Imported Bugzilla 4.2.2.

Bugzilla/Bug.pm

@@ -1953,6 +1953,12 @@ sub _check_field_is_mandatory {
 
     return if !$field->is_visible_on_bug($params || $invocant);
 
+    return if ($field->type == FIELD_TYPE_SINGLE_SELECT
+                 && scalar @{ get_legal_field_values($field->name) } == 1);
+
+    return if ($field->type == FIELD_TYPE_MULTI_SELECT
+                 && !scalar @{ get_legal_field_values($field->name) });
+
     if (ref($value) eq 'ARRAY') {
         $value = join('', @$value);
     }

Bugzilla/Constants.pm

@@ -202,7 +202,7 @@ use Memoize;
 # CONSTANTS
 #
 # Bugzilla version
-use constant BUGZILLA_VERSION => "4.2.1";
+use constant BUGZILLA_VERSION => "4.2.2";
 
 # Location of the remote and local XML files to track new releases.
 use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml';

Bugzilla/FlagType.pm

@@ -681,7 +681,10 @@ sub sqlify_criteria {
     }
     if ($criteria->{product_id}) {
         my $product_id = $criteria->{product_id};
-        
+        detaint_natural($product_id)
+          || ThrowCodeError('bad_arg', { argument => 'product_id',
+                                         function => 'Bugzilla::FlagType::sqlify_criteria' });
+
         # Add inclusions to the query, which simply involves joining the table
         # by flag type ID and target product/component.
         push(@$tables, "INNER JOIN flaginclusions AS i ON flagtypes.id = i.type_id");
@@ -698,6 +701,10 @@ sub sqlify_criteria {
         my $addl_join_clause = "";
         if ($criteria->{component_id}) {
             my $component_id = $criteria->{component_id};
+            detaint_natural($component_id)
+              || ThrowCodeError('bad_arg', { argument => 'component_id',
+                                             function => 'Bugzilla::FlagType::sqlify_criteria' });
+
             push(@criteria, "(i.component_id = $component_id OR i.component_id IS NULL)");
             $join_clause .= "AND (e.component_id = $component_id OR e.component_id IS NULL) ";
         }
@@ -711,7 +718,10 @@ sub sqlify_criteria {
     }
     if ($criteria->{group}) {
         my $gid = $criteria->{group};
-        detaint_natural($gid);
+        detaint_natural($gid)
+          || ThrowCodeError('bad_arg', { argument => 'group',
+                                         function => 'Bugzilla::FlagType::sqlify_criteria' });
+
         push(@criteria, "(flagtypes.grant_group_id = $gid " .
                         " OR flagtypes.request_group_id = $gid)");
     }

Bugzilla/Hook.pm

@@ -426,6 +426,12 @@ Sometimes this is C<undef>, meaning that we are parsing text that is
 not a bug comment (but could still be some other part of a bug, like
 the summary line).
 
+=item C<user>
+
+The L<Bugzilla::User> object representing the user who will see the text.
+This is useful to determine how much confidential information can be displayed
+to the user.
+
 =back
 
 =head2 buglist_columns

Bugzilla/Search.pm

@@ -822,28 +822,38 @@ sub _add_extra_column {
 }
 
 # These are the columns that we're going to be actually SELECTing.
+sub _display_columns {
+    my ($self) = @_;
+    # Do not alter the list specified here at all, even if they are duplicated.
+    # Those are passed by the caller, and the caller expects to get them back
+    # in the exact same order.
+    $self->{display_columns} ||= [$self->_input_columns, $self->_extra_columns];
+    return @{ $self->{display_columns} };
+}
+
+# These are the columns that are involved in the query.
 sub _select_columns {
     my ($self) = @_;
     return @{ $self->{select_columns} } if $self->{select_columns};
 
     my @select_columns;
-    foreach my $column ($self->_input_columns, $self->_extra_columns) {
+    foreach my $column ($self->_display_columns) {
         if (my $add_first = COLUMN_DEPENDS->{$column}) {
             push(@select_columns, @$add_first);
         }
         push(@select_columns, $column);
     }
-    
+    # Remove duplicated columns.
     $self->{select_columns} = [uniq @select_columns];
     return @{ $self->{select_columns} };
 }
 
