content_type =~ $safe_content_type_re; + + # Safe referers are ones that begin with the urlbase. + my $referer = $self->referer; + my $is_safe_referer = $referer && $referer =~ $safe_referer_re; + + if (!$is_safe_referer && !$is_safe_content_type) { + print $self->SUPER::header(-type => 'text/html', -status => '403 Forbidden'); + if ($content_type ne 'text/html') { + print "Untrusted Referer Header\n"; + if ($ENV{MOD_PERL}) { + my $r = $self->r; + $r->rflush; + $r->status(200); + } + } + exit; + } + } +} + # Override header so we can add the cookies in sub header { my $self = shift; @@ -293,6 +356,7 @@ sub header { # Since we're adding parameters below, we have to name it. unshift(@_, '-type' => shift(@_)); } + $self->_prevent_unsafe_response({@_}); if (!$user->id && $user->authorizer->can_login && !$self->cookie('Bugzilla_login_request_cookie')) diff --git a/Bugzilla/Chart.pm b/Bugzilla/Chart.pm index e343a0535..968d9a09b 100644 --- a/Bugzilla/Chart.pm +++ b/Bugzilla/Chart.pm @@ -418,11 +418,9 @@ sub dump { # Make sure we've read in our data my $data = $self->data; - + require Data::Dumper; - say "
Bugzilla::Chart object:";
-    print html_quote(Data::Dumper::Dumper($self));
-    print "
"; + return Data::Dumper::Dumper($self); } 1; diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index bd5b2dabc..ae9e8da55 100644 --- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -182,7 +182,7 @@ use Memoize; # CONSTANTS # # Bugzilla version -use constant BUGZILLA_VERSION => "4.4.7"; +use constant BUGZILLA_VERSION => "4.4.14"; # Location of the remote and local XML files to track new releases. use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml'; diff --git a/Bugzilla/DB/Sqlite.pm b/Bugzilla/DB/Sqlite.pm index 47cb0cd25..3470ffc12 100644 --- a/Bugzilla/DB/Sqlite.pm +++ b/Bugzilla/DB/Sqlite.pm @@ -215,6 +215,7 @@ sub sql_date_format { my ($self, $date, $format) = @_; $format = "%Y.%m.%d %H:%M:%S" if !$format; $format =~ s/\%i/\%M/g; + $format =~ s/\%s/\%S/g; return "STRFTIME(" . $self->quote($format) . ", $date)"; } diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm index aac447e28..eaca1f8b4 100644 --- a/Bugzilla/Install/Filesystem.pm +++ b/Bugzilla/Install/Filesystem.pm @@ -43,7 +43,17 @@ our @EXPORT = qw( use constant HT_DEFAULT_DENY => < + + Deny from all + + = 2.4> + Require all denied + + + + Deny from all + EOT ############### @@ -329,11 +339,31 @@ EOT "$graphsdir/.htaccess" => { perms => WS_SERVE, contents => < - Allow from all + + + Allow from all + + = 2.4> + Require all granted + + + + Allow from all + # And no directory listings, either. -Deny from all + + + Deny from all + + = 2.4> + Require all denied + + + + Deny from all + EOT }, @@ -342,17 +372,49 @@ EOT # if research.att.com ever changes their IP, or if you use a different # webdot server, you'll need to edit this - Allow from 192.20.225.0/24 - Deny from all + + + Allow from 192.20.225.0/24 + Deny from all + + = 2.4> + Require ip 192.20.225.0/24 + Require all denied + + + + Allow from 192.20.225.0/24 + Deny from all + # Allow access to .png files created by a local copy of 'dot' - Allow from all + + + Allow from all + + = 2.4> + Require all granted + + + + Allow from all + # And no directory listings, either. -Deny from all + + + Deny from all + + = 2.4> + Require all denied + + + + Deny from all + EOT }, ); diff --git a/Bugzilla/Install/Requirements.pm b/Bugzilla/Install/Requirements.pm index fbd7d7882..16a06d5eb 100644 --- a/Bugzilla/Install/Requirements.pm +++ b/Bugzilla/Install/Requirements.pm @@ -129,10 +129,12 @@ sub REQUIRED_MODULES { }, # 2.22 fixes various problems related to UTF8 strings in hash keys, # as well as line endings on Windows. + # 2.28-3.007 are broken, see https://bugzilla.mozilla.org/show_bug.cgi?id=1560873 { package => 'Template-Toolkit', module => 'Template', - version => '2.22' + version => '2.22', + blacklist => ['^2.2[89]$', '^3.00[0-7]$'] }, # 2.04 implement the "Test" method (to write to data/mailer.testfile). { @@ -141,6 +143,11 @@ sub REQUIRED_MODULES { version => ON_WINDOWS ? '2.16' : '2.04', blacklist => ['^2\.196$'] }, + { + package => 'Email-Address', + module => 'Email::Address', + version => 0, + }, { package => 'Email-MIME', module => 'Email::MIME', @@ -168,7 +175,8 @@ sub REQUIRED_MODULES { ); if (ON_WINDOWS) { - push(@modules, { + push(@modules, + { package => 'Win32', module => 'Win32', # 0.35 fixes a memory leak in GetOSVersion, which we use. @@ -179,7 +187,14 @@ sub REQUIRED_MODULES { module => 'Win32::API', # 0.55 fixes a bug with char* that might affect Bugzilla::RNG. version => '0.55', - }); + }, + { + package => 'DateTime-TimeZone-Local-Win32', + module => 'DateTime::TimeZone::Local::Win32', + # We require DateTime::TimeZone 0.79, so this version must match. + version => '0.79', + } + ); } my $extra_modules = _get_extension_requirements('REQUIRED_MODULES'); diff --git a/Bugzilla/Mailer.pm b/Bugzilla/Mailer.pm index 64640150b..1149eb0ad 100644 --- a/Bugzilla/Mailer.pm +++ b/Bugzilla/Mailer.pm @@ -19,8 +19,6 @@ use Bugzilla::Util; use Date::Format qw(time2str); -use Encode qw(encode); -use Encode::MIME::Header; use Email::Address; use Email::MIME; # Return::Value 1.666002 pollutes the error log with warnings about this @@ -71,22 +69,12 @@ sub MessageToMTA { # MIME-Version must be set otherwise some mailsystems ignore the charset $email->header_set('MIME-Version', '1.0') if !$email->header('MIME-Version'); - # Encode the headers correctly in quoted-printable + # Encode the headers correctly. foreach my $header ($email->header_names) { my @values = $email->header($header); - # We don't recode headers that happen multiple times. - next if scalar(@values) > 1; - if (my $value = $values[0]) { - if (Bugzilla->params->{'utf8'} && !utf8::is_utf8($value)) { - utf8::decode($value); - } - - # avoid excessive line wrapping done by Encode. - local $Encode::Encoding{'MIME-Q'}->{'bpl'} = 998; + map { utf8::decode($_) if defined($_) && !utf8::is_utf8($_) } @values; - my $encoded = encode('MIME-Q', $value); - $email->header_set($header, $encoded); - } + $email->header_str_set($header, @values); } my $from = $email->header('From'); diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm index eaab6002e..d67df03dd 100644 --- a/Bugzilla/Search.pm +++ b/Bugzilla/Search.pm @@ -31,7 +31,7 @@ use Date::Format; use Date::Parse; use Scalar::Util qw(blessed); use List::MoreUtils qw(all firstidx part uniq); -use POSIX qw(INT_MAX); +use POSIX qw(INT_MAX floor); use Storable qw(dclone); use Time::HiRes qw(gettimeofday tv_interval); @@ -2129,7 +2129,8 @@ sub SqlifyDate { } elsif ($unit eq 'm') { $month -= $amount; - while ($month<0) { $year--; $month += 12; } + $year += floor($month/12); + $month %= 12; if ($startof) { return sprintf("%4d-%02d-01 00:00:00", $year+1900, $month+1); } @@ -2400,11 +2401,17 @@ sub _user_nonchanged { sub _long_desc_changedby { my ($self, $args) = @_; my ($chart_id, $joins, $value) = @$args{qw(chart_id joins value)}; - + my $table = "longdescs_$chart_id"; push(@$joins, { table => 'longdescs', as => $table }); my $user_id = $self->_get_user_id($value); $args->{term} = "$table.who = $user_id"; + + # If the user is not part of the insiders group, they cannot see + # private comments + if (!$self->_user->is_insider) { + $args->{term} .