diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 000000000..f0e4ee1f4 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,12 @@ +#### Details + +This PR fixes/adds a feature... + +#### Additional info +* [bmo#](https://bugzilla.mozilla.org/show_bug.cgi?id=) + +#### Test Plan + +1. Open the show_bug view +2. Edit the bug +3. ... diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 000000000..c9198c50e --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,74 @@ +# This is a basic workflow to help you get started with Actions + +name: Release Tests + +# Controls when the action will run. Triggers the workflow on push or pull request +# events but only for the main branch +on: + push: + branches: [ 5.0.4 ] + pull_request: + branches: [ 5.0.4 ] + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + ubuntu: + name: Release Tests on Ubuntu 20.04 + runs-on: ubuntu-20.04 + steps: + - name: Checkout the repository + uses: actions/checkout@v4 + - name: apt install + run: | + sudo apt-get update + sudo apt-get -y dist-upgrade + sudo apt-get install --ignore-hold --allow-downgrades -y \ + apache2 \ + mariadb-client-10.3 \ + netcat \ + libappconfig-perl \ + libdate-calc-perl \ + libtemplate-perl \ + build-essential \ + libdatetime-timezone-perl \ + libdatetime-perl \ + libemail-address-perl \ + libemail-sender-perl \ + libemail-mime-perl \ + libemail-mime-modifier-perl \ + libdbi-perl \ + libdbix-connector-perl \ + libdbd-mysql-perl \ + libcgi-pm-perl \ + libmath-random-isaac-perl \ + libmath-random-isaac-xs-perl \ + libapache2-mod-perl2 \ + libapache2-mod-perl2-dev \ + libchart-perl \ + libxml-perl \ + libxml-twig-perl \ + perlmagick \ + libgd-graph-perl \ + libtemplate-plugin-gd-perl \ + libsoap-lite-perl \ + libhtml-scrubber-perl \ + libjson-rpc-perl \ + libdaemon-generic-perl \ + libtheschwartz-perl \ + libtest-taint-perl \ + libauthen-radius-perl \ + libfile-slurp-perl \ + libencode-detect-perl \ + libmodule-build-perl \ + libnet-ldap-perl \ + libauthen-sasl-perl \ + libfile-mimeinfo-perl \ + libhtml-formattext-withlinks-perl \ + libpod-coverage-perl \ + graphviz + - name: Get Perl Version and debug info + run: '/usr/bin/perl -V' + - name: Run tests + run: '/usr/bin/perl runtests.pl' diff --git a/.readthedocs.yaml b/.readthedocs.yaml new file mode 100644 index 000000000..7eada0dd6 --- /dev/null +++ b/.readthedocs.yaml @@ -0,0 +1,12 @@ +version: 2 +build: + os: "ubuntu-20.04" + tools: + python: "3.10" + apt_packages: + - libfile-copy-recursive-perl + jobs: + post_build: + - perl docs/makedocs.pl --pod-only + - cp -rp docs/en/html/integrating/api/ "$READTHEDOCS_OUTPUT/html/integrating/api" + - cp -p docs/en/html/style.css "$READTHEDOCS_OUTPUT/html/" diff --git a/Bugzilla.pm b/Bugzilla.pm index e4772e08b..e8c078cf8 100644 --- a/Bugzilla.pm +++ b/Bugzilla.pm @@ -11,6 +11,8 @@ use 5.10.1; use strict; use warnings; +BEGIN { eval { utf8->import; require 'utf8_heavy.pl' }; } + # We want any compile errors to get to the browser, if possible. BEGIN { # This makes sure we're in a CGI. diff --git a/Bugzilla/BugMail.pm b/Bugzilla/BugMail.pm index 110a1ffaf..1aff405d8 100644 --- a/Bugzilla/BugMail.pm +++ b/Bugzilla/BugMail.pm @@ -21,6 +21,7 @@ use Bugzilla::Mailer; use Bugzilla::Hook; use Bugzilla::MIME; +use Encode qw(); use Date::Parse; use Date::Format; use Scalar::Util qw(blessed); @@ -451,6 +452,7 @@ sub _generate_bugmail { encoding => 'quoted-printable', }, body_str => $msg_text, + encode_check => Encode::FB_DEFAULT ) ); if ($user->setting('email_format') eq 'html') { @@ -463,13 +465,15 @@ sub _generate_bugmail { encoding => 'quoted-printable', }, body_str => $msg_html, + encode_check => Encode::FB_DEFAULT ); } my $email = Bugzilla::MIME->new($msg_header); - if (scalar(@parts) == 1) { - $email->content_type_set($parts[0]->content_type); - } else { + + # If there's only one part, we don't need to set the overall content type + # because Email::MIME will automatically take it from that part (bug 1657496) + if (scalar(@parts) > 1) { $email->content_type_set('multipart/alternative'); # Some mail clients need same encoding for each part, even empty ones. $email->charset_set('UTF-8') if $use_utf8; diff --git a/Bugzilla/Chart.pm b/Bugzilla/Chart.pm index 3c69006aa..faf7a4785 100644 --- a/Bugzilla/Chart.pm +++ b/Bugzilla/Chart.pm @@ -420,11 +420,9 @@ sub dump { # Make sure we've read in our data my $data = $self->data; - + require Data::Dumper; - say "
Bugzilla::Chart object:";
-    print html_quote(Data::Dumper::Dumper($self));
-    print "