-# This takes _select_columns and translates it into the actual SQL that
+# This takes _display_columns and translates it into the actual SQL that
 # will go into the SELECT clause.
 sub _sql_select {
     my ($self) = @_;
     my @sql_fields;
-    foreach my $column ($self->_select_columns) {
+    foreach my $column ($self->_display_columns) {
         my $alias = $column;
         # Aliases cannot contain dots in them. We convert them to underscores.
         $alias =~ s/\./_/g;
@@ -1747,7 +1757,9 @@ sub do_search_function {
 sub _do_operator_function {
     my ($self, $func_args) = @_;
     my $operator = $func_args->{operator};
-    my $operator_func = OPERATORS->{$operator};
+    my $operator_func = OPERATORS->{$operator}
+      || ThrowCodeError("search_field_operator_unsupported",
+                        { operator => $operator });
     $self->$operator_func($func_args);
 }
 
@@ -2534,6 +2546,7 @@ sub _multiselect_multiple {
     
     my @terms;
     foreach my $word (@words) {
+        next if $word eq '';
         $args->{value} = $word;
         $args->{quoted} = $dbh->quote($word);
         push(@terms, $self->_multiselect_term($args));
@@ -2701,15 +2714,14 @@ sub _anyexact {
 
 sub _anywordsubstr {
     my ($self, $args) = @_;
-    my ($full_field, $value) = @$args{qw(full_field value)};
-    
+
     my @terms = $self->_substring_terms($args);
     $args->{term} = join("\n\tOR ", @terms);
 }
 
 sub _allwordssubstr {
     my ($self, $args) = @_;
-    
+
     my @terms = $self->_substring_terms($args);
     $args->{term} = join("\n\tAND ", @terms);
 }

Bugzilla/Template.pm

@@ -69,7 +69,7 @@ use constant FORMAT_2_SIZE => [19,55];
 # Pseudo-constant.
 sub SAFE_URL_REGEXP {
     my $safe_protocols = join('|', SAFE_PROTOCOLS);
-    return qr/($safe_protocols):[^\s<>\"]+[\w\/]/i;
+    return qr/($safe_protocols):[^:\s<>\"][^\s<>\"]+[\w\/]/i;
 }
 
 # Convert the constants in the Bugzilla::Constants module into a hash we can
@@ -153,8 +153,9 @@ sub get_format {
 # If you want to modify this routine, read the comments carefully
 
 sub quoteUrls {
-    my ($text, $bug, $comment) = (@_);
+    my ($text, $bug, $comment, $user) = @_;
     return $text unless $text;
+    $user ||= Bugzilla->user;
 
     # We use /g for speed, but uris can have other things inside them
     # (http://foo/bug#3 for example). Filtering that out filters valid
@@ -184,7 +185,7 @@ sub quoteUrls {
     my @hook_regexes;
     Bugzilla::Hook::process('bug_format_comment',
         { text => \$text, bug => $bug, regexes => \@hook_regexes,
-          comment => $comment });
+          comment => $comment, user => $user });
 
     foreach my $re (@hook_regexes) {
         my ($match, $replace) = @$re{qw(match replace)};
@@ -206,7 +207,7 @@ sub quoteUrls {
         map { qr/$_/ } grep($_, Bugzilla->params->{'urlbase'}, 
                             Bugzilla->params->{'sslbase'})) . ')';
     $text =~ s~\b(${urlbase_re}\Qshow_bug.cgi?id=\E([0-9]+)(\#c([0-9]+))?)\b
-              ~($things[$count++] = get_bug_link($3, $1, { comment_num => $5 })) &&
+              ~($things[$count++] = get_bug_link($3, $1, { comment_num => $5, user => $user })) &&
                ("\0\0" . ($count-1) . "\0\0")
               ~egox;
 
