From cd5125ff273024d5c371468b1e98a3cbf7c14b9a Mon Sep 17 00:00:00 2001
From: Jeremy Katz
Date: Mon, 23 Oct 2006 14:48:43 +0000
Subject: [PATCH 001/153] Initialize branch FC-6 for bugzilla
---
branch | 1 +
1 file changed, 1 insertion(+)
create mode 100644 branch
diff --git a/branch b/branch
new file mode 100644
index 0000000..d5b6362
--- /dev/null
+++ b/branch
@@ -0,0 +1 @@
+FC-6
From 0b660182db05fd19f4ba252f4b3a554eb83bd2ff Mon Sep 17 00:00:00 2001
From: John Berninger
Date: Thu, 9 Nov 2006 00:25:54 +0000
Subject: [PATCH 002/153] Fix for bz 212355 - multiple vulns
---
bugzilla-bz212355-fixvuln.patch | 12626 ++++++++++++++++++++++++++++++
bugzilla.spec | 7 +-
2 files changed, 12632 insertions(+), 1 deletion(-)
create mode 100644 bugzilla-bz212355-fixvuln.patch
diff --git a/bugzilla-bz212355-fixvuln.patch b/bugzilla-bz212355-fixvuln.patch
new file mode 100644
index 0000000..0ce59fe
--- /dev/null
+++ b/bugzilla-bz212355-fixvuln.patch
@@ -0,0 +1,12626 @@ +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/attachment.cgi bugzilla-2.22.1/attachment.cgi +--- bugzilla-2.22/attachment.cgi 2006-04-09 11:28:49.000000000 -0700 ++++ bugzilla-2.22.1/attachment.cgi 2006-10-14 14:07:19.000000000 -0700 +@@ -130,6 +130,7 @@ + sub validateID + { + my $param = @_ ? $_[0] : 'id'; ++ my $user = Bugzilla->user; + + # If we're not doing interdiffs, check if id wasn't specified and + # prompt them with a page that allows them to choose an attachment. +@@ -151,18 +152,18 @@ + || ThrowUserError("invalid_attach_id", { attach_id => $cgi->param($param) }); + + # Make sure the attachment exists in the database. +- SendSQL("SELECT bug_id, isprivate FROM attachments WHERE attach_id = $attach_id"); ++ SendSQL("SELECT bug_id, isprivate, submitter