"; + return Data::Dumper::Dumper($self); } 1; diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index b4d22f8bf..0e50f82fc 100644 --- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -200,7 +200,7 @@ use Memoize; # CONSTANTS # # Bugzilla version -use constant BUGZILLA_VERSION => "5.0.4"; +use constant BUGZILLA_VERSION => "5.0.4.1"; # A base link to the current REST Documentation. We place it here # as it will need to be updated to whatever the current release is. @@ -508,16 +508,42 @@ use constant INSTALLATION_MODE_NON_INTERACTIVE => 1; use constant DB_MODULE => { # MySQL 5.0.15 was the first production 5.0.x release. 'mysql' => {db => 'Bugzilla::DB::Mysql', db_version => '5.0.15', - dbd => { + db_blocklist => ['^[89]\.'], + # the following is a "human-readable" version to show in the + # release notes + db_blklst_str => '>= 8.0', + dbd => { package => 'DBD-mysql', module => 'DBD::mysql', # Disallow development versions - blacklist => ['_'], + blocklist => ['_'], # For UTF-8 support. 4.001 makes sure that blobs aren't # marked as UTF-8. version => '4.001', }, name => 'MySQL'}, + + # MariaDB is a drop-in replacement for MySQL and works with Bugzilla + 'mariadb' => {db => 'Bugzilla::DB::Mysql', db_version => '5.1', + # MariaDB is indistinguishable from MySQL, but skipped 8 and + # 9 so blocklist it anyway in case someone has the driver set + # to mariadb but actually has MySQL. + db_blocklist => ['^[89]\.'], + # no string to show the user on the release notes though. + dbd => { + package => 'DBD-mysql', + module => 'DBD::mysql', + + # Disallow development versions + blocklist => ['_'], + + # For UTF-8 support. 4.001 makes sure that blobs aren't + # marked as UTF-8. + version => '4.001', + }, + name => 'MariaDB' + }, + # Also see Bugzilla::DB::Pg::bz_check_server_version, which has special # code to require DBD::Pg 2.17.2 for PostgreSQL 9 and above. 'pg' => {db => 'Bugzilla::DB::Pg', db_version => '8.03.0000', diff --git a/Bugzilla/DB.pm b/Bugzilla/DB.pm index 5bc83f9d6..f59a32feb 100644 --- a/Bugzilla/DB.pm +++ b/Bugzilla/DB.pm @@ -204,17 +204,33 @@ sub bz_check_server_version { $self->disconnect; my $sql_want = $db->{db_version}; + my $sql_dontwant = exists $db->{db_blocklist} ? $db->{db_blocklist} : []; my $version_ok = vers_cmp($sql_vers, $sql_want) > -1 ? 1 : 0; + my $blocklisted; + if ($version_ok) { + $blocklisted = grep($sql_vers =~ /$_/, @$sql_dontwant); + $version_ok = 0 if $blocklisted; + } my $sql_server = $db->{name}; if ($output) { Bugzilla::Install::Requirements::_checking_for({ package => $sql_server, wanted => $sql_want, - found => $sql_vers, ok => $version_ok }); + found => $sql_vers, ok => $version_ok, + blocklisted => $blocklisted }); } # Check what version of the database server is installed and let # the user know if the version is too old to be used with Bugzilla. + if ($blocklisted) { + die < [qw( # installed or not. "version" is the version we need, or 0 if we'll accept # any version. # -# "blacklist" is an arrayref of regular expressions that describe versions that -# are 'blacklisted'--that is, even if the version is high enough, Bugzilla +# "blocklist" is an arrayref of regular expressions that describe versions that +# are 'blocklisted'--that is, even if the version is high enough, Bugzilla # will refuse to say that it's OK to run with that version. sub REQUIRED_MODULES { my @modules = ( @@ -121,10 +121,12 @@ sub REQUIRED_MODULES { version => ($^V >= v5.13.3) ? '1.614' : '1.54' }, # 2.24 contains several useful text virtual methods. + # 2.28-3.007 are broken, see https://bugzilla.mozilla.org/show_bug.cgi?id=1560873 { package => 'Template-Toolkit', module => 'Template', - version => '2.24' + version => '2.24', + blacklist => ['^2.2[89]$', '^3.00[0-7]$'] }, # 1.300011 has a debug mode for SMTP and automatically pass -i to sendmail. { @@ -138,6 +140,11 @@ sub REQUIRED_MODULES { # This fixes a memory leak in walk_parts that affected jobqueue.pl. version => '1.904' }, + { + package => 'Email-Address', + module => 'Email::Address', + version => 0, + }, { package => 'URI', module => 'URI', @@ -286,7 +293,7 @@ sub OPTIONAL_MODULES { # throwing warnings with Perl 5.12. version => '0.712', # SOAP::Transport::HTTP 1.12 is bogus. - blacklist => ['^1\.12$'], + blocklist => ['^1\.12$'], feature => ['xmlrpc'], }, # Since SOAP::Lite 1.0, XMLRPC::Lite is no longer included @@ -729,16 +736,16 @@ sub have_vers { # Must do a string comparison as $vnum may be of the form 5.10.1. my $vok = ($vnum ne '-1' && version->new($vnum) >= version->new($wanted)) ? 