@@ -235,7 +236,7 @@ sub quoteUrls {
 
     # attachment links
     $text =~ s~\b(attachment\s*\#?\s*(\d+)(?:\s+\[details\])?)
-              ~($things[$count++] = get_attachment_link($2, $1)) &&
+              ~($things[$count++] = get_attachment_link($2, $1, $user)) &&
                ("\0\0" . ($count-1) . "\0\0")
               ~egmxi;
 
@@ -252,7 +253,7 @@ sub quoteUrls {
     $text =~ s~\b($bug_re(?:\s*,?\s*$comment_re)?|$comment_re)
               ~ # We have several choices. $1 here is the link, and $2-4 are set
                 # depending on which part matched
-               (defined($2) ? get_bug_link($2, $1, { comment_num => $3 }) :
+               (defined($2) ? get_bug_link($2, $1, { comment_num => $3, user => $user }) :
                               "<a href=\"$current_bugurl#c$4\">$1</a>")
               ~egox;
 
@@ -261,7 +262,7 @@ sub quoteUrls {
     $text =~ s~(?<=^\*\*\*\ This\ bug\ has\ been\ marked\ as\ a\ duplicate\ of\ )
                (\d+)
                (?=\ \*\*\*\Z)
-              ~get_bug_link($1, $1)
+              ~get_bug_link($1, $1, { user => $user })
               ~egmx;
 
     # Now remove the encoding hacks in reverse order
@@ -275,15 +276,18 @@ sub quoteUrls {
 
 # Creates a link to an attachment, including its title.
 sub get_attachment_link {
-    my ($attachid, $link_text) = @_;
+    my ($attachid, $link_text, $user) = @_;
     my $dbh = Bugzilla->dbh;
+    $user ||= Bugzilla->user;
 
     my $attachment = new Bugzilla::Attachment($attachid);
 
     if ($attachment) {
         my $title = "";
         my $className = "";
-        if (Bugzilla->user->can_see_bug($attachment->bug_id)) {
+        if ($user->can_see_bug($attachment->bug_id)
+            && (!$attachment->isprivate || $user->is_insider))
+        {
             $title = $attachment->description;
         }
         if ($attachment->isobsolete) {
@@ -323,6 +327,7 @@ sub get_attachment_link {
 sub get_bug_link {
     my ($bug, $link_text, $options) = @_;
     $options ||= {};
+    $options->{user} ||= Bugzilla->user;
     my $dbh = Bugzilla->dbh;
 
     if (defined $bug) {
@@ -699,10 +704,10 @@ sub create {
             clean_text => \&Bugzilla::Util::clean_text ,
 
             quoteUrls => [ sub {
-                               my ($context, $bug, $comment) = @_;
+                               my ($context, $bug, $comment, $user) = @_;
                                return sub {
                                    my $text = shift;
-                                   return quoteUrls($text, $bug, $comment);
+                                   return quoteUrls($text, $bug, $comment, $user);
                                };
                            },
                            1
@@ -718,10 +723,9 @@ sub create {
                           1
                         ],
 
-            bug_list_link => sub
-            {
-                my $buglist = shift;
-                return join(", ", map(get_bug_link($_, $_), split(/ *, */, $buglist)));
+            bug_list_link => sub {
+                my ($buglist, $options) = @_;
+                return join(", ", map(get_bug_link($_, $_, $options), split(/ *, */, $buglist)));
             },
 
             # In CSV, quotes are doubled, and any value containing a quote or a

Bugzilla/User.pm

@@ -1069,7 +1069,7 @@ sub get_accessible_products {
                        @{$self->get_selectable_products},
                        @{$self->get_enterable_products};
     
-    return [ values %products ];
+    return [ sort { $a->name cmp $b->name } values %products ];
 }
 
 sub check_can_admin_product {

Bugzilla/User/Setting.pm

@@ -391,10 +391,10 @@ Description: Determines if a given setting exists in the database.
 Params:      C<$setting_name> - string - the setting name
 Returns:     boolean - true if the setting already exists in the DB.
 
