v2.0 Series (“Dazzle”)
CVE-2019-13122 has been fixed. Andrew Donnellan discovered an XSS via the message-id field. A malicious user could send a patch with a message ID that included a script tag. Because of the quirks of the email RFCs, such a message ID can survive being sent through many mail systems, including Gmail, and be parsed and stored by Patchwork. When a user viewed a patch detail page for the patch with this message id, the script would be run. This is fixed by properly escaping the field before it is rendered.
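An added illustration of the class of bug described above (not Patchwork's own code): a constructed mail whose Message-ID carries a script tag is parsed with Python's email module, which keeps the header verbatim, and the value is then rendered with and without HTML escaping.

```python
import email
import html

# Constructed sample message. The quoted local part is legal under the email
# RFCs, so a tag inside it can pass through mail systems untouched.
RAW_MAIL = (
    "From: dev@example.com\n"
    "To: list@example.com\n"
    "Subject: [PATCH] Fix widget\n"
    'Message-Id: <"<script>x</script>"@example.com>\n'
    "\n"
    "body\n"
)


def message_id(raw: str) -> str:
    """Return the Message-ID header exactly as the parser stores it."""
    msg = email.message_from_string(raw)
    return msg["Message-Id"]


def render_unsafe(msgid: str) -> str:
    """Pre-fix behaviour: the stored header is interpolated into HTML as-is,
    so a tag inside it becomes live markup on the patch detail page."""
    return f"<td>{msgid}</td>"


def render_safe(msgid: str) -> str:
    """Fixed behaviour: escape the field before it is rendered, which is what
    Django's template autoescape does for template variables."""
    return f"<td>{html.escape(msgid, quote=True)}</td>"


if __name__ == "__main__":
    mid = message_id(RAW_MAIL)
    print(render_unsafe(mid))
    print(render_safe(mid))
```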
If a patch was processed by Patchwork before series support was added, it will not have a series associated with it. As a result, it is not possible to extract the dependencies for that patch from the series. This was not previously handled correctly. A 404 is now raised if this occurs.
The parsemail-batch.sh scripts, found in patchwork/bin, will now default to using manage.py. This resolves an issue when Patchwork is deployed with a virtualenv.
Resolve some issues caused by parallel parsing of series.
Poorly formatted email headers are now handled correctly.
Patches with CRLF newlines are now parsed correctly and these line endings are stripped when saving patches.
Resolved some issues with pagination.
Emails from git-pull-request v2.14.3+ are now handled correctly.
Token generation from the web UI is now disabled if the REST API is disabled. This was causing an exception.
Non-breaking spaces in tags are now handled correctly.
Patches with no space before the series marker, such as PATCH1/8, are now parsed correctly.
Handle requests for pages out of range.
Fix SQL permissions scripts for tables and columns added in 2.0.
Fix filtering of projects by name.
Fix “add to bundle” dropdown.
Performance improvements for the XML-RPC API.
The v2.0.0 release includes many new features and bug fixes. For full information on the options available, you should look at the full release notes in detail. However, there are two key features that make v2.0.0 a worthwhile upgrade:
A REST API is now provided, which will eventually replace the legacy XML-RPC API
Patch series and series cover letters are now supported
For further information on these features and the other changes in this release, review the full release notes.
Previous versions of Patchwork provided an XML-RPC API. This was functional but there were a couple of issues around usability and general design. This API also provided basic versioning information but the existing clients, mostly pwclient variants, did not validate this version. Together, this left us with an API that needed work but no way to fix it without breaking every client out there.
Rather than breaking all those users, we made a clean break and provided another API method. REST APIs are the API method du jour and offer a number of advantages over XML-RPC APIs, so a REST API was chosen. The following resources are exposed over this new API:
For information on the usage of the API, refer to the documentation.
Cover letters are now supported.
Cover letters are often sent in addition to a series of patches. They do not contain a diff and can generally be identified as number 0 of a series. For example:
[PATCH 0/3] A cover letter
Cover letters contain useful information that should not be discarded. Both cover letters and replies to these mails are now stored for use with series.
Series are now supported.
Series are groups of patches sent as one bundle. For example:
[PATCH 0/3] A cover letter
[PATCH 1/3] The first patch
[PATCH 2/3] The second patch
[PATCH 3/3] The third patch
While Patchwork already supports bundles, these must be created manually, defeating the purpose of using series in the first place. Series make use of the information provided in the emails themselves, avoiding this manual step. The series support implemented is basic and does not support versioning. This will be added in a future release.
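As an added example (not Patchwork's own parser), a minimal subject-line parser covering the markers described in this section and in the earlier note on markers with no space before the number: it identifies cover letters as number 0 of a series, accepts forms such as PATCH1/8, and reports which patches of a series are missing. The subjects below are constructed sample input.

```python
import re

# Marker such as "[PATCH 0/3]", "[PATCH1/8]" (no space) or "[PATCH v2 2/3]".
# Everything before the N/M pair is treated as free-form tags.
_MARKER = re.compile(r"\[(?P<tags>[^\]]*?)\s*(?P<num>\d+)\s*/\s*(?P<total>\d+)\]")

# Constructed sample series with the second patch deliberately missing.
SAMPLE_SUBJECTS = [
    "[PATCH 0/3] A cover letter",
    "[PATCH 1/3] The first patch",
    "[PATCH3/3] The third patch",
    "Unrelated mail without a marker",
]


def parse_series_marker(subject):
    """Return (number, total) from the first N/M marker, or None if absent."""
    m = _MARKER.search(subject)
    if not m:
        return None
    return int(m.group("num")), int(m.group("total"))


def is_cover_letter(subject):
    """Cover letters are numbered 0 of a series and carry no diff."""
    marker = parse_series_marker(subject)
    return marker is not None and marker[0] == 0


def series_summary(subjects):
    """Split one series' subjects into (cover letter, ordered patches, missing
    numbers); subjects without a marker are ignored."""
    cover, patches, total = None, {}, 0
    for subject in subjects:
        marker = parse_series_marker(subject)
        if marker is None:
            continue
        num, tot = marker
        total = max(total, tot)
        if num == 0:
            cover = subject
        else:
            patches[num] = subject
    missing = sorted(set(range(1, total + 1)) - set(patches))
    return cover, [patches[n] for n in sorted(patches)], missing
```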
All comments now have a permalink which can be used to reference individual replies to patches and cover letters.
Django Debug Toolbar is now enabled by default when using development settings.
Python 3.5 is now supported.
Series markers are now parsed from patches generated by the Mercurial Patchbomb extension.
The REST API is enabled by default. It is possible to disable this API, though this functionality may be removed in a future release. Should you wish to disable this feature, configure the
The parsearchive.py scripts have been replaced by the parsearchive management commands. These can be called like any other management commands. For example:
$ ./manage.py parsemail [args...]
DEFAULT_PATCHES_PER_PAGE has been renamed to DEFAULT_ITEMS_PER_PAGE, as it is now possible to list cover letters in addition to patches.
The context field for patch checks must now be a slug, that is, a string consisting of only ASCII letters, numbers, underscores or hyphens. While older, non-slugified strings won’t cause issues, any scripts creating contexts must be updated where necessary.
When downloading an mbox, a user’s name will now be set to the name used in the last email received from them. Previously, the name used in the first email received from a user was used.
“user at domain”-style email addresses, commonly found in Mailman archives, are now handled correctly.
Unicode characters transmitted over the XML-RPC API are now handled correctly under Python 3.
The pwclient tool will no longer attempt to re-encode unicode to ASCII bytes, which was a frequent cause of UnicodeEncodeError exceptions. Instead, a warning is produced if your environment is not configured for unicode.