1 : 0; - my $blacklisted; - if ($vok && $params->{blacklist}) { - $blacklisted = grep($vnum =~ /$_/, @{$params->{blacklist}}); - $vok = 0 if $blacklisted; + my $blocklisted; + if ($vok && $params->{blocklist}) { + $blocklisted = grep($vnum =~ /$_/, @{$params->{blocklist}}); + $vok = 0 if $blocklisted; } if ($output) { _checking_for({ package => $package, ok => $vok, wanted => $wanted, - found => $vnum, blacklisted => $blacklisted + found => $vnum, blocklisted => $blocklisted }); } @@ -747,8 +754,8 @@ sub have_vers { sub _checking_for { my ($params) = @_; - my ($package, $ok, $wanted, $blacklisted, $found) = - @$params{qw(package ok wanted blacklisted found)}; + my ($package, $ok, $wanted, $blocklisted, $found) = + @$params{qw(package ok wanted blocklisted found)}; my $ok_string = $ok ? install_string('module_ok') : ''; @@ -775,10 +782,10 @@ sub _checking_for { $ok_string = install_string('module_not_found'); } - my $black_string = $blacklisted ? install_string('blacklisted') : ''; + my $block_string = $blocklisted ? install_string('blocklisted') : ''; my $want_string = $wanted ? "v$wanted" : install_string('any'); - my $str = sprintf "%s %20s %-11s $ok_string $black_string\n", + my $str = sprintf "%s %20s %-11s $ok_string $block_string\n", install_string('checking_for'), $package, "($want_string)"; print $ok ? $str : colored($str, COLOR_ERROR); } diff --git a/Bugzilla/MIME.pm b/Bugzilla/MIME.pm index 8c6c141bb..d6046198f 100644 --- a/Bugzilla/MIME.pm +++ b/Bugzilla/MIME.pm @@ -14,7 +14,7 @@ use warnings; use parent qw(Email::MIME); sub new { - my ($class, $msg) = @_; + my ($class, $msg, $args) = @_; state $use_utf8 = Bugzilla->params->{'utf8'}; # Template-Toolkit trims trailing newlines, which is problematic when @@ -54,7 +54,7 @@ sub new { # you're running on. See http://perldoc.perl.org/perlport.html#Newlines $msg =~ s/(?:\015+)?\012/\015\012/msg; - return $class->SUPER::new($msg); + return $class->SUPER::new($msg, $args); } sub as_string { @@ -113,7 +113,7 @@ workarounds. =head1 SYNOPSIS use Bugzilla::MIME; - my $email = Bugzilla::MIME->new($message); + my $email = Bugzilla::MIME->new($message, $args); =head1 DESCRIPTION diff --git a/Bugzilla/Mailer.pm b/Bugzilla/Mailer.pm index 5ccf2d1ed..d7c23f857 100644 --- a/Bugzilla/Mailer.pm +++ b/Bugzilla/Mailer.pm @@ -21,6 +21,7 @@ use Bugzilla::MIME; use Bugzilla::Util; use Bugzilla::User; +use Encode qw(); use Date::Format qw(time2str); use Email::Sender::Simple qw(sendmail); @@ -61,6 +62,7 @@ sub generate_email { encoding => 'quoted-printable', }, body_str => $msg_text, + encode_check => Encode::FB_DEFAULT ) ); if ($templates->{html} && $email_format eq 'html') { @@ -73,6 +75,7 @@ sub generate_email { encoding => 'quoted-printable', }, body_str => $msg_html, + encode_check => Encode::FB_DEFAULT ); } diff --git a/Bugzilla/Update.pm b/Bugzilla/Update.pm index 72a7108a8..1c092ebe4 100644 --- a/Bugzilla/Update.pm +++ b/Bugzilla/Update.pm @@ -49,14 +49,15 @@ sub get_notifications { 'latest_ver' => $branch->{'att'}->{'vid'}, 'status' => $branch->{'att'}->{'status'}, 'url' => $branch->{'att'}->{'url'}, - 'date' => $branch->{'att'}->{'date'} + 'date' => $branch->{'att'}->{'date'}, + 'eos_date' => exists($branch->{'att'}->{'eos-date'}) ? $branch->{'att'}->{'eos-date'} : undef, }; push(@releases, $release); } # On which branch is the current installation running? my @current_version = - (BUGZILLA_VERSION =~ m/^(\d+)\.(\d+)(?:(rc|\.)(\d+))?\+?$/); + (BUGZILLA_VERSION =~ m/^(\d+)\.(\d+)(?:\.(\d+))?(?:(rc|\.)(\d+))?\+?$/); my @release; if (Bugzilla->params->{'upgrade_notification'} eq 'development_snapshot') { @@ -68,17 +69,60 @@ sub get_notifications { } } elsif (Bugzilla->params->{'upgrade_notification'} eq 'latest_stable_release') { + # We want the latest stable version for the current branch. + # If we are running a development snapshot, we won't match anything. + # This is the 5.0.4 branch and it won't branch again so just hardcode this. + my $branch_version = '5.0.4'; + + # We do a string comparison instead of a numerical one, because + # e.g. 2.2 == 2.20, but 2.2 ne 2.20 (and 2.2 is indeed much older). + @release = grep {$_->{'branch_ver'} eq $branch_version} @releases; + + # If the branch has an end-of-support date listed, we should + # strongly suggest to upgrade to the latest stable release + # available. + if (scalar(@release) && $release[0]->{'status'} ne 'closed' + && defined($release[0]->{'eos_date'})) { + my $eos_date = $release[0]->{'eos_date'}; + @release = grep {$_->{'status'} eq 'stable'} @releases; + return {'data' => $release[0], + 'branch_version' => $branch_version, + 'eos_date' => $eos_date}; + }; + + # If the branch is now closed, we should strongly suggest + # to upgrade to the latest stable release available. + if (scalar(@release) && $release[0]->{'status'} eq 'closed') { + @release = grep {$_->{'status'} eq 'stable'} @releases; + return {'data' => $release[0], 'deprecated' => $branch_version}; + } + + # If we get here, then we want to recommend the lastest stable + # release without any other messages. @release = grep {$_->{'status'} eq 'stable'} @releases; } elsif (Bugzilla->params->{'upgrade_notification'} eq 'stable_branch_release') { # We want the latest stable version for the current branch. # If we are running a development snapshot, we won't match anything. - my $branch_version = $current_version[0] . '.' . $current_version[1]; + # This is the 5.0.4 