-=back
-
 =end private
 
+=back
+
 =head1 METHODS
 
 =over 4

Bugzilla/WebService/Server.pm

@@ -25,6 +25,7 @@ use Scalar::Util qw(blessed);
 
 sub handle_login {
     my ($self, $class, $method, $full_method) = @_;
+    ThrowCodeError('unknown_method', {method => $full_method}) if !$class;
     eval "require $class";
     ThrowCodeError('unknown_method', {method => $full_method}) if $@;
     return if ($class->login_exempt($method) 

buglist.cgi

@@ -452,7 +452,9 @@ if ($cmdtype eq "dorem") {
         # Generate and return the UI (HTML page) from the appropriate template.
         $vars->{'message'} = "buglist_query_gone";
         $vars->{'namedcmd'} = $qname;
-        $vars->{'url'} = "buglist.cgi?newquery=" . url_quote($buffer) . "&cmdtype=doit&remtype=asnamed&newqueryname=" . url_quote($qname);
+        $vars->{'url'} = "buglist.cgi?newquery=" . url_quote($buffer)
+                         . "&cmdtype=doit&remtype=asnamed&newqueryname=" . url_quote($qname)
+                         . "&token=" . url_quote(issue_hash_token(['savedsearch']));
         $template->process("global/message.html.tmpl", $vars)
           || ThrowTemplateError($template->error());
         exit;
@@ -461,6 +463,8 @@ if ($cmdtype eq "dorem") {
 elsif (($cmdtype eq "doit") && defined $cgi->param('remtype')) {
     if ($cgi->param('remtype') eq "asdefault") {
         $user = Bugzilla->login(LOGIN_REQUIRED);
+        my $token = $cgi->param('token');
+        check_hash_token($token, ['searchknob']);
         InsertNamedQuery(DEFAULT_QUERY_NAME, $buffer);
         $vars->{'message'} = "buglist_new_default_query";
     }

docs/en/html/Bugzilla-Guide.html

@@ -2,7 +2,7 @@
 <HTML
 ><HEAD
 ><TITLE
->The Bugzilla Guide - 4.2.1 
+>The Bugzilla Guide - 4.2.2 
     Release</TITLE
 ><META
 NAME="GENERATOR"
@@ -43,7 +43,7 @@ CLASS="TITLEPAGE"
 CLASS="title"
 ><A
 NAME="AEN2"
->The Bugzilla Guide - 4.2.1 
+>The Bugzilla Guide - 4.2.2 
     Release</A
 ></H1
 ><H3
@@ -51,7 +51,7 @@ CLASS="corpauthor"
 >The Bugzilla Team</H3
 ><P
 CLASS="pubdate"
->2012-04-18<BR></P
+>2012-07-26<BR></P
 ><DIV
 ><DIV
 CLASS="abstract"
@@ -683,7 +683,7 @@ NAME="newversions"
 >1.3. New Versions</A
 ></H2
 ><P
->&#13;      This is the 4.2.1 version of The Bugzilla Guide. It is so named 
+>&#13;      This is the 4.2.2 version of The Bugzilla Guide. It is so named 
       to match the current version of Bugzilla. 
        This version of the guide, like its associated Bugzilla version, is a
       development version. 

docs/en/html/about.html

@@ -7,11 +7,11 @@
 NAME="GENERATOR"
 CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
 REL="HOME"
-TITLE="The Bugzilla Guide - 4.2.1 
+TITLE="The Bugzilla Guide - 4.2.2 
     Release"
 HREF="index.html"><LINK
 REL="PREVIOUS"
-TITLE="The Bugzilla Guide - 4.2.1 
+TITLE="The Bugzilla Guide - 4.2.2 
     Release"
 HREF="index.html"><LINK
 REL="NEXT"
@@ -36,7 +36,7 @@ CELLSPACING="0"
 ><TH
 COLSPAN="3"
 ALIGN="center"
->The Bugzilla Guide - 4.2.1 
+>The Bugzilla Guide - 4.2.2 
     Release</TH
 ></TR
 ><TR
@@ -154,7 +154,7 @@ ACCESSKEY="N"
 WIDTH="33%"
 ALIGN="left"
 VALIGN="top"
->The Bugzilla Guide - 4.2.1 
+>The Bugzilla Guide - 4.2.2 
     Release</TD
 ><TD
 WIDTH="34%"