= " AND $table.isprivate = 0"; + } } sub _long_desc_changedbefore_after { @@ -2412,7 +2419,7 @@ sub _long_desc_changedbefore_after { my ($chart_id, $operator, $value, $joins) = @$args{qw(chart_id operator value joins)}; my $dbh = Bugzilla->dbh; - + my $sql_operator = ($operator =~ /before/) ? '<=' : '>='; my $table = "longdescs_$chart_id"; my $sql_date = $dbh->quote(SqlifyDate($value)); diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index acfc5a50f..b9cbfcce0 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -631,6 +631,8 @@ sub create { $var =~ s/([\\\'\"\/])/\\$1/g; $var =~ s/\n/\\n/g; $var =~ s/\r/\\r/g; + $var =~ s/\x{2028}/\\u2028/g; # unicode line separator + $var =~ s/\x{2029}/\\u2029/g; # unicode paragraph separator $var =~ s/\@/\\x40/g; # anti-spam for email addresses $var =~ s//\\x3e/g; @@ -711,12 +713,16 @@ sub create { }, # In CSV, quotes are doubled, and any value containing a quote or a - # comma is enclosed in quotes. If a field starts with an equals - # sign, it is proceed by a space. + # comma is enclosed in quotes. + # If a field starts with either "=", "+", "-" or "@", it is preceded + # by a space to prevent stupid formula execution from Excel & co. csv => sub { my ($var) = @_; - $var = ' ' . $var if substr($var, 0, 1) eq '='; + $var = ' ' . $var if $var =~ /^[+=@-]/; + # backslash is not special to CSV, but it can be used to confuse some browsers... + # so we do not allow it to happen. We only do this for logged-in users. + $var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id; $var =~ s/\"/\"\"/g; if ($var !~ /^-?(\d+\.)?\d*$/) { $var = "\"$var\""; diff --git a/Bugzilla/Update.pm b/Bugzilla/Update.pm index 29133ecce..71c0dd9cd 100644 --- a/Bugzilla/Update.pm +++ b/Bugzilla/Update.pm @@ -47,7 +47,8 @@ sub get_notifications { 'latest_ver' => $branch->{'att'}->{'vid'}, 'status' => $branch->{'att'}->{'status'}, 'url' => $branch->{'att'}->{'url'}, - 'date' => $branch->{'att'}->{'date'} + 'date' => $branch->{'att'}->{'date'}, + 'eos_date' => exists($branch->{'att'}->{'eos-date'}) ? $branch->{'att'}->{'eos-date'} : undef, }; push(@releases, $release); } @@ -66,6 +67,35 @@ sub get_notifications { } } elsif (Bugzilla->params->{'upgrade_notification'} eq 'latest_stable_release') { + # We want the latest stable version for the current branch. + # If we are running a development snapshot, we won't match anything. + my $branch_version = $current_version[0] . '.' . $current_version[1]; + + # We do a string comparison instead of a numerical one, because + # e.g. 2.2 == 2.20, but 2.2 ne 2.20 (and 2.2 is indeed much older). + @release = grep {$_->{'branch_ver'} eq $branch_version} @releases; + + # If the branch has an end-of-support date listed, we should + # strongly suggest to upgrade to the latest stable release + # available. + if (scalar(@release) && $release[0]->{'status'} ne 'closed' + && defined($release[0]->{'eos_date'})) { + my $eos_date = $release[0]->{'eos_date'}; + @release = grep {$_->{'status'} eq 'stable'} @releases; + return {'data' => $release[0], + 'branch_version' => $branch_version, + 'eos_date' => $eos_date}; + }; + + # If the branch is now closed, we should strongly suggest + # to upgrade to the latest stable release available. + if (scalar(@release) && $release[0]->{'status'} eq 'closed') { + @release = grep {$_->{'status'} eq 'stable'} @releases; + return {'data' => $release[0], 'deprecated' => $branch_version}; + } + + # If we get here, then we want to recommend the lastest stable + # release without any other messages. @release = grep {$_->{'status'} eq 'stable'} @releases; } elsif (Bugzilla->params->{'upgrade_notification'} eq 'stable_branch_release') { @@ -77,6 +107,18 @@ sub get_notifications { # e.g. 2.2 == 2.20, but 2.2 ne 2.20 (and 2.2 is indeed much older). @release = grep {$_->{'branch_ver'} eq $branch_version} @releases; + # If the branch has an end-of-support date listed, we should + # strongly suggest to upgrade to the latest stable release + # available. + if (scalar(@release) && $release[0]->{'status'} ne 'closed' + && defined($release[0]->{'eos_date'})) { + my $eos_date = $release[0]->{'eos_date'}; + @release = grep {$_->{'status'} eq 'stable'} @releases; + return {'data' => $release[0], + 'branch_version' => $branch_version, + 'eos_date' => $eos_date} + }; + # If the branch is now closed, we should strongly suggest # to upgrade to the latest stable release available. if (scalar(@release) && $release[0]->{'status'} eq 'closed') { diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index aa94e44a1..a6a47fc29 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -28,7 +28,6 @@ use Bugzilla::Group; use DateTime::TimeZone; use List::Util qw(max); use Scalar::Util qw(blessed); -use Storable qw(dclone); use URI; use URI::QueryParam; @@ -123,7 +122,7 @@ sub new { my $class = ref($invocant) || $invocant; my ($param) = @_; - my $user = DEFAULT_USER; + my $user = { %{ DEFAULT_USER() } }; bless ($user, $class); return $user unless $param; @@ -133,7 +132,19 @@ sub new { $_[0] = $param; } } - return $class->SUPER::new(@_); + + $user = $class->SUPER::new(@_); + + # MySQL considers some non-ascii characters such as umlauts to equal + # ascii characters returning a user when it should not. + if ($user && ref $param eq 'HASH' && exists $param->{name}) { + my $login = $param->{name}; + if (lc $login ne lc $user->login) { + $user = undef; + } + } + + return $user; } sub super_user { @@ -141,7 +152,7 @@ sub super_user { my $class = ref($invocant) || $invocant; my ($param) = @_; - my $user = dclone(DEFAULT_USER); + my $user = { %{ DEFAULT_USER() } }; $user->{groups} = [Bugzilla::Group->get_all]; $user->{bless_groups} = [Bugzilla::Group->get_all]; bless $user, $class; @@ -247,8 +258,9 @@ sub _check_is_enabled { # Mutators ################################################################################ -sub set_disable_mail { $_[0]->set('disable_mail', $_[1]); } -sub set_extern_id { $_[0]->set('extern_id', $_[1]); } +sub set_disable_mail { $_[0]->set('disable_mail', $_[1]); } +sub set_email_enabled { $_[0]->set('disable_mail', !$_[1]); } +sub set_extern_id { $_[0]->set('extern_id', $_[1]); } sub set_login { my ($self, $login) = @_; @@ -2601,6 +2613,10 @@ i.e. if the 'insidergroup' parameter is set and the user belongs to this group. Returns true if the user is a global watcher, i.e. if the 'globalwatchers' parameter contains the user. +=item C + +C - Sets C to the inverse of the boolean provided. + =back =head1 CLASS FUNCTIONS diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index 4bd10e16c..527bae85a 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -681,12 +681,18 @@ sub validate_email_syntax { # RFC 2822 section 2.1 specifies that email addresses must # be made of US-ASCII characters only. # Email::Address::addr_spec doesn't enforce this. - my $ret = ($addr =~ /$match/ && $email !~ /\P{ASCII}/ && $email =~ /^$addr_spec$/); - if ($ret) { + # We set the max length to 127 to ensure addresses aren't truncated when + # inserted into the tokens.eventdata field. + if ($addr =~ /$match/ + && $email !~ /\P{ASCII}/ + && $email =~ /^$addr_spec$/ + && length($email) <= 127) + { # We assume these checks to suffice to consider the address untainted. trick_taint($_[0]); + return 1; } - return $ret ? 