branch and it won't branch again so just hardcode this. + my $branch_version = '5.0.4'; # We do a string comparison instead of a numerical one, because # e.g. 2.2 == 2.20, but 2.2 ne 2.20 (and 2.2 is indeed much older). @release = grep {$_->{'branch_ver'} eq $branch_version} @releases; + # If the branch has an end-of-support date listed, we should + # strongly suggest to upgrade to the latest stable release + # available. + if (scalar(@release) && $release[0]->{'status'} ne 'closed' + && defined($release[0]->{'eos_date'})) { + my $eos_date = $release[0]->{'eos_date'}; + @release = grep {$_->{'status'} eq 'stable'} @releases; + return {'data' => $release[0], + 'branch_version' => $branch_version, + 'eos_date' => $eos_date}; + }; + # If the branch is now closed, we should strongly suggest # to upgrade to the latest stable release available. if (scalar(@release) && $release[0]->{'status'} eq 'closed') { @@ -97,12 +141,12 @@ sub get_notifications { # Only notify the administrator if the latest version available # is newer than the current one. my @new_version = - ($release[0]->{'latest_ver'} =~ m/^(\d+)\.(\d+)(?:(rc|\.)(\d+))?\+?$/); + ($release[0]->{'latest_ver'} =~ m/^(\d+)\.(\d+)(?:\.(\d+))?(?:(rc|\.)(\d+))?\+?$/); # We convert release candidates 'rc' to integers (rc ? 0 : 1) in order # to compare versions easily. - $current_version[2] = ($current_version[2] && $current_version[2] eq 'rc') ? 0 : 1; - $new_version[2] = ($new_version[2] && $new_version[2] eq 'rc') ? 0 : 1; + @current_version = map { s/^(?:rc|)$/0/; s/^\.$/1/; $_; } @current_version; + @new_version = map { s/^(?:rc|)$/0/; s/^\.$/1/; $_; } @new_version; my $is_newer = _compare_versions(\@current_version, \@new_version); return ($is_newer == 1) ? {'data' => $release[0]} : undef; diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index 77e6cebb0..e8f4aa77f 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -132,7 +132,19 @@ sub new { $_[0] = $param; } } - return $class->SUPER::new(@_); + + $user = $class->SUPER::new(@_); + + # MySQL considers some non-ascii characters such as umlauts to equal + # ascii characters returning a user when it should not. + if ($user && ref $param eq 'HASH' && exists $param->{name}) { + my $login = $param->{name}; + if (lc $login ne lc $user->login) { + $user = undef; + } + } + + return $user; } sub super_user { diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index 57ce5f6b6..5ceef4ef7 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -1263,18 +1263,44 @@ if Bugzilla is currently using the shadowdb or not. Used like: =back -=head1 B - =over -=item do_ssl_redirect_if_required +=item C + +Writes $content to $filename. The content will be encoded as UTF-8. Returns 1 if +the atomic write was successful, 0 otherwise. C<$!> will be set to the error +from C. + +=item C + +Reads the contents of $filename and returns it as a string. The string will be +decoded as UTF-8. + +=item C + +Returns true if the given IP address is an IPv4 address. + +=item C + +Returns true if the given IP address is an IPv6 address. + +=item C + +If Bugzilla is configured to redirect all HTTP requests to HTTPS, this function +will redirect the user to the HTTPS version of the current page. It will not do +anything if the user is already on HTTPS, or if there is no C parameter +set. -=item validate_time +=item C -=item is_ipv4 +Validates a time string. Returns true or false depending on whether the time +string is valid. -=item is_ipv6 +=item C -=item display_value +Returns the display value for a given field and value. This value comes from the +value_descs template variable. The value_descs variable is set in the template +file C. This is used for localizing Bugzilla to +other languages. =back diff --git a/Build.PL b/Build.PL index 024a56024..0a7c1059a 100644 --- a/Build.PL +++ b/Build.PL @@ -33,10 +33,10 @@ sub build_requires { sub recommends { my $recommends = OPTIONAL_MODULES(); - my @blacklist = ('Apache-SizeLimit', 'mod_perl'); # Does not compile properly on Travis + my @blocklist = ('Apache-SizeLimit', 'mod_perl'); # Does not compile properly on Travis my $hrecommends = {}; foreach my $module (@$recommends) { - next if grep($_ eq $module->{package}, @blacklist); + next if grep($_ eq $module->{package}, @blocklist); $hrecommends->{$module->{module}} = $module->{version}; } return $hrecommends; diff --git a/README b/README index e68afd8e4..335631e5d 100644 --- a/README +++ b/README @@ -6,9 +6,6 @@ developed by an active group of volunteers in the Mozilla community, and used by thousands of projects and companies around the world. It can be installed on Linux and other flavors of Unix, Windows or Mac OS X. -You can try Bugzilla out using our testing installation: -https://landfill.bugzilla.org/bugzilla-tip/ - Documentation ============= diff --git a/chart.cgi