patchwork:stable/2.0

Last commit made on 2019-07-05
Get this branch:
git clone -b stable/2.0 https://git.launchpad.net/patchwork

Branch information

Name:
stable/2.0
Repository:
lp:patchwork

Recent commits

3349500... by Daniel Axtens on 2019-07-05

Post-release version bump

Signed-off-by: Daniel Axtens <email address hidden>

6ead721... by Daniel Axtens on 2019-07-05

Release 2.0.4

Signed-off-by: Daniel Axtens <email address hidden>

0d91b9f... by Daniel Axtens on 2019-07-05

docs: Add a release note for CVE-2019-13122

Signed-off-by: Daniel Axtens <email address hidden>
(cherry picked from commit f48179f6368982fdeb7f2dfb515f1972d86b0991)
Signed-off-by: Daniel Axtens <email address hidden>

5c735f4... by Andrew Donnellan <email address hidden> on 2019-07-05

filters: Escape State names when generating selector HTML

States with names containing special characters are not correctly escaped
when generating the select list. Use escape() to fix this.

Signed-off-by: Andrew Donnellan <email address hidden>
(cherry picked from commit b3fa0c402e060622a5ed539a465d2fa98b1d2e13)
Signed-off-by: Daniel Axtens <email address hidden>

1a5aad5... by Daniel Axtens on 2019-07-05

tests: Add test for unescaped values in patch detail page

Add a test to check whether we are escaping values from the Patch model on
the patch detail page.

This test shouldn't be relied upon as proof that we've escaped everything
correctly, but may help catch regressions.

Signed-off-by: Andrew Donnellan <email address hidden>
(backported from df80e690bcc32d483875dcb36b488764c89ec9b6)
Signed-off-by: Daniel Axtens <email address hidden>

5cda060... by Daniel Axtens on 2019-07-05

templatetags: Do not mark output of msgid tag as safe

The msgid template tag exists to remove angle brackets from either side of
the Message-ID header.

It also marks its output as safe, meaning it does not get autoescaped by
Django templating.

Its output is not safe. A maliciously crafted email can include HTML tags
inside the Message-ID header, and as long as the angle brackets are not at
the start and end of the header, we will quite happily render them.

Rather than using mark_safe(), use escape() to explicitly escape the
Message-ID.

Signed-off-by: Andrew Donnellan <email address hidden>
(backported from 133a6c90e9826376be0f12f2ae6c2d7b076bdba0)
Signed-off-by: Daniel Axtens <email address hidden>
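
The msgid change described in the commit message above, sketched as an added example that is not Patchwork's own code. `SafeText` and `render()` are stand-ins for Django's safe-string marking and template autoescaping, the Message-ID values are constructed, and removing the brackets with `strip("<>")` is an assumption.

```python
import html


class SafeText(str):
    """Stand-in for Django's SafeString: render() emits it unescaped."""


def render(value):
    """Stand-in for template autoescaping: escape anything not marked safe."""
    return str(value) if isinstance(value, SafeText) else html.escape(value)


def msgid_marked_safe(value):
    """Behaviour before the fix: strip the brackets, then mark the result safe."""
    return SafeText(value.strip("<>"))  # assumed stripping method


def msgid_escaped(value):
    """Behaviour after the fix: strip the brackets, then escape explicitly.

    Like Django's escape(), the result is marked safe so it is not escaped twice.
    """
    return SafeText(html.escape(value.strip("<>")))


def msgid_plain(value):
    """Alternative: return an ordinary string and let autoescaping handle it."""
    return value.strip("<>")


# Constructed Message-ID headers, not taken from real mail.
BENIGN = "<20190705.1234@example.com>"
CRAFTED = "<abc<b>bold</b>@example.com>"  # tags are not at the start or end

if __name__ == "__main__":
    for header in (BENIGN, CRAFTED):
        print("header      :", header)
        print("marked safe :", render(msgid_marked_safe(header)))
        print("escaped     :", render(msgid_escaped(header)))
        print("autoescaped :", render(msgid_plain(header)))
```

Only the marked-safe variant lets the embedded tags reach the page; a regression test for a template filter like this can assert that no raw `<` survives rendering.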

a2a51cb... by Stephen Finucane <email address hidden> on 2018-10-06

Revert "models: Use 'base_manager_name'"

This reverts commit 8585ea5afec383c9c5622843bcff0e6c448614c7.

This change required a migration which was not included in 2.0.0. It's
not possible to backport the migration but since this change only hides
a warning in the versions of Django supported here, it's easy to just
revert this.

Signed-off-by: Stephen Finucane <email address hidden>
Closes: #192
Stable-Only

75564e9... by Stephen Finucane <email address hidden> on 2018-10-06

Revert "models: Only set 'base_manager_name' for Django >= 1.10"

This reverts commit 5708fb48adecfd9929366b114bdb6d4cd09df74e.

This change required a migration which was not included in 2.0.0. It's
not possible to backport the migration but since this change only hides
a warning in the versions of Django supported here, it's easy to just
revert this.

Signed-off-by: Stephen Finucane <email address hidden>
Stable-Only

1cb6375... by Stephen Finucane <email address hidden> on 2018-10-06

Revert "models: Series plural name is Series"

This reverts commit ed7328fdb13d0f286eb873d58e4fec606d20cdee.

This change required a migration which was not included in 2.0.0. It's
not possible to backport the migration but since this change wasn't
absolutely necessary, it's easy to just revert this.

Signed-off-by: Stephen Finucane <email address hidden>
Stable-Only

16c2052... by Stephen Finucane <email address hidden> on 2018-06-14

Post-release version bump

Signed-off-by: Stephen Finucane <email address hidden>