1 : 0; + return 0; } sub check_email_syntax { diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm index 419e5aac6..006925994 100644 --- a/Bugzilla/WebService/Bug.pm +++ b/Bugzilla/WebService/Bug.pm @@ -57,6 +57,8 @@ use constant PUBLIC_METHODS => qw( create fields get + get_bugs + get_history history legal_values possible_duplicates diff --git a/Bugzilla/WebService/Bugzilla.pm b/Bugzilla/WebService/Bugzilla.pm index a6037e67e..f6d5fc5f9 100644 --- a/Bugzilla/WebService/Bugzilla.pm +++ b/Bugzilla/WebService/Bugzilla.pm @@ -154,7 +154,7 @@ sub last_audit_time { sub parameters { my ($self, $args) = @_; - my $user = Bugzilla->login(); + my $user = Bugzilla->login(LOGIN_OPTIONAL); my $params = Bugzilla->params; $args ||= {}; diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm index 1c8d75bb4..e383cb515 100644 --- a/Bugzilla/WebService/Product.pm +++ b/Bugzilla/WebService/Product.pm @@ -28,6 +28,7 @@ use constant PUBLIC_METHODS => qw( get get_accessible_products get_enterable_products + get_products get_selectable_products update ); diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm index aba5d310b..0a0afd400 100644 --- a/Bugzilla/WebService/Server/JSONRPC.pm +++ b/Bugzilla/WebService/Server/JSONRPC.pm @@ -381,7 +381,7 @@ sub _argument_type_check { # Only allowed methods to be used from our whitelist if (none { $_ eq $method} $pkg->PUBLIC_METHODS) { - ThrowUserError('unknown_method', { method => $self->bz_method_name }); + ThrowCodeError('unknown_method', { method => $self->_bz_method_name }); } # This is the best time to do login checks. diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm index 5f9cb4515..266376aa0 100644 --- a/Bugzilla/WebService/Server/XMLRPC.pm +++ b/Bugzilla/WebService/Server/XMLRPC.pm @@ -96,6 +96,15 @@ use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST); use Bugzilla::WebService::Util qw(fix_credentials); use Scalar::Util qw(tainted); +sub new { + my $self = shift->SUPER::new(@_); + # Initialise XML::Parser to not expand references to entities, to prevent DoS + require XML::Parser; + my $parser = XML::Parser->new( NoExpand => 1, Handlers => { Default => sub {} } ); + $self->{_parser}->parser($parser, $parser); + return $self; +} + sub deserialize { my $self = shift; diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm index 5a7f25036..469e5c5cd 100644 --- a/Bugzilla/WebService/User.pm +++ b/Bugzilla/WebService/User.pm @@ -45,14 +45,12 @@ use constant MAPPED_FIELDS => { email => 'login', full_name => 'name', login_denied_text => 'disabledtext', - email_enabled => 'disable_mail' }; use constant MAPPED_RETURNS => { login_name => 'email', realname => 'full_name', disabledtext => 'login_denied_text', - disable_mail => 'email_enabled' }; ############## diff --git a/LICENSE b/LICENSE new file mode 100644 index 000000000..14e2f777f --- /dev/null +++ b/LICENSE @@ -0,0 +1,373 @@ +Mozilla Public License Version 2.0 +================================== + +1. Definitions +-------------- + +1.1. "Contributor" + means each individual or legal entity that creates, contributes to + the creation of, or owns Covered Software. + +1.2. "Contributor Version" + means the combination of the Contributions of others (if any) used + by a Contributor and that particular Contributor's Contribution. + +1.3. "Contribution" + means Covered Software of a particular Contributor. + +1.4. "Covered Software" + means Source Code Form to which the initial Contributor has attached + the notice in Exhibit A, the Executable Form of such Source Code + Form, and Modifications of such Source Code Form, in each case + including portions thereof. + +1.5. "Incompatible With Secondary Licenses" + means + + (a) that the initial Contributor has attached the notice described + in Exhibit B to the Covered Software; or + + (b) that the Covered Software was made available under the terms of + version 1.1 or earlier of the License, but not also under the + terms of a Secondary License. + +1.6. "Executable Form" + means any form of the work other than Source Code Form. + +1.7. "Larger Work" + means a work that combines Covered Software with other material, in + a separate file or files, that is not Covered Software. + +1.8. "License" + means this document. + +1.9. "Licensable" + means having the right to grant, to the maximum extent possible, + whether at the time of the initial grant or subsequently, any and + all of the rights conveyed by this License. + +1.10. "Modifications" + means any of the following: + + (a) any file in Source Code Form that results from an addition to, + deletion from, or modification of the contents of Covered + Software; or + + (b) any new file in Source Code Form that contains any Covered + Software. + +1.11. "Patent Claims" of a Contributor + means any patent claim(s), including without limitation, method, + process, and apparatus claims, in any patent Licensable by such + Contributor that would be infringed, but for the grant of the + License, by the making, using, selling, offering for sale, having + made, import, or transfer of either its Contributions or its + Contributor Version. + +1.12. "Secondary License" + means either the GNU General Public License, Version 2.0, the GNU + Lesser General Public License, Version 2.1, the GNU Affero General + Public License, Version 3.0, or any later versions of those + licenses. + +1.13. "Source Code Form" + means the form of the work preferred for making modifications. + +1.14. "You" (or "Your") + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that + controls, is controlled by, or is under common control with You. For + purposes of this definition, "control" means (a) the power, direct + or indirect, to cause the direction or management of such entity, + whether by contract or otherwise, or (b) ownership of more than + fifty percent (50%) of the outstanding shares or beneficial + ownership of such entity. + +2. License Grants and Conditions +-------------------------------- + +2.1. Grants + +Each Contributor hereby grants You a world-wide, royalty-free, +non-exclusive license: + +(a) under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or + as part of a Larger Work; and + +(b) under Patent Claims of such Contributor to make, use, sell, offer + for sale, have made, import, and otherwise transfer either its + Contributions or its Contributor Version. + +2.2. Effective Date + +The licenses granted in Section 2.1 with respect to any Contribution +become effective for each Contribution on the date the Contributor first +distributes such Contribution. + +2.3. Limitations on Grant Scope + +The licenses granted in this Section 2 are the only rights granted under +this License. No additional rights or licenses will be implied from the +distribution or licensing of Covered Software under this License. +Notwithstanding Section 2.1(b) above, no patent license is granted by a +Contributor: + +(a) for any code that a Contributor has removed from Covered Software; + or + +(b) for infringements caused by: (i) Your and any other third party's + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + +(c) under Patent Claims infringed by Covered Software in the absence of + its Contributions. + +This License does not grant any rights in the trademarks, service marks, +or logos of any Contributor (except as may be necessary to comply with +the notice requirements in Section 3.4). + +2.4. Subsequent Licenses + +No Contributor makes additional grants as a result of Your choice to +distribute the Covered Software under a subsequent version of this +License (see Section 10.2) or under the terms of a Secondary License (if +permitted under the terms of Section 3.3). + +2.5. Representation + +Each Contributor represents that the Contributor believes its +Contributions are its original creation(s) or it has sufficient rights +to grant the rights to its Contributions conveyed by this License. + +2.6. Fair Use + +This License is not intended to limit any rights You have under +applicable copyright doctrines of fair use, fair dealing, or other +equivalents. + +2.7. Conditions + +Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted +in Section 2.1. + +3. Responsibilities +------------------- + +3.1. Distribution of Source Form + +All distribution of Covered Software in Source Code Form, including any +Modifications that You create or to which You contribute, must be under +the terms of this License. You must inform recipients that the Source +Code Form of the Covered Software is governed by the terms of this +License, and how they can obtain a copy of this License. You may not +attempt to alter or restrict the recipients' rights in the Source Code +Form. + +3.2. Distribution of Executable Form + +If You distribute Covered Software in Executable Form then: + +(a) such Covered Software must also be made available in Source Code + Form, as described in Section 3.1, and You must inform recipients of + the Executable Form how they can obtain a copy of such Source Code + Form by reasonable means in a timely manner, at a charge no more + than the cost of distribution to the recipient; and + +(b) You may distribute such Executable Form under the terms of this + License, or sublicense it under different terms, provided that the + license for the Executable Form does not attempt to limit or alter + the recipients' rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + +You may create and distribute a Larger Work under terms of Your choice, +provided that You also comply with the requirements of this License for +the Covered Software. If the Larger Work is a combination of Covered +Software with a work governed by one or more Secondary Licenses, and the +Covered Software is not Incompatible With Secondary Licenses, this +License permits You to additionally distribute such Covered Software +under the terms of such Secondary License(s), so that the recipient of +the Larger Work may, at their option, further distribute the Covered +Software under the terms of either this License or such Secondary +License(s). + +3.4. Notices + +You may not remove or alter the substance of any license notices +(including copyright notices, patent notices, disclaimers of warranty, +or limitations of liability) contained within the Source Code Form of +the Covered Software, except that You may alter any license notices to +the extent required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + +You may choose to offer, and to charge a fee for, warranty, support, +indemnity or liability obligations to one or more recipients of Covered +Software. However, You may do so only on Your own behalf, and not on +behalf of any Contributor. You must make it absolutely clear that any +such warranty, support, indemnity, or liability obligation is offered by +You alone, and You hereby agree to indemnify every Contributor for any +liability incurred by such Contributor as a result of warranty, support, +indemnity or liability terms You offer. You may include additional +disclaimers of warranty and limitations of liability specific to any +jurisdiction. + +4. Inability to Comply Due to Statute or Regulation +--------------------------------------------------- + +If it is impossible for You to comply with any of the terms of this +License with respect to some or all of the Covered Software due to +statute, judicial order, or regulation then You must: (a) comply with +the terms of this License to the maximum extent possible; and (b) +describe the limitations and the code they affect. Such description must +be placed in a text file included with all distributions of the Covered +Software under this License. Except to the extent prohibited by statute +or regulation, such description must be sufficiently detailed for a +recipient of ordinary skill to be able to understand it. + +5. Termination +-------------- + +5.1. The rights granted under this License will terminate automatically +if You fail to comply with any of its terms. However, if You become +compliant, then the rights granted under this License from a particular +Contributor are reinstated (a) provisionally, unless and until such +Contributor explicitly and finally terminates Your grants, and (b) on an +ongoing basis, if such Contributor fails to notify You of the +non-compliance by some reasonable means prior to 60 days after You have +come back into compliance. Moreover, Your grants from a particular +Contributor are reinstated on an ongoing basis if such Contributor +notifies You of the non-compliance by some reasonable means, this is the +first time You have received notice of non-compliance with this License +from such Contributor, and You become compliant prior to 30 days after +Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent +infringement claim (excluding declaratory judgment actions, +counter-claims, and cross-claims) alleging that a Contributor Version +directly or indirectly infringes any patent, then the rights granted to +You by any and all Contributors for the Covered Software under Section +2.1 of this License shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all +end user license agreements (excluding distributors and resellers) which +have been validly granted by You or Your distributors under this License +prior to termination shall survive termination. + +************************************************************************ +* * +* 6. Disclaimer of Warranty * +* ------------------------- * +* * +* Covered Software is provided under this License on an "as is" * +* basis, without warranty of any kind, either expressed, implied, or * +* statutory, including, without limitation, warranties that the * +* Covered Software is free of defects, merchantable, fit for a * +* particular purpose or non-infringing. The entire risk as to the * +* quality and performance of the Covered Software is with You. * +* Should any Covered Software prove defective in any respect, You * +* (not any Contributor) assume the cost of any necessary servicing, * +* repair, or correction. This disclaimer of warranty constitutes an * +* essential part of this License. No use of any Covered Software is * +* authorized under this License except under this disclaimer. * +* * +************************************************************************ + +************************************************************************ +* * +* 7. Limitation of Liability * +* -------------------------- * +* * +* Under no circumstances and under no legal theory, whether tort * +* (including negligence), contract, or otherwise, shall any * +* Contributor, or anyone who distributes Covered Software as * +* permitted above, be liable to You for any direct, indirect, * +* special, incidental, or consequential damages of any character * +* including, without limitation, damages for lost profits, loss of * +* goodwill, work stoppage, computer failure or malfunction, or any * +* and all other commercial damages or losses, even if such party * +* shall have been informed of the possibility of such damages. This * +* limitation of liability shall not apply to liability for death or * +* personal injury resulting from such party's negligence to the * +* extent applicable law prohibits such limitation. Some * +* jurisdictions do not allow the exclusion or limitation of * +* incidental or consequential damages, so this exclusion and * +* limitation may not apply to You. * +* * +************************************************************************ + +8. Litigation +------------- + +Any litigation relating to this License may be brought only in the +courts of a jurisdiction where the defendant maintains its principal +place of business and such litigation shall be governed by laws of that +jurisdiction, without reference to its conflict-of-law provisions. +Nothing in this Section shall prevent a party's ability to bring +cross-claims or counter-claims. + +9. Miscellaneous +---------------- + +This License represents the complete agreement concerning the subject +matter hereof. If any provision of this License is held to be +unenforceable, such provision shall be reformed only to the extent +necessary to make it enforceable. Any law or regulation which provides +that the language of a contract shall be construed against the drafter +shall not be used to construe