b/chart.cgi index c1bafa117..18ab87e5e 100755 --- a/chart.cgi +++ b/chart.cgi @@ -96,6 +96,13 @@ $user->in_group(Bugzilla->params->{"chartgroup"}) # Only admins may create public queries $user->in_group('admin') || $cgi->delete('public'); +if ($cgi->param('debug') + && Bugzilla->params->{debug_group} + && Bugzilla->user->in_group(Bugzilla->params->{debug_group}) + ) { + $vars->{'debug'} = 1; +} + # All these actions relate to chart construction. if ($action =~ /^(assemble|add|remove|sum|subscribe|unsubscribe)$/) { # These two need to be done before the creation of the Chart object, so @@ -312,7 +319,16 @@ sub plot { disable_utf8() if ($format->{'ctype'} =~ /^image\//); # Debugging PNGs is a pain; we need to be able to see the error messages - $vars->{'chart'}->dump() if $cgi->param('debug'); + if (exists $vars->{'debug'}) { + # Bug 1439260 - if we're using debug mode, always use the HTML template + # which has proper filters in it. Debug forces an HTML content type + # anyway, and can cause XSS if we're not filtering the output. + $format = $template->get_format("reports/chart", "", "html"); + $vars->{'debug_dump'} = $vars->{'chart'}->dump(); + } + + print $cgi->header($format->{'ctype'}); + disable_utf8() if ($format->{'ctype'} =~ /^image\//); $template->process($format->{'template'}, $vars) || ThrowTemplateError($template->error()); @@ -350,7 +366,9 @@ sub view { # If we have having problems with bad data, we can set debug=1 to dump # the data structure. - $chart->dump() if $cgi->param('debug'); + if (exists $vars->{'debug'}) { + $vars->{'debug_dump'} = $chart->dump(); + } $template->process("reports/create-chart.html.tmpl", $vars) || ThrowTemplateError($template->error()); diff --git a/contrib/bugzilla-submit/README b/contrib/bugzilla-submit/README index f9e74b9d4..9d9811bde 100644 --- a/contrib/bugzilla-submit/README +++ b/contrib/bugzilla-submit/README @@ -19,9 +19,8 @@ Its only requirement is Python 2.3 or higher; you should have the Usage Notes ----------- -* Please constrain testing to your own installation of Bugzilla, or use -* http://landfill.bugzilla.org/ for testing purposes -- opening test -* bugs on production instances of Bugzilla is definitely not a good idea +* Please constrain testing to your own installation of Bugzilla, opening test +* bugs on production instances of Bugzilla is definitely not a good idea. Run "bugzilla-submit --help" for a description of the possible options. diff --git a/contrib/bugzilla-submit/bugzilla-submit.xml b/contrib/bugzilla-submit/bugzilla-submit.xml index 2cfdc9209..297e690cc 100755 --- a/contrib/bugzilla-submit/bugzilla-submit.xml +++ b/contrib/bugzilla-submit/bugzilla-submit.xml @@ -201,12 +201,12 @@ password field is the right password. The URL in the machine field must be enclosed in double quotes. For example, if your Bugzilla instance is at -"http://landfill.bugzilla.org/bztest/", and your login and password +"https://bugzilla.example.org/bztest/", and your login and password there are "john@doe.com" and "foo", respectively, your .netrc entry should look something like: - machine "http://landfill.bugzilla.org/bztest/" + machine "https://bugzilla.example.org/bztest/" login john@doe.com password foo diff --git a/contrib/jb2bz.py b/contrib/jb2bz.py index caaa0c5e2..170e82d70 100755 --- a/contrib/jb2bz.py +++ b/contrib/jb2bz.py @@ -30,7 +30,7 @@ if not mimetypes.encodings_map.has_key('.bz2'): bug_status='CONFIRMED' component="default" -version="" +version="unspecified" product="" # this is required, the rest of these are defaulted as above """ @@ -230,6 +230,7 @@ def process_jitterbug(filename): "bug_id=%s," \ "priority='---'," \ "bug_severity='normal'," \ + "op_sys='All'," \ "bug_status=%s," \ "creation_ts=%s," \ "delta_ts=%s," \ diff --git a/report.cgi b/report.cgi index 2a8317d7a..d5f471ef0 100755 --- a/report.cgi +++ b/report.cgi @@ -359,19 +359,22 @@ my $format = $template->get_format("reports/report", $formatparam, # If we get a template or CGI error, it comes out as HTML, which isn't valid # PNG data, and the browser just displays a "corrupt PNG" message. So, you can # set debug=1 to always get an HTML content-type, and view the error. -$format->{'ctype'} = "text/html" if $cgi->param('debug'); +if (exists $vars->{'debug'}) { + # Bug 1439260 - if we're using debug mode, always use the HTML template + # which has proper filters in it. Debug forces an HTML content type + # anyway, and can cause XSS if we're not filtering the output. + $format = $template->get_format("reports/report", $formatparam, "html"); +} $cgi->set_dated_content_disp("inline", "report", $format->{extension}); print $cgi->header($format->{'ctype'}); # Problems with this CGI are often due to malformed data. Setting debug=1 # prints out both data structures. -if ($cgi->param('debug')) { +if (exists $vars->{'debug'}) { require Data::Dumper; - say "