docs/en/html/administration.html

@@ -7,7 +7,7 @@
 NAME="GENERATOR"
 CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
 REL="HOME"
-TITLE="The Bugzilla Guide - 4.2.1 
+TITLE="The Bugzilla Guide - 4.2.2 
     Release"
 HREF="index.html"><LINK
 REL="PREVIOUS"
@@ -35,7 +35,7 @@ CELLSPACING="0"
 ><TH
 COLSPAN="3"
 ALIGN="center"
->The Bugzilla Guide - 4.2.1 
+>The Bugzilla Guide - 4.2.2 
     Release</TH
 ></TR
 ><TR

docs/en/html/api/Bugzilla/Hook.html

@@ -474,6 +474,13 @@ name="bug_format_comment"
 >Bugzilla::Comment</a> object representing the comment you are about to parse.</p>
 
 <p>Sometimes this is <code  class="code">undef</code>, meaning that we are parsing text that is not a bug comment (but could still be some other part of a bug, like the summary line).</p>
+
+<dt><a name="user"
+><code  class="code">user</code></a></dt>
+
+<dd>
+<p>The <a href="../Bugzilla/User.html" class="podlinkpod"
+>Bugzilla::User</a> object representing the user who will see the text. This is useful to determine how much confidential information can be displayed to the user.</p>
 </dd>
 </dl>
 

docs/en/html/api/Bugzilla/User/Setting.html

@@ -17,7 +17,6 @@ Bugzilla::User::Setting</title>
   <li class='indexItem indexItem1'><a href='#DESCRIPTION'>DESCRIPTION</a>
   <li class='indexItem indexItem1'><a href='#CLASS_FUNCTIONS'>CLASS FUNCTIONS</a>
   <li class='indexItem indexItem1'><a href='#METHODS'>METHODS</a>
-  <li class='indexItem indexItem1'><a href='#POD_ERRORS'>POD ERRORS</a>
 </ul>
 </div>
 
@@ -152,23 +151,6 @@ Params: <code  class="code">$value</code> - string - the new value for this sett
 Returns: nothing</p>
 </dd>
 </dl>
-
-<h1><a class='u' href='#___top' title='click to go to top of document'
-name="POD_ERRORS"
->POD ERRORS</a></h1>
-
-<p>Hey!
-<b>The above document had some coding errors,
-which are explained below:</b></p>
-
-<dl>
-<dt><a name="Around_line_398:"
->Around line 398:</a></dt>
-
-<dd>
-<p>You forgot a &#39;=back&#39; before &#39;=head1&#39;</p>
-</dd>
-</dl>
 <p class="backlinkbottom"><b><a name="___bottom" href="../../index.html" title="All Documents">&lt;&lt;</a></b></p>
 
 <!-- end doc -->

docs/en/html/api/index.html

@@ -2,13 +2,13 @@
 <html>
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-    <title>Bugzilla 4.2.1 API Documentation</title>
+    <title>Bugzilla 4.2.2 API Documentation</title>
   
 <link rel="stylesheet" title="style" type="text/css" href="./../../../style.css" media="all" >
 
 </head>
   <body class="contentspage">
-    <h1>Bugzilla 4.2.1 API Documentation</h1>
+    <h1>Bugzilla 4.2.2 API Documentation</h1>
 <dl class='superindex'>
 <dt><a name="Extensions">Extensions</a></dt>
 <dd>

docs/en/html/attachments.html

@@ -7,7 +7,7 @@
 NAME="GENERATOR"
 CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
 REL="HOME"
-TITLE="The Bugzilla Guide - 4.2.1 
+TITLE="The Bugzilla Guide - 4.2.2 
     Release"
 HREF="index.html"><LINK
 REL="UP"
@@ -38,7 +38,7 @@ CELLSPACING="0"
 ><TH
 COLSPAN="3"
 ALIGN="center"
->The Bugzilla Guide - 4.2.1 
+>The Bugzilla Guide - 4.2.2 
     Release</TH
 ></TR
 ><TR