this License against a Contributor. + +10. Versions of the License +--------------------------- + +10.1. New Versions + +Mozilla Foundation is the license steward. Except as provided in Section +10.3, no one other than the license steward has the right to modify or +publish new versions of this License. Each version will be given a +distinguishing version number. + +10.2. Effect of New Versions + +You may distribute the Covered Software under the terms of the version +of the License under which You originally received the Covered Software, +or under the terms of any subsequent version published by the license +steward. + +10.3. Modified Versions + +If you create software not governed by this License, and you want to +create a new license for such software, you may create and use a +modified version of this License if you rename the license and remove +any references to the name of the license steward (except to note that +such modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary +Licenses + +If You choose to distribute Source Code Form that is Incompatible With +Secondary Licenses under the terms of this version of the License, the +notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice +------------------------------------------- + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular +file, then You may include the notice in a location (such as a LICENSE +file in a relevant directory) where a recipient would be likely to look +for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - "Incompatible With Secondary Licenses" Notice +--------------------------------------------------------- + + This Source Code Form is "Incompatible With Secondary Licenses", as + defined by the Mozilla Public License, v. 2.0. diff --git a/README b/README index 041aebc13..e68afd8e4 100644 --- a/README +++ b/README @@ -1,92 +1,54 @@ -What is Bugzilla? -================= -Bugzilla is a free bug-tracking system that is developed by an active -community of volunteers in the Mozilla community. You can install and -use it without having to pay any license fee. - -Minimum requirements -==================== -It can be installed on Windows, Mac OS X, Linux and other Unix flavors. -Bugzilla is written in Perl, meaning that Perl must be installed on your system. -You will also need a web server as well as a DB server (see below). - -Installation & Upgrading -======================== -The documentation to install, upgrade, configure and use Bugzilla can be found -in different formats: -* docs/en/html/Bugzilla-Guide.html (HTML version) -* docs/en/txt/Bugzilla-Guide.txt (text version) -* docs/en/pdf/Bugzilla-Guide.pdf (PDF version) - -If the documentation is missing, you can get it online by visiting -http://www.bugzilla.org/docs/ from where you can select the documentation -corresponding to the Bugzilla version you are installing. - -Bugzilla Quick Start Guide -========================== -(or, how to get Bugzilla up and running in 10 steps) -Christian Reis - -This express installation guide is for "normal" Bugzilla installations, -which means a Linux or Unix system on which Apache, Perl, MySQL or PostgreSQL -and a Sendmail compatible MTA are available. For other configurations, please -see the "Installing Bugzilla" section of the Bugzilla Guide in the docs/ directory. - -1. Decide from which URL and directory under your webserver root you - will be serving the Bugzilla webpages. - -2. Unpack the distribution into the chosen directory (there is no copying or - installation involved). - -3. Run ./checksetup.pl, look for unsolved requirements, and install them. - You can run checksetup as many times as necessary to check if - everything required has been installed. - - These will usually include assorted Perl modules, MySQL or PostgreSQL, - and a MTA. - - After a successful dependency check, checksetup should complain that - localconfig needs to be edited. - -4. Edit the localconfig file, in particular the $webservergroup and - $db_* variables. In particular, $db_name and $db_user will define - your database setup in step 5. - -5. Create a user permission for the name supplied as $db_user with - read/write access to the database whose name is given by $db_name. - - If you are not familiar with MySQL permissions, it's a good idea to - use the mysql_setpermission script that is installed with the MySQL - distribution, and be sure to read Bugzilla Security - MySQL section - in the Bugzilla Guide or PostgreSQL documentation. - -6. Run checksetup.pl once more; if all goes well, it should set up the - Bugzilla database for you. If not, return to step 5. - - checksetup.pl should ask you, this time, for the administrator's - email address and password. These will be used for the initial - Bugzilla administrator account. - -7. Configure Apache (or install and configure, if you don't have it up - yet) to point to the Bugzilla directory. You can choose between - mod_cgi and mod_perl. The Bugzilla documentation has detailed information - for both modes. - -8. Visit the URL you chose for Bugzilla. Your browser should display the - default Bugzilla home page. You should then log in as the - administrator by following the "Log in" link and supplying the - account information you provided in step 6. - -9. Visit the "Parameters" page, as suggested by the page displayed to you. - Set up the relevant parameters for your local setup. - -10. That's it. If anything unexpected comes up: - - - read the error message carefully, - - backtrack through the steps above, - - check the official installation guide. - -Support and installation questions should be directed to the -support-bugzilla@lists.mozilla.org mailing list. - -Further support information is at http://www.bugzilla.org/support/ +Bugzilla +======== + +Bugzilla is free and open source web-based bug-tracking software that is +developed by an active group of volunteers in the Mozilla community, and used +by thousands of projects and companies around the world. It can be installed on +Linux and other flavors of Unix, Windows or Mac OS X. + +You can try Bugzilla out using our testing installation: +https://landfill.bugzilla.org/bugzilla-tip/ + +Documentation +============= + +Bugzilla's comprehensive documentation, including installation instructions, +can be found here: +http://www.bugzilla.org/docs/ + +Reporting Bugs +============== + +Report bugs here: +https://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla + +(Please do not file test bugs in this installation of Bugzilla.) + +Mailing Lists +============= + +Development: +https://www.mozilla.org/en-US/about/forums/#dev-apps-bugzilla + +Support: +https://www.mozilla.org/en-US/about/forums/#support-bugzilla + +IRC +=== + +You can often find Bugzilla developers on IRC: +irc://irc.mozilla.org/bugzilla + +License +======= + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, You can obtain one at http://mozilla.org/MPL/2.0/. + +This Source Code Form is "Incompatible With Secondary Licenses", as +defined by the Mozilla Public License, v. 2.0. + +However, this is all only relevant to you if you want to modify the code and +redistribute it. As with all open source software, there are no restrictions +on running it, or on modifying it for your own purposes. diff --git a/attachment.cgi b/attachment.cgi index e003e1f12..cfcb8f5f9 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -31,6 +31,7 @@ use Bugzilla::Token; use Bugzilla::Keyword; use Encode qw(encode find_encoding); +use Encode::MIME::Header; # Required to alter Encode::Encoding{'MIME-Q'}. # For most scripts we don't make $cgi and $template global variables. But # when preparing Bugzilla for mod_perl, this script used these @@ -39,6 +40,7 @@ use