Bug 191971 - The guide incorrectly stated that bugs could be closed via email using the scripts in contrib/
NOTE: This old version of the guide doesn't compile using the scripts I currently have in place so both the sgml and html were manually changed.
Fix for bug 154008: some basic (but incomplete) maintenance on bug_email.pl, also fixes a possible security hole with a misuse of a system() call.
Patches by Erik Anderson <erikba@teamworkgroup.com> and Brad Baetz <bbaetz@student.usyd.edu.au>
r= myk, justdave
Bug 148674 Boolean Charts don't work in Netpositive because '-' is sent as '%2D'
This makes CGI.pl closer to CGI.pm by having it unescape the name field in addition to the value field.
r=preed,justdave
Bug 147486 - First (of many?) fixes of cross site scripting issues; checked in on the 2.14.1 branch; this patch is slightly different (semantically) from the one in 147486; it moves the ) placement, per myk's suggestion in the bug. patch=preed, r=bbaetz,myk
dkl%redhat.com [Thu, 3 Jan 2002 14:15:55 +0000 (14:15 +0000)]
SECURITY FIX for bug 117614; Undefined subroutine &main::detaint_natural called at editusers.cgi line 739. Patch by David D. Kilzer <ddkilzer@theracingworld.com> r=justdave,dkl
SECURITY FIX for bug 109679: It was possible to send arbitrary SQL to buglist.cgi by altering the HTML form before submitting.
Patch by Dave Miller <justdave@syndicomm.com>
r= dkl, gerv
Re-fix for bug 102141: The prior checkin on this bug caused an error if you could only see one product and you tried to change a bug.
Fix by David Kilzer <ddk@theracingworld.com>
r= justdave, bbaetz
SECURITY FIX bug 54901: If you were using LDAP authentication it would let you log in as anyone if you left the password blank.
Patch by David Crowe <crow@waveset.com>
r= jmrobins, justdave
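The blank-password bypass in bug 54901 is the classic LDAP "unauthenticated bind" trap: a simple bind with a DN but an empty password is, per RFC 4513, treated by many servers as an anonymous session and returns success. As an added example (not Bugzilla's code), the block below simulates such a directory server and shows the vulnerable login check beside a hardened one; the directory, DNs and passwords are constructed.

```python
"""Added example, not Bugzilla code: why a login routine must not treat
an LDAP simple-bind success as proof that a password was verified."""
from dataclasses import dataclass

# Constructed sample directory: DN -> password.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse",
    "uid=bob,ou=people,dc=example,dc=com": "battery staple",
}
BASE_DN = "ou=people,dc=example,dc=com"


@dataclass
class BindResult:
    success: bool         # server returned LDAP resultCode success (0)
    authenticated: bool   # False for anonymous / unauthenticated sessions


def simple_bind(dn: str, password: str) -> BindResult:
    """Model a server that honours RFC 4513 s5.1.2 unauthenticated binds."""
    if dn == "" and password == "":
        return BindResult(True, False)   # anonymous bind
    if password == "":
        # Unauthenticated bind: server says "success" but grants only an
        # anonymous session. The DN was never checked.
        return BindResult(True, False)
    if DIRECTORY.get(dn) == password:
        return BindResult(True, True)
    return BindResult(False, False)      # invalidCredentials


def login_vulnerable(uid: str, password: str) -> bool:
    """Pattern behind bug 54901: bind success taken as identity proof."""
    dn = f"uid={uid},{BASE_DN}"
    return simple_bind(dn, password).success


def login_hardened(uid: str, password: str) -> bool:
    """Refuse empty passwords before binding, and only accept a bind
    that the server reports as authenticated for the supplied DN."""
    if not password:
        return False
    dn = f"uid={uid},{BASE_DN}"
    result = simple_bind(dn, password)
    return result.success and result.authenticated


if __name__ == "__main__":
    print("vulnerable, blank password:", login_vulnerable("alice", ""))
    print("hardened,   blank password:", login_hardened("alice", ""))
```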
Fix for bug 98146: Untrusted variable echoed back to user in HTML error if there was a login error while editing votes
Patch by Gerv and Jake, r= Myk
Fix for bug 102141: SECURITY FIX - the Product popup menu on the show_bug form listed all products, even if the user didn't have access to all of them. It now only shows products the user has access to (and the product the bug is in, if the user is viewing it because of some other override)
Patch by George Hotelling <george.hotelling@iconideas.com> and Dave Miller <justdave@syndicomm.com>
r= bbaetz, caillon
Fix for bug 108822: It was possible for a user to send arbitrary SQL by inserting quotes in the "mybugslink" field in the user preferences.
Patch by Jake Steenhagen
r= myk, bbaetz
Fix for bug 108821: It was possible to change your own groupset by altering the page HTML before submitting on editusers.cgi if you had any blessgroupset privs.
Patch by Myk Melez and Brad Baetz
r= myk, bbaetz, jake
Fix for bug 108812: buglist.cgi allowed you to pass arbitrary SQL for the "WHERE" part of a query. This is no longer allowed.
Patch by Jake Steenhagen <jake@acutex.net>
r= bbaetz, myk
Fix for bug 108516: It was possible to file a bug as someone you're not. User identity is now checked and the form values giving user ID are now ignored.
r= jake, bbaetz
Fix for bug 108385: it was possible to add comments as someone else. User identity is checked now, and the form values suggesting the username are now ignored.
r=jake
jake%acutex.net [Wed, 14 Nov 2001 11:44:07 +0000 (11:44 +0000)]
We don't really need to look for fragments that are pulled in by [% INCLUDE %] or [% PROCESS %]. While removing this code bit doesn't allow us to separately check that those fragments exist and compile, they'll be checked automatically when the template that wants them is run through the process() routine by the 004template.t test. This issue was raised because bug 98707 introduced a [% BLOCK %] element and the syntax for using that is the same as for including a template fragment.
jake%acutex.net [Mon, 12 Nov 2001 21:43:59 +0000 (21:43 +0000)]
Fix for bug 86300 - If a bug didn't exist and GetBugLink() tried to create a tooltip for it, you'd get uninitialized variables warnings in your error log. This patch also introduces a cache so if the same bug # is mentioned more than once during the same running of the script, it only has to query the database once.
r= mattyt, gerv
Fix for bug 99519: timestamps were not being set correctly in the activity table in some situations, and the delta_ts on the bug itself was not always being updated if dependencies or CCs changed.
Patch by Dave Miller <justdave@syndicomm.com>
r= bbaetz, jake
myk%mozilla.org [Thu, 8 Nov 2001 10:43:55 +0000 (10:43 +0000)]
Fix for bug 104652: Duplicate bugs in the dependency tree now get marked with the message "This bug appears elsewhere in this tree." so users know why the bug does not appear to have dependencies.
Patch by Gerv <gerv@mozilla.org>.
r=jake@acutex.net,myk@mozilla.org
myk%mozilla.org [Thu, 8 Nov 2001 08:52:13 +0000 (08:52 +0000)]
Fix for bug 108821: Prevent users with any blessgroupset privileges from blessing any group set.
Patch by Jake <jake@acutex.net> and Bradley <bbaetz@cs.mcgill.ca>.
r=jake,myk for Bradley's portion, r=bbaetz,myk for Jake's portion.
Require (temporarily) mysql >= 3.23.5 for the ~ operator, needed for the fix to bug 107718. This should be removed when the group stuff lands (bug 60822).
SECURITY FIX see bug 108385: Due to trusting of passed form fields that shouldn't have been trusted, it was possible to add a comment to a bug pretending to be someone else if you edited the HTML by hand before submitting. The bug form did not include the field in question, but due to legacy processing code, the field was still trusted if it was present.
Patch by Dave Miller <justdave@syndicomm.com>
r= jake x2
SECURITY FIX see bug 108516: Due to trusting of passed form fields that shouldn't have been trusted, it was possible to file a bug pretending to be someone else if you edited the HTML by hand before submitting.
Patch by Dave Miller <justdave@syndicomm.com>
r= bbaetz, jake
Fix for bug 96675: checksetup should require that the admin e-mail address satisfy emailregexp. This fix has checksetup.pl use the emailregexp set in params if the params file exists, or ensures that it matches the default emailregexp from defparams.pl.
jake%acutex.net [Sat, 27 Oct 2001 22:27:31 +0000 (22:27 +0000)]
A few enhancements to the template test:
* If there's a compilation error, report what it is
* Don't try to compile a template if it doesn't exist
- We already tested for that and issued an ERROR
* Define the 'url' FILTER
jake%acutex.net [Sat, 27 Oct 2001 01:35:04 +0000 (01:35 +0000)]
Bug 81594 - SQL error after editing user entry when changing numerous things at once (including the login name).
Patch by Matthew Tuck <matty@chariot.net.au>
r= dkl@redhat.com, jake@acutex.net
jake%acutex.net [Thu, 25 Oct 2001 21:46:58 +0000 (21:46 +0000)]
Bug 104065 - Stop uninitialized string warnings from getting into the error log when the login cookie doesn't exist.
Patch by Dave Miller <justdave@syndicomm.com>
r= gerv@mozilla.org, jake@acutex.net
jake%acutex.net [Thu, 25 Oct 2001 01:41:49 +0000 (01:41 +0000)]
Don't rely on the TEST_VERBOSE environment variable (no longer exported from runtests.sh) and instead print to the TESTOUT file handle pulled in from Test::More. This will allow the testing backend to check for verbosity rather than having to handle it in the .t files.
jake%acutex.net [Wed, 24 Oct 2001 20:29:49 +0000 (20:29 +0000)]
Bug 106424 - We weren't going orange on warnings such as "used only once". This script now properly outputs the --WARNING and fails on such a condition.
myk%mozilla.org [Wed, 24 Oct 2001 08:31:09 +0000 (08:31 +0000)]
Fix for bug 106315: Link on bug list for emailing QA contacts.
Patch by Dave Miller <justdave@syndicomm.com>.
r=myk@mozilla.org, no second review needed.
Bug 97469 - Assignee/QA/Reporter/CC don't get email on restricted bugs.
Also fixes seeing bugs in the buglist (bug 95024), dependency lists, tooltips, duplicates, and everywhere else I could see which checked group bugs.groupset == 0.
jake%acutex.net [Tue, 23 Oct 2001 21:45:45 +0000 (21:45 +0000)]
Bug 63249 - The Bug Counts report was running very slowly due to unneeded fields/joins in the SQL query.
Patch by Matthew Tuck <matty@chariot.net.au>
r= gerv@mozilla.org, jake@acutex.net
jake%acutex.net [Sat, 20 Oct 2001 20:03:14 +0000 (20:03 +0000)]
Bug 71840 - Make comments referenceable using a #c4 to get the fourth comment.
Patch by Gerv <gerv@mozilla.org> and Myself.
r= jake@acutex.net, gerv@mozilla.org, justdave@syndicomm.com
jake%acutex.net [Sat, 20 Oct 2001 07:50:27 +0000 (07:50 +0000)]
Bug 105480 - Use the friendly name from the fielddefs table when reporting strictvalue errors if it's available.
Patch by James A. Laska <jlaska@us.ibm.com>
r= justdave@syndicomm.com, jake@acutex.net
jake%acutex.net [Sat, 20 Oct 2001 07:22:52 +0000 (07:22 +0000)]
Bug 104340 - Changing the UI of the toolbar for hiding bugs in the dependency tree.
Patch by Christian Reis <kiko@async.com.br>
r= justdave@syndicomm.com, gerv@mozilla.org
jake%acutex.net [Sat, 20 Oct 2001 06:49:37 +0000 (06:49 +0000)]
Bug 73180 - We now put a notice at the top of the versioncache file saying that it should not be edited.
Patch by Matthew Tuck <matty@chariot.net.au>
r= gerv@mozilla.org, jake@acutex.net
jake%acutex.net [Sat, 20 Oct 2001 05:39:46 +0000 (05:39 +0000)]
Bug 103664 - Tests should "use strict;" and not contain any tabs. We should also use the TEST_VERBOSE environment variable instead of VERBOSE.
Patch by David D. Kilzer <ddkilzer@theracingworld.com>
Additional edits by myself to add the emacs mode line. Also, the change to runtests.sh was done by me.