docs/en/html/bug_page.html

@@ -7,7 +7,7 @@
 NAME="GENERATOR"
 CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
 REL="HOME"
-TITLE="The Bugzilla Guide - 4.2.1 
+TITLE="The Bugzilla Guide - 4.2.2 
     Release"
 HREF="index.html"><LINK
 REL="UP"
@@ -38,7 +38,7 @@ CELLSPACING="0"
 ><TH
 COLSPAN="3"
 ALIGN="center"
->The Bugzilla Guide - 4.2.1 
+>The Bugzilla Guide - 4.2.2 
     Release</TH
 ></TR
 ><TR

docs/en/html/bug_status_workflow.html

@@ -7,7 +7,7 @@
 NAME="GENERATOR"
 CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
 REL="HOME"
-TITLE="The Bugzilla Guide - 4.2.1 
+TITLE="The Bugzilla Guide - 4.2.2 
     Release"
 HREF="index.html"><LINK
 REL="UP"
@@ -38,7 +38,7 @@ CELLSPACING="0"
 ><TH
 COLSPAN="3"
 ALIGN="center"
->The Bugzilla Guide - 4.2.1 
+>The Bugzilla Guide - 4.2.2 
     Release</TH
 ></TR
 ><TR

docs/en/html/bugreports.html

@@ -7,7 +7,7 @@
 NAME="GENERATOR"
 CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
 REL="HOME"
-TITLE="The Bugzilla Guide - 4.2.1 
+TITLE="The Bugzilla Guide - 4.2.2 
     Release"
 HREF="index.html"><LINK
 REL="UP"
@@ -38,7 +38,7 @@ CELLSPACING="0"
 ><TH
 COLSPAN="3"
 ALIGN="center"
->The Bugzilla Guide - 4.2.1 
+>The Bugzilla Guide - 4.2.2 
     Release</TH
 ></TR
 ><TR

docs/en/html/classifications.html

@@ -7,7 +7,7 @@
 NAME="GENERATOR"
 CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
 REL="HOME"
-TITLE="The Bugzilla Guide - 4.2.1 
+TITLE="The Bugzilla Guide - 4.2.2 
     Release"
 HREF="index.html"><LINK
 REL="UP"
@@ -38,7 +38,7 @@ CELLSPACING="0"
 ><TH
 COLSPAN="3"
 ALIGN="center"
->The Bugzilla Guide - 4.2.1 
+>The Bugzilla Guide - 4.2.2 
     Release</TH
 ></TR
 ><TR

docs/en/html/cmdline-bugmail.html

@@ -7,7 +7,7 @@
 NAME="GENERATOR"
 CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
 REL="HOME"
-TITLE="The Bugzilla Guide - 4.2.1 
+TITLE="The Bugzilla Guide - 4.2.2 
     Release"
 HREF="index.html"><LINK
 REL="UP"
@@ -38,7 +38,7 @@ CELLSPACING="0"
 ><TH
 COLSPAN="3"
 ALIGN="center"
->The Bugzilla Guide - 4.2.1 
+>The Bugzilla Guide - 4.2.2 
     Release</TH
 ></TR
 ><TR

docs/en/html/cmdline.html

@@ -7,7 +7,7 @@
 NAME="GENERATOR"
 CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
 REL="HOME"
-TITLE="The Bugzilla Guide - 4.2.1 
+TITLE="The Bugzilla Guide - 4.2.2 
     Release"
 HREF="index.html"><LINK
 REL="UP"
@@ -38,7 +38,7 @@ CELLSPACING="0"
 ><TH
 COLSPAN="3"
 ALIGN="center"
->The Bugzilla Guide - 4.2.1 
+>The Bugzilla Guide - 4.2.2 
     Release</TH
 ></TR
 ><TR

docs/en/html/components.html

@@ -7,7 +7,7 @@
 NAME="GENERATOR"
 CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
 REL="HOME"
-TITLE="The Bugzilla Guide - 4.2.1 
+TITLE="The Bugzilla Guide - 4.2.2 
     Release"
 HREF="index.html"><LINK
 REL="UP"
@@ -38,7 +38,7 @@ CELLSPACING="0"
 ><TH
 COLSPAN="3"