Encode qw(encode find_encoding); local our $cgi = Bugzilla->cgi; local our $template = Bugzilla->template; local our $vars = {}; +local $Bugzilla::CGI::ALLOW_UNSAFE_RESPONSE = 1; ################################################################################ # Main Body Execution diff --git a/chart.cgi b/chart.cgi index 7f21fd098..6e995a4e0 100755 --- a/chart.cgi +++ b/chart.cgi @@ -94,6 +94,13 @@ $user->in_group(Bugzilla->params->{"chartgroup"}) # Only admins may create public queries $user->in_group('admin') || $cgi->delete('public'); +if ($cgi->param('debug') + && Bugzilla->params->{debug_group} + && Bugzilla->user->in_group(Bugzilla->params->{debug_group}) + ) { + $vars->{'debug'} = 1; +} + # All these actions relate to chart construction. if ($action =~ /^(assemble|add|remove|sum|subscribe|unsubscribe)$/) { # These two need to be done before the creation of the Chart object, so @@ -304,9 +311,12 @@ sub plot { my $format = $template->get_format("reports/chart", "", scalar($cgi->param('ctype'))); # Debugging PNGs is a pain; we need to be able to see the error messages - if ($cgi->param('debug')) { - print $cgi->header(); - $vars->{'chart'}->dump(); + if (exists $vars->{'debug'}) { + # Bug 1439260 - if we're using debug mode, always use the HTML template + # which has proper filters in it. Debug forces an HTML content type + # anyway, and can cause XSS if we're not filtering the output. + $format = $template->get_format("reports/chart", "", "html"); + $vars->{'debug_dump'} = $vars->{'chart'}->dump(); } print $cgi->header($format->{'ctype'}); @@ -348,7 +358,9 @@ sub view { # If we have having problems with bad data, we can set debug=1 to dump # the data structure. - $chart->dump() if $cgi->param('debug'); + if (exists $vars->{'debug'}) { + $vars->{'debug_dump'} = $chart->dump(); + } $template->process("reports/create-chart.html.tmpl", $vars) || ThrowTemplateError($template->error()); diff --git a/checksetup.pl b/checksetup.pl index bcc1ad8ea..ab7ea9f7a 100755 --- a/checksetup.pl +++ b/checksetup.pl @@ -15,12 +15,13 @@ use strict; use 5.008001; use File::Basename; +BEGIN { chdir dirname($0); } +use lib qw(. lib); + use Getopt::Long qw(:config bundling); use Pod::Usage; use Safe; -BEGIN { chdir dirname($0); } -use lib qw(. lib); use Bugzilla::Constants; use Bugzilla::Install::Requirements; use Bugzilla::Install::Util qw(install_string get_version_and_os diff --git a/importxml.pl b/importxml.pl index e7dc9761b..97c022f6a 100755 --- a/importxml.pl +++ b/importxml.pl @@ -1264,6 +1264,9 @@ my $twig = XML::Twig->new( }, start_tag_handlers => { bugzilla => \&init } ); +# Prevent DoS using the billion laughs attack. +$twig->{NoExpand} = 1; + $twig->parse($xml); my $root = $twig->root; my $maintainer = $root->{'att'}->{'maintainer'}; diff --git a/mod_perl.pl b/mod_perl.pl index ae15ae5fc..4794e285a 100644 --- a/mod_perl.pl +++ b/mod_perl.pl @@ -73,7 +73,7 @@ PerlChildInitHandler "sub { Bugzilla::RNG::srand(); srand(); }" PerlCleanupHandler Apache2::SizeLimit Bugzilla::ModPerl::CleanupHandler PerlOptions +ParseHeaders Options +ExecCGI - AllowOverride Limit FileInfo Indexes Options + AllowOverride All DirectoryIndex index.cgi index.html EOT diff --git a/relogin.cgi b/relogin.cgi index 337d1b208..b86463bb8 100755 --- a/relogin.cgi +++ b/relogin.cgi @@ -61,6 +61,9 @@ elsif ($action eq 'prepare-sudo') { -httponly => 1, %args); + # The user ID must not be set when generating the token, because + # that information will not be available when validating it. + local Bugzilla->user->{userid} = 0; $vars->{'login_request_token'} = issue_hash_token(['login_request', $value]); } diff --git a/report.cgi b/report.cgi index f4f015b92..4b1356163 100755 --- a/report.cgi +++ b/report.cgi @@ -311,7 +311,12 @@ my $format = $template->get_format("reports/report", $formatparam, # If we get a template or CGI error, it comes out as HTML, which isn't valid # PNG data, and the browser just displays a "corrupt PNG" message. So, you can # set debug=1 to always get an HTML content-type, and view the error. -$format->{'ctype'} = "text/html" if $cgi->param('debug'); +if (exists $vars->{'debug'}) { + # Bug 1439260 - if we're using debug mode, always use the HTML template + # which has proper filters in it. Debug forces an HTML content type + # anyway, and can cause XSS if we're not filtering the output. + $format = $template->get_format("reports/report", $formatparam, "html"); +} my @time = localtime(time()); my $date = sprintf "%04d-%02d-%02d", 1900+$time[5],$time[4]+1,$time[3]; @@ -321,12 +326,10 @@ print $cgi->header(-type => $format->{'ctype'}, # Problems with this CGI are often due to malformed data. Setting debug=1 # prints out both data structures. -if ($cgi->param('debug')) { +if (exists $vars->{'debug'}) { require Data::Dumper; - say "
data hash:";
-    say html_quote(Data::Dumper::Dumper(%data));
-    say "\ndata array:";
-    say html_quote(Data::Dumper::Dumper(@image_data)) . "\n\n
"; + $vars->{'debug_hash'} = Data::Dumper::Dumper(%data); + $vars->{'debug_array'} = Data::Dumper::Dumper(@image_data); } # All formats point to the same section of the documentation. diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi index 4187bdd4e..4a451c104 100755 --- a/showdependencygraph.cgi +++ b/showdependencygraph.cgi @@ -52,13 +52,19 @@ sub CreateImagemap { $default = qq{\n}; } - if ($line =~ /^rectangle \((.*),(.*)\) \((.*),(.*)\) (http[^ ]*) (\d+)(\\n.*)?$/) { + if ($line =~ /^rectangle \((\d+),(\d+)\) \((\d+),(\d+)\) (http[^ ]*) (\d+)(?:\\n.*)?$/) { my ($leftx, $rightx, $topy, $bottomy, $url, $bugid) = ($1, $3, $2, $4, $5, $6); # Pick up bugid from the mapdata label field. Getting the title from # bugtitle hash instead of mapdata allows us to get the summary even # when showsummary is off, and also gives us status and resolution. - my $bugtitle = html_quote(clean_text($bugtitles{$bugid})); + # This text is safe; it has already been escaped. + my $bugtitle = $bugtitles{$bugid}; + + # The URL is supposed to be safe, because it's built manually. + # But in case someone manages to inject code, it's safer to escape it. + $url = html_quote($url); + $map .= qq{bug $bugid\n}; @@ -176,13 +182,16 @@ foreach my $k (@bug_ids) { # Retrieve bug information from the database my ($stat, $resolution, $summary) = $dbh->selectrow_array($sth, undef, $k); + $vars->{'short_desc'} = $summary if ($k eq $cgi->param('id')); + # Resolution and summary are shown only if user can see the bug - if (!$user->can_see_bug($k)) { + if ($user->can_see_bug($k)) { + $summary = html_quote(clean_text($summary)); + } + else { $resolution = $summary = ''; } - $vars->{'short_desc'} = $summary if ($k eq $cgi->param('id')); - my @params; if ($summary ne "" && $cgi->param('showsummary')) { diff --git a/t/002goodperl.t b/t/002goodperl.t index 2cbee8ef5..8bbe657b3 100644 --- a/t/002goodperl.t +++ b/t/002goodperl.t @@ -12,7 +12,7 @@ use strict; -use lib 't'; +use lib qw(. lib t); use Support::Files; diff --git a/t/003safesys.t b/t/003safesys.t index 0d6a215b1..46432662f 100644 --- a/t/003safesys.t +++ b/t/003safesys.t @@ -12,7 +12,7 @@ use strict; -use lib 't'; +use lib qw(. lib t); use Support::Files; @@ -38,7 +38,16 @@ my $perlapp = "\"$^X\""; foreach my $file (@testitems) { $file =~ s/\s.*$//; # nuke everything after the first space (#comment) next if (!$file); # skip null entries - my $command = "$perlapp -c -It -MSupport::Systemexec $file 2>&1"; + + open(my $fh2, '<', $file); + my $bang = <$fh2>; + close $fh2; + + my $T = ""; + if ($bang =~ m/#!\S*perl\s+-.