data hash:";
-    say html_quote(Data::Dumper::Dumper(%data));
-    say "\ndata array:";
-    say html_quote(Data::Dumper::Dumper(@image_data)) . "\n\n
"; + $vars->{'debug_hash'} = Data::Dumper::Dumper(%data); + $vars->{'debug_array'} = Data::Dumper::Dumper(@image_data); } # All formats point to the same section of the documentation. diff --git a/t/002goodperl.t b/t/002goodperl.t index d1858361f..8fcd1a343 100644 --- a/t/002goodperl.t +++ b/t/002goodperl.t @@ -14,7 +14,7 @@ use 5.10.1; use strict; use warnings; -use lib 't'; +use lib qw(. lib t); use Support::Files; diff --git a/t/003safesys.t b/t/003safesys.t index 443f96415..e1d04bed8 100644 --- a/t/003safesys.t +++ b/t/003safesys.t @@ -14,7 +14,7 @@ use 5.10.1; use strict; use warnings; -use lib 't'; +use lib qw(. lib t); use Support::Files; diff --git a/t/004template.t b/t/004template.t index 0a6f0e0aa..f336441ac 100644 --- a/t/004template.t +++ b/t/004template.t @@ -13,7 +13,7 @@ use 5.10.1; use strict; use warnings; -use lib 't'; +use lib qw(. lib t); use Support::Templates; @@ -114,10 +114,10 @@ foreach my $include_path (@include_paths) { # Forbid single quotes to delimit URLs, see bug 926085. if ($data =~ /href=\\?'/) { - ok(0, "$path contains blacklisted constructs: href='...'"); + ok(0, "$path contains blocklisted constructs: href='...'"); } else { - ok(1, "$path contains no blacklisted constructs"); + ok(1, "$path contains no blocklisted constructs"); } } } diff --git a/t/005whitespace.t b/t/005whitespace.t index b6de8cee3..b7f10cae2 100644 --- a/t/005whitespace.t +++ b/t/005whitespace.t @@ -13,7 +13,7 @@ use 5.10.1; use strict; use warnings; -use lib 't'; +use lib qw(. lib t); use Support::Files; use Support::Templates; diff --git a/t/006spellcheck.t b/t/006spellcheck.t index 24e00242d..ea298c5f6 100644 --- a/t/006spellcheck.t +++ b/t/006spellcheck.t @@ -14,7 +14,7 @@ use 5.10.1; use strict; use warnings; -use lib 't'; +use lib qw(. lib t); use Support::Files; # -1 because 006spellcheck.t must not be checked. diff --git a/t/007util.t b/t/007util.t index 66c2df032..6f5ea8b72 100644 --- a/t/007util.t +++ b/t/007util.t @@ -13,7 +13,7 @@ use 5.10.1; use strict; use warnings; -use lib 't'; +use lib qw(. lib t); use Support::Files; use Test::More tests => 17; use DateTime; diff --git a/t/009bugwords.t b/t/009bugwords.t index e36651edb..5b0bf1f94 100644 --- a/t/009bugwords.t +++ b/t/009bugwords.t @@ -19,7 +19,7 @@ use 5.10.1; use strict; use warnings; -use lib 't'; +use lib qw(. t lib); use Support::Files; use Support::Templates; diff --git a/t/010dependencies.t b/t/010dependencies.t index afd29a652..e0e990172 100644 --- a/t/010dependencies.t +++ b/t/010dependencies.t @@ -69,7 +69,7 @@ foreach my $module (keys %mods) { $used =~ s#/#::#g; $used =~ s#\.pm$##; $used =~ s#\$module#[^:]+#; - $used =~ s#\${[^}]+}#[^:]+#; + $used =~ s#\$\{[^}]+\}#[^:]+#; $used =~ s#[" ]##g; push(@use, grep(/^\Q$used\E$/, keys %mods)); } diff --git a/t/011pod.t b/t/011pod.t index 8a7f374ce..fd37faa7c 100644 --- a/t/011pod.t +++ b/t/011pod.t @@ -14,7 +14,7 @@ use 5.10.1; use strict; use warnings; -use lib 't'; +use lib qw(. lib t); use Support::Files; use Pod::Checker; diff --git a/template/en/default/config.js.tmpl b/template/en/default/config.js.tmpl index 0399f8b28..0e924d801 100644 --- a/template/en/default/config.js.tmpl +++ b/template/en/default/config.js.tmpl @@ -64,7 +64,7 @@ var [% cf.name FILTER js %] = [ [% FOREACH x = cf.legal_values %]'[% x.name FILT // ======================= // // It is not necessary to list all products and components here. -// Instead, you can define a "blacklist" for some commonly used words +// Instead, you can define a "blocklist" for some commonly used words // or word fragments that occur in a product or component name // but should _not_ trigger product/component search. @@ -84,7 +84,7 @@ var target_milestone = new Object(); // Product and Component Exceptions // ================================ // -// A blacklist for some commonly used words or word fragments +// A blocklist for some commonly used words or word fragments // that occur in a product or component name but should *not* // trigger product/component search in QuickSearch. diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl index bd40fff88..0d6849ddb 100644 --- a/template/en/default/global/header.html.tmpl +++ b/template/en/default/global/header.html.tmpl @@ -89,6 +89,8 @@ [% END %] + + [% SET yui = yui_resolve_deps(yui, yui_deps) %] [% SET css_sets = css_files(style_urls, yui, yui_css) %] diff --git a/template/en/default/index.html.tmpl b/template/en/default/index.html.tmpl index 84a5b7d5c..d0ccc61e7 100644 --- a/template/en/default/index.html.tmpl +++ b/template/en/default/index.html.tmpl @@ -19,6 +19,12 @@ [% IF release %]
[% IF release.data %] + [% IF release.eos_date %] +

