v2.1 Series (“Eolienne”)


Bug Fixes

  • Queries to the REST API with filters are now significantly faster: slow database queries were reworked.

  • An sql error was fixed in lib/sql/grant-all.postgres.sql.


Bug Fixes

  • CVE-2019-13122 has been fixed. Andrew Donnellan discovered an XSS via the message-id field. A malicious user could send a patch with a message ID that included a script tag. Because of the quirks of the email RFCs, such a message ID can survive being sent through many mail systems, including Gmail, and be parsed and stored by Patchwork. When a user viewed a patch detail page for the patch with this message id, the script would be run. This is fixed by properly escaping the field before it is rendered.

  • The pwclientrc samples generated by Patchwork were previously not valid INI files. This issue is resolved. (#277)


Bug Fixes

  • #197 was the result of a issue with OzLabs instance and not Patchwork itself, and the fix included actually ended up corrupting subjects for everyone. It has now been reverted.

  • In the past, Patchwork used to support filtering patches that weren’t delegated to anyone. This feature was removed in v1.1.0, as part of a patch designed to support delegation to anyone. However, that feature didn’t scale and was later removed. The ability to delegate to anyone is now itself re-introduced.


Upgrade Notes

Bug Fixes

  • Assigning maintained projects when creating a new user in the admin page was causing an error. This is now resolved.

  • Long headers can be wrapped using CRLF followed by WSP (whitespace). This whitespace was not being stripped, resulting in errant whitespace being saved for the patch subject. This is resolved though existing patches and cover letters will need to be updated manually.

  • API resources with embedded series were not showing the web_url value for these series. This is now shown.

  • Showing comments for a non-existant patch or cover letter was returning an empty response instead of a HTTP 404. This issue is resolved for both resources.

  • Showing checks for a non-existant patch was returning an empty response instead of a HTTP 404. Similarly, attempting to create a new check against this patch would result in a HTTP 5xx error instead of a HTTP 404. Both issues are now resolved.

  • Fields added in API v1.1 are now consistently excluded when requesting API v1.0, as was intended.


Bug Fixes

  • An issue that resulted in checks for all patches being listed for each patch is resolved. (#203)

  • An issue that prevented updating of delegates using the REST API is resolved. (#216)

  • A project’s list_email, list_id and link_name fields can no longer be updated via the REST API. This is a superuser-only operation that, for now, should only be done via the admin interface. (#217)

  • It’s now possible to assign patches to existing bundles from a user’s TODO page. (#213)

  • The delegate and submitter fields will remain populated when moving between different pages or changing filters. (#78)



The key part of this release is a major performance fix - denormalising the project field into patch model so that counting a project’s patches doesn’t require a JOIN. This requires a migration and so isn’t suitable for a stable backport. Event listing in the API has also been sped up by refactoring the queries.

This release also includes the feature development that had accrued in the mean time and numerous bug fixes.

The REST API version has been bumped to 1.1.

New Features

  • Allow list filtering into multiple projects (and email dropping) based on subject prefixes. Enable by specifying a regular expression which needs to be matched in the subject on a per-project basis (field subject_match). Project with empty subject_match field (and matching list_id) serves as a default in case of no match.

  • The pwclient get command will now download patches with a .patch extension.

Known Issues

  • Series parsing in the presence of parallel mail processing is still unreliable.

Upgrade Notes

  • Django 1.6 and 1.7 are no longer supported. These are no longer supported upstream and most distributions provide a newer version.

  • django-filter 0.11 is no longer supported. This was only used with Django 1.6 and 1.7 and is not compatible with any version supported by Patchwork.

Bug Fixes

  • If a patch was processed by Patchwork before series support was added, it will not have a series associated with it. As a result, it is not possible to extract the dependencies for that patch from the series. This was not previously handled correctly. A 404 is now raised if this occurs.

  • A nasty race condition bug that could cause patches in a series to be dropped has been fixed.

  • The parsemail.sh and parsemail-batch.sh scripts, found in patchwork/bin, will now default to using python rather than python2 for calling manage.py. This resolves an issue when Patchwork is deployed with a virtualenv.

API Changes

  • Links to related comments are now exposed when checking patch and cover letter details. The comments themselves are then available via /patches/{patchID}/comments and /covers/{coverID}/comments endpoints. Please note that comments are available only since API version 1.1

  • Cover letters embedded in other responses now provide an mbox link, which can be used to download the cover letter and associated metadata (tags) in mbox format.

  • Series, patches and cover letters can be filtered by submitter using email addresses. For example:

    $ curl /covers/?submitter=stephen@that.guru
  • Bundles can be filtered by owner, patches by delegate and checks by user using username. For example:

    $ curl /bundles/?owner=stephenfin
  • Filters can now be specified multiple times. For example:

    $ curl /patches/?state=under-review&state=rfc

    This operates as a logical OR: it will retrieve patches that are either Under Review or RFC.

  • The /project endpoint now exposes a subject_match attribute.

  • Messages headers that use the same key, such as Received: are now combined into a list. Previously only one of the values would be output. This affects the /covers and /patches endpoints.

Other Notes

  • The patch ID on the patch detail page can now be clicked to copy it. This is similar to what we already do on the patch list page.

  • mbox files now contain all headers from the original email. This also means the Subject: header included will contain the original subject and not the parsed Patchwork’s version.

  • Unify timezones used – use UTC for both email submissions and internal events. Please note that this change doesn’t modify already existing data so in case the instance’s timezone is UTC+XX, events will appear out of order (as if they happened earlier) for XX hours in the events API feed.