*T/) { + $T = "T"; + } + my $command = "$perlapp -c$T -It -MSupport::Systemexec $file 2>&1"; my $loginfo=`$command`; if ($loginfo =~ /arguments for Support::Systemexec::(system|exec)/im) { ok(0,"$file DOES NOT use proper system or exec calls"); diff --git a/t/004template.t b/t/004template.t index 604559dc0..7e4973c35 100644 --- a/t/004template.t +++ b/t/004template.t @@ -11,7 +11,7 @@ use strict; -use lib 't'; +use lib qw(. lib t); use Support::Templates; diff --git a/t/005whitespace.t b/t/005whitespace.t index 624df69f6..124fbfe77 100644 --- a/t/005whitespace.t +++ b/t/005whitespace.t @@ -11,7 +11,7 @@ use strict; -use lib 't'; +use lib qw(. lib t); use Support::Files; use Support::Templates; diff --git a/t/006spellcheck.t b/t/006spellcheck.t index 07cd3ea8c..4382e4f9e 100644 --- a/t/006spellcheck.t +++ b/t/006spellcheck.t @@ -10,7 +10,7 @@ #Bugzilla Test 6# ####Spelling##### -use lib 't'; +use lib qw(. lib t); use Support::Files; BEGIN { # yes the indenting is off, deal with it diff --git a/t/007util.t b/t/007util.t index 495102ffa..f3c25f076 100644 --- a/t/007util.t +++ b/t/007util.t @@ -9,7 +9,7 @@ #Bugzilla Test 7# #####Util.pm##### -use lib 't'; +use lib qw(. lib t); use Support::Files; use Test::More tests => 17; use DateTime; diff --git a/t/009bugwords.t b/t/009bugwords.t index 66262655c..a31f5d65d 100644 --- a/t/009bugwords.t +++ b/t/009bugwords.t @@ -17,7 +17,7 @@ use strict; -use lib 't'; +use lib qw(. t lib); use Support::Files; use Support::Templates; diff --git a/t/010dependencies.t b/t/010dependencies.t index d84688a7e..a6402d3df 100644 --- a/t/010dependencies.t +++ b/t/010dependencies.t @@ -66,7 +66,7 @@ foreach my $module (keys %mods) { $used =~ s#/#::#g; $used =~ s#\.pm$##; $used =~ s#\$module#[^:]+#; - $used =~ s#\${[^}]+}#[^:]+#; + $used =~ s#\$\{[^}]+\}#[^:]+#; $used =~ s#[" ]##g; push(@use, grep(/^\Q$used\E$/, keys %mods)); } diff --git a/t/011pod.t b/t/011pod.t index c638dbcde..c3b20b650 100644 --- a/t/011pod.t +++ b/t/011pod.t @@ -12,7 +12,7 @@ use strict; -use lib 't'; +use lib qw(. lib t); use Support::Files; use Pod::Checker; diff --git a/taskgraph.json b/taskgraph.json new file mode 100644 index 000000000..23eafb9ce --- /dev/null +++ b/taskgraph.json @@ -0,0 +1,264 @@ +{ + "metadata": { + "name": "Bugzilla Task Graph", + "description": "A suite of tests to check the quality of the Bugzilla codebase.", + "owner": "dlawrence@mozilla.com", + "source": "https://raw.githubusercontent.com/bugzilla/bugzilla/4.4/taskgraph.json" + }, + "tasks": [ + { + "reruns": 3, + "maxRunTime": 3000, + "task": { + "expires": "2018-02-18T17:33:38.806Z", + "metadata": { + "name": "Basic Sanity Tests" + }, + "provisionerId": "aws-provisioner-v1", + "workerType": "b2gtest", + "payload": { + "image": "bugzilla/bugzilla-ci", + "command": ["runtests.sh"], + "env": { + "TEST_SUITE": "sanity" + }, + "artifacts": { + "public/runtests_log": { + "type": "file", + "path": "/tmp/runtests.log", + "expires": "2018-02-17T17:33:38.806Z" + } + } + }, + "extra": { + "treeherder": { + "symbol": "San", + "machine": { + "platform": "linux64" + }, + "build": { + "platform": "linux64" + } + } + } + } + }, + { + "reruns": 3, + "maxRunTime": 3000, + "task": { + "expires": "2018-02-18T17:33:38.806Z", + "metadata": { + "name": "Documentation Build Test" + }, + "provisionerId": "aws-provisioner-v1", + "workerType": "b2gtest", + "payload": { + "image": "bugzilla/bugzilla-ci", + "command": ["runtests.sh"], + "env": { + "TEST_SUITE": "docs" + }, + "artifacts": { + "public/runtests_log": { + "type": "file", + "path": "/tmp/runtests.log", + "expires": "2018-02-17T17:33:38.806Z" + } + } + }, + "extra": { + "treeherder": { + "symbol": "Doc", + "machine": { + "platform": "linux64" + }, + "build": { + "platform": "linux64" + } + } + } + } + }, + { + "reruns": 3, + "maxRunTime": 7200, + "task": { + "expires": "2018-02-18T17:33:38.806Z", + "metadata": { + "name": "WebService API Tests (MySQL)" + }, + "provisionerId": "aws-provisioner-v1", + "workerType": "b2gtest", + "payload": { + "image": "bugzilla/bugzilla-ci", + "command": ["runtests.sh"], + "env": { + "TEST_SUITE": "webservices" + }, + "artifacts": { + "public/runtests_log": { + "type": "file", + "path": "/tmp/runtests.log", + "expires": "2018-02-17T17:33:38.806Z" + }, + "public/httpd_error_log": { + "type": "file", + "path": "/var/log/httpd/error_log", + "expires": "2018-02-17T17:33:38.806Z" + } + } + }, + "extra": { + "treeherder": { + "symbol": "API", + "machine": { + "platform": "linux64" + }, + "build": { + "platform": "linux64" + } + } + } + } + }, + { + "reruns": 3, + "maxRunTime": 7200, + "task": { + "expires": "2018-02-18T17:33:38.806Z", + "metadata": { + "name": "Selenium Tests (MySQL)" + }, + "provisionerId": "aws-provisioner-v1", + "workerType": "b2gtest", + "payload": { + "image": "bugzilla/bugzilla-ci", + "command": ["runtests.sh"], + "env": { + "TEST_SUITE": "selenium" + }, + "artifacts": { + "public/runtests_log": { + "type": "file", + "path": "/tmp/runtests.log", + "expires": "2018-02-17T17:33:38.806Z" + }, + "public/httpd_error_log": { + "type": "file", + "path": "/var/log/httpd/error_log", + "expires": "2018-02-17T17:33:38.806Z" + }, + "public/selenium_log": { + "type": "file", + "path": "/tmp/selenium.log", + "expires": "2018-02-17T17:33:38.806Z" + } + } + }, + "extra": { + "treeherder": { + "symbol": "Sel", + "machine": { + "platform": "linux64" + }, + "build": { + "platform": "linux64" + } + } + } + } + }, + { + "reruns": 3, + "maxRunTime": 7200, + "task": { + "expires": "2018-02-18T17:33:38.806Z", + "metadata": { + "name": "WebService API Tests (Pg)" + }, + "provisionerId": "aws-provisioner-v1", + "workerType": "b2gtest", + "payload": { + "image": "bugzilla/bugzilla-ci", + "command": ["runtests.sh"], + "env": { + "BUGS_DB_DRIVER": "pg", + "TEST_SUITE": "webservices" + }, + "artifacts": { + "public/runtests_log": { + "type": "file", + "path": "/tmp/runtests.log", + "expires": "2018-02-17T17:33:38.806Z" + }, + "public/httpd_error_log": { + "type": "file", + "path": "/var/log/httpd/error_log", + "expires": "2018-02-17T17:33:38.806Z" + } + } + }, + "extra": { + "treeherder": { + "symbol": "API-Pg", + "machine": { + "platform": "linux64" + }, + "build": { + "platform": "linux64" + } + } + } + } + }, + { + "reruns": 3, + "maxRunTime": 7200, + "task": { + "expires": "2018-02-18T17:33:38.806Z", + "metadata": { + "name": "Selenium Tests (Pg)" + }, + "provisionerId": "aws-provisioner-v1", + "workerType": "b2gtest", + "payload": { + "image": "bugzilla/bugzilla-ci", + "command": ["runtests.sh"], + "env": { + "BUGS_DB_DRIVER": "pg", + "TEST_SUITE": "selenium" + }, + "artifacts": { + "public/runtests_log": { + "type": "file", + "path": "/tmp/runtests.log", + "expires": "2018-02-17T17:33:38.806Z" + }, + "public/httpd_error_log": { + "type": "file", + "path": "/var/log/httpd/error_log", + "expires": "2018-02-17T17:33:38.806Z" + }, + "public/selenium_log": { + "type": "file", + "path": "/tmp/selenium.log", + "expires": "2018-02-17T17:33:38.806Z" + } + } + }, + "extra": { + "treeherder": { + "symbol": "Sel-Pg", + "machine": { + "platform": "linux64" + }, + "build": { + "platform": "linux64" + } + } + } + } + } + ] +} diff --git a/template/en/default/global/tabs.html.tmpl b/template/en/default/global/tabs.html.tmpl index 454066889..dc9ca4c0a 100644 --- a/template/en/default/global/tabs.html.tmpl +++ b/template/en/default/global/tabs.html.tmpl @@ -25,7 +25,7 @@ [% tab.label FILTER html %] [% ELSE %] + onClick="document.location='[% tab.link FILTER js FILTER html %]'"> [% tab.label FILTER html %] [% END %] diff --git a/template/en/default/index.html.tmpl b/template/en/default/index.html.tmpl index b47b912c0..87cfa5921 100644 --- a/template/en/default/index.html.tmpl +++ b/template/en/default/index.html.tmpl @@ -58,6 +58,12 @@ YAHOO.util.Event.onDOMReady(onLoadActions); [% IF release %]
[% IF release.data %] + [% IF release.eos_date %] +

[% terms.Bugzilla %] [%+ release.branch_version FILTER html %] will + no longer receive security updates after [% release.eos_date FILTER html %]. + You are highly encouraged to upgrade in order to keep your + system secure.

+ [% END %] [% IF release.deprecated %]

[% terms.Bugzilla %] [%+ release.deprecated FILTER html %] is no longer supported. You are highly encouraged to upgrade in order to keep your diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl index bafd9184a..bcec5a13e 100644 --- a/template/en/default/pages/release-notes.html.tmpl +++ b/template/en/default/pages/release-notes.html.tmpl @@ -45,6 +45,150 @@

Updates in this 4.4.x Release

+

4.4.14

+ +

This release fixes two security issues. See the + Security Advisory + for details.

+ +
+This will be the last release of the [% terms.Bugzilla %] 4.4 branch unless +further security issues are found before the EOL date passes. +[%+ terms.Bugzilla %] 4.4 will reach end of life 4 months after the release of +Version 4.4.14. Please take the opportunity to upgrade to version 5.2 or newer. +
+ +

This release also contains the following [% terms.bug %] fixes:

+ +
    +
  • The Email::MIME module changed the way it set content types on emails in + version 1.949, causing [% terms.Bugzilla %] to throw an error and preventing + emails from being correctly delivered to recipients. We now set the content + type correctly on emails. + ([% terms.Bug %] 1657496)
    • + +
  • Template Toolkit versions 2.28 through 3.007 are blacklisted due to a + compatibility issue. Versions 2.22 through 2.27 and 3.008 and later are + still supported. + ([% terms.Bug %] 1560873)
    • + +
  • [% terms.Bugzilla %] has a dependency on the Email::Address Perl module + which was unstated in the dependency list because it was also a dependency of + Email::Sender which [% terms.Bugzilla %] also uses. Newer versions of + Email::Sender stopped depending on Email::Address, so [% terms.Bugzilla %] + now needs to depend on it explicitly. + ([% terms.Bug %] 1851352)
    • + +
+ +

4.4.13

+ +

This release fixes one security issue. See the + Security Advisory + for details.

+ +

This release also contains the following [% terms.bug %] fix:

+ +
    +
  • All the time entries in the 'when' column had the correct date but the time + was fixed to 00:00 when using Sqlite. + ([% terms.Bug %] 1303702)
    • +
+ +

4.4.12

+ +

This release fixes one security issue. See the + Security Advisory + for details.

+ +

This release also contains the following [% terms.bug %] fixes:

+ +
    +
  • The Encode module changed the way it encodes strings, causing + email addresses in emails sent by [%terms.Bugzilla %] to be encoded, + preventing emails from being correctly delivered to recipients. + We now encode email headers correctly. + ([% terms.Bug %] 1246228)
    • +
  • When exporting a buglist as a CSV file, fields starting with either + "=", "+", "-" or "@" are preceded by a space to not trigger formula + execution in Excel. + ([% terms.Bug %] 1259881)
    • +
  • An extension which allows user-controlled data to be used as a link in + tabs could trigger XSS if the data is not correctly sanitized. + [%+ terms. Bugzilla %] no longer relies on the extension to do the sanity + check. A vanilla installation is not affected as no tab is user-controlled. + ([% terms.Bug %] 1250114)
    • +
+ +

4.4.11

+ +

This release fixes two security issues. See the + Security Advisory + for details.

+ +

This release also contains the following [% terms.bug %] fix:

+ +
    +
  • mod_perl now works correctly with mod_access_compat turned off on + Apache 2.4. The (incorrect) fix implemented in [% terms.Bugzilla %] 4.4.9 + has been backed out. To regenerate the .htaccess files, you + must first delete all existing ones in subdirectories: + 
    find . -mindepth 2 -name .htaccess -exec rm -f {} \;
    + You must then run checksetup.pl again to recreate them with + the correct syntax. + ([% terms.Bug %] 1223790)
    • +
+ +

4.4.10

+ +

This release fixes one security issue. See the + Security Advisory + for details.

+ +

This release also contains the following [% terms.bug %] fixes:

+ +
    +
  • The email_enabled attribute passed to the User.update + WebService method was incorrectly taken into account. Its logic was reversed. + ([% terms.Bug %] 1162334)
    • +
  • The DateTime::TimeZone::Local::Win32 Perl module is now required + on Windows to correctly determine the local timezone. + ([% terms.Bug %] 1124401)
    • +
  • [% terms.Bugzilla %] is now protected against the billion laughs attack + which could cause a denial of service when using the XML-RPC API. + ([% terms.Bug %] 1031035)
    • +
+ +

4.4.9

+ +

This release contains the following [% terms.bug %] fixes:

+ +
    +
  • Users who are not in the insidergroup were able to determine if some + specific user made a private comment in [% terms.bugs %]. + ([% terms.Bug %] 1151290)
    • +
  • Due to a regression caused by + [% terms.bug %] 1090275, the WebService methods B[%%]ug.get_bugs and + B[%%]ug.get_history were no longer allowed. + ([% terms.Bug %] 1154099)
    • +
  • [% terms.Bugzilla %] now supports the new .htaccess format from Apache 2.4. + ([% terms.Bug %] 1121477)
    • +
  • A regression in [% terms.Bugzilla %] 4.4.3 due to CVE-2014-1517 caused the admin's password + to be ignored when starting a sudo session. + ([% terms.Bug %] 1132887)
    • +
+ +

4.4.8

+ +

This release contains the following [% terms.bug %] fix:

+ + +

4.4.7

This release contains fixes for a couple of security issues. diff --git a/template/en/default/reports/chart.html.tmpl b/template/en/default/reports/chart.html.tmpl index ab334639c..1e908d956 100644 --- a/template/en/default/reports/chart.html.tmpl +++ b/template/en/default/reports/chart.html.tmpl @@ -20,6 +20,12 @@ header_addl_info = time %] +[% IF debug %] +

Bugzilla::Chart object:

+ 
+  [% debug_dump FILTER html %]
+
+[% END %]
[% imageurl = BLOCK %]chart.cgi? diff --git a/template/en/default/reports/create-chart.html.tmpl b/template/en/default/reports/create-chart.html.tmpl index 471a9cb55..543d8bd33 100644 --- a/template/en/default/reports/create-chart.html.tmpl +++ b/template/en/default/reports/create-chart.html.tmpl @@ -17,6 +17,13 @@ title = "Create Chart" %] +[% IF debug %] +

Bugzilla::Chart object:

+ 
+  [% debug_dump FILTER html %]
+
+[% END %] + [% PROCESS "reports/series-common.html.tmpl" donames = 1 %] diff --git a/template/en/default/reports/report.html.tmpl b/template/en/default/reports/report.html.tmpl index 2ca5dd90f..4825e0a66 100644 --- a/template/en/default/reports/report.html.tmpl +++ b/template/en/default/reports/report.html.tmpl @@ -61,6 +61,11 @@ %] [% IF debug %] +

Data hash:

+ 
[% debug_hash FILTER html %]
+

Data array:

+ 
[% debug_array FILTER html %]
+

Queries:

[% FOREACH query = queries %]

[% query.sql FILTER html %]

[% END %]