[% terms.Bugzilla %] [%+ release.branch_version FILTER html %] will + no longer receive security updates after [% release.eos_date FILTER html %]. + You are highly encouraged to upgrade in order to keep your + system secure.

+ [% END %] [% IF release.deprecated %]

Bugzilla [%+ release.deprecated FILTER html %] is no longer supported. You are highly encouraged to upgrade in order to keep your diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl index 368cd9c08..d34a454e0 100644 --- a/template/en/default/list/list.html.tmpl +++ b/template/en/default/list/list.html.tmpl @@ -250,7 +250,7 @@ [% IF bugowners && user.id %] [% END %] diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl index b89e3a61d..0304c4ad3 100644 --- a/template/en/default/pages/release-notes.html.tmpl +++ b/template/en/default/pages/release-notes.html.tmpl @@ -29,8 +29,8 @@

Introduction

-

Welcome to Bugzilla 5.0! It has been slightly over two years since we released - Bugzilla 4.4 in May of 2013. This new major release comes with many new features +

Welcome to [% terms.Bugzilla %] 5.0! It has been slightly over two years since we released + [%+ terms.Bugzilla %] 4.4 in May of 2013. This new major release comes with many new features and improvements to WebServices and performance.

If you're upgrading, make sure to read @@ -43,6 +43,66 @@

Updates in this 5.0.x Release

+

5.0.4.1

+ +

This release fixes three security issues. See the + Security Advisory + for details.

+ +

This release is intended to follow the stable 5.0 branch of +[%+ terms.Bugzilla %]. Version 5.0.5 contained invasive fixes which should not +have been on a stable branch, so we branched again from 5.0.4 to continue to +provide security updates without the invasive changes. This release track of +[%+ terms.Bugzilla %] now lives on the 5.0.4 branch in Git.

+ +

This release also contains the following [% terms.bug %] fixes:

+ +
    + +
  • MySQL 8.0 introduced non-backward-compatible changes which broke + Bugzilla. This version now properly detects and prevents you from running it + on MySQL 8 or newer. Future versions of [% terms.Bugzilla %] will support + MySQL 8, but the changes are too invasive for a branch that only gets + security support. If you can't stay on MySQL 5.7.x or older, we recommend + using MariaDB or version 5.2 or newer of [% terms.Bugzilla %]. + ([% terms.Bug %] 1851354)
    • + +
  • The "Email Assignees" link on the [% terms.Bug %] List page was fixed to + properly handle email addresses that contain apostrophes. + ([% terms.Bug %] 1226123)
    • + +
  • Metadata to assist browsers in properly rendering [% terms.Bugzilla %] on + mobile browsers was added. Without this metadata Google Search tools would + report [% terms.Bugzilla %] pages as not suitable for mobile devices. + [%+ terms.Bugzilla %] still needs work to actually look nice on mobile devices + but this is a good start. + (PR #78)
    • + +
  • The Email::MIME module changed the way it set content types on emails in + version 1.949, causing [% terms.Bugzilla %] to throw an error and preventing + emails from being correctly delivered to recipients. We now set the content + type correctly on emails. + ([% terms.Bug %] 1657496)
    • + +
  • Template Toolkit versions 2.28 through 3.007 are blacklisted due to a + compatibility issue. Versions 2.22 through 2.27 and 3.008 and later are + still supported. + ([% terms.Bug %] 1560873)
    • + +
  • [% terms.Bugzilla %] has a dependency on the Email::Address Perl module + which was unstated in the dependency list because it was also a dependency of + Email::Sender which [% terms.Bugzilla %] also uses. Newer versions of + Email::Sender stopped depending on Email::Address, so [% terms.Bugzilla %] + now needs to depend on it explicitly. + ([% terms.Bug %] 1851352)
    • + +
  • The contrib script jb2bz.py for importing from Jitterbugz + was updated to properly handle missing version and operating system values on + imported [% terms.bugs %]. + ([% terms.Bug %] 1429243)
    • + +
+

5.0.4

This release fixes one security issue. See the diff --git a/template/en/default/reports/chart.html.tmpl b/template/en/default/reports/chart.html.tmpl index dfab725e6..7004086de 100644 --- a/template/en/default/reports/chart.html.tmpl +++ b/template/en/default/reports/chart.html.tmpl @@ -20,6 +20,13 @@ header_addl_info = time %] +[% IF debug %] +

Bugzilla::Chart object:

+ 
+  [% debug_dump FILTER html %]
+
+[% END %] +
[% imageurl = BLOCK %]chart.cgi? diff --git a/template/en/default/reports/create-chart.html.tmpl b/template/en/default/reports/create-chart.html.tmpl index 6b5fa5fe3..9ae25c608 100644 --- a/template/en/default/reports/create-chart.html.tmpl +++ b/template/en/default/reports/create-chart.html.tmpl @@ -18,6 +18,13 @@ style_urls = ['skins/standard/buglist.css'] %] +[% IF debug %] +

Bugzilla::Chart object:

+ 
+  [% debug_dump FILTER html %]
+
+[% END %] + [% PROCESS "reports/series-common.html.tmpl" donames = 1 %] diff --git a/template/en/default/reports/report.html.tmpl b/template/en/default/reports/report.html.tmpl index a9cd96551..b669070c2 100644 --- a/template/en/default/reports/report.html.tmpl +++ b/template/en/default/reports/report.html.tmpl @@ -61,6 +61,11 @@ %] [% IF debug %] +

Data hash:

+ 
[% debug_hash FILTER html %]
+

Data array:

+ 
[% debug_array FILTER html %]
+

Queries:

[% FOREACH query = queries %]

[% query.sql FILTER html %]

[% END %] diff --git a/template/en/default/setup/strings.txt.pl b/template/en/default/setup/strings.txt.pl index 78c4d861b..202b3c78d 100644 --- a/template/en/default/setup/strings.txt.pl +++ b/template/en/default/setup/strings.txt.pl @@ -23,7 +23,7 @@ happens when you are not running checksetup.pl as ##root##. To see the problem we ran into, run: ##command## END bad_executable => 'not a valid executable: ##bin##', - blacklisted => '(blacklisted)', + blocklisted => '(blocklisted)', bz_schema_exists_before_220 => <<'END', You are upgrading from a version before 2.20, but the bz_schema table already exists. This means that you restored a mysqldump into the Bugzilla