##// END OF EJS Templates
security: limit the maximum password lenght to 72 characters to prevent possible...
security: limit the maximum password lenght to 72 characters to prevent possible server side resource consumption attack. - bcrypt heavy computation can lead to DOS using a very long password .eg 10**8 lenght. - we allowed this on registration or on password update

File last commit:

r1848:6a5f62ae default
r2192:a51e727d stable
Show More
release-notes-4.8.0.rst
102 lines | 4.3 KiB | text/x-rst | RstLexer
/ docs / release-notes / release-notes-4.8.0.rst
docs: added changelog for 4.8.0 release.
r1848 |RCE| 4.8.0 |RNS|
-----------------
Release Date
^^^^^^^^^^^^
- 2017-06-30
New Features
^^^^^^^^^^^^
- Code Review: added new reviewers logic. This features now is Common Criteria
compatible and allows to define Mandatory (non-removable) reviewers.
In addition new options were added to forbid adding new reviewers or forbid
author of commits or the pull request itself to be a reviewer of the code.
- Audit logs: introducing new audit logs tracking most important actions in
the system. Admins can track important events such as deletion of resources,
permissions changes, user groups changes. Each event tracks users with his
IP and user agent.
- Mercurial: enabled evolve extensions. Each repository can be now configured
to support evolve, commit phases, and evolve state are also shown in
commit and changelog views.
- VCS: expose newly pushed bookmarks or branches as quick links to open a
pull request on client output. Allows easier pull request creation via CLI.
General
^^^^^^^
- Core: ported many views into pure pyramid code with python3.6 compatibility.
Now almost 80% of the code is ported, and future ready. It's our ongoing
effort to allow support for modern python version.
- Comments: show author tag in pull request comments to easily
discover the author of changes in discussions.
- Files: allow specifying custom filename for uploaded files via web interface.
- Pull requests: changed who is allowed to close a pull request. Now it's only
super-admin, owner or person who can merge.
Before it was every reviewer can close. Which really doesn't make sense.
- Users: show that user is disabled when editing his properties.
- Integrations: expose user_id, and username in Webhook integration
templates arguments.
- Integrations: exposed extra repo variables in template arguments of
Webhook integration.
- Login: add link when using external auth to make it easier to login
using oauth providers, such as Google or Github.
- Maintenance: added svn verify command to tasks to be able to verify the
filesystem and repo formats from web interface. Allows much easier tracking
of incompatible filesystem storage of subversion repositories.
- Events: expose permalink urls for pull requests, and repositories.
Permalink url should provide a non-changeable url that can be used in
external system.
- Svn: increase possibility to specify compatibility to pre 1.9 version.
Security
^^^^^^^^
- security(high): fixed possibility to delete other users inline comments
for users who were repository admins.
- security(med): fixed XSS inside the tooltip for author string.
- security(med): fixed stored XSS in notifications inbox.
- security(med): use custom writer for RST rendering to prevent injection of javascript: tags.
- security(med): escape flash messaged VCS errors to prevent reflected XSS attacks.
- security(low): use 404 instead of 403 code on permission decorator to
prevent brute force resource discovery attacks.
- security(low): fixed self XSS inside autocomplete files view.
- security(low): fixed self Xss inside repo strip view.
- security(low): fixed self Xss inside the email add functionality.
- security(none): use new safe escaped user attributes across the application.
Will prevent all possible XSS attack vectors from user stored attributes.
This specially can come from external authentication systems which doesn't
validate the data.
Performance
^^^^^^^^^^^
Fixes
^^^^^
- Pull requests: make sure we process comments in the order of IDS when
linking them. In some edge cases it could lead to comments not displaying
correctly.
- Emails: fixed newlines in email templates that can break email sending code.
- Markdown: fixed hr and strong tags styling.
- Notifications: fixed problem with 500 errors on non-numeric entries in url.
- API: use simple schema validator to be consistent how we validate between
API and web views for create user and create user_group calls.
- Users: fixed problem with personal repo group wasn't shown for disabled users.
- Oauth: improve Google extraction of first/last name from returned data.
Upgrade notes
^^^^^^^^^^^^^
- API: the `update_pull_request` method will no longer support a close action.
Users should use the existing `close_pull_request` method which allows
specifying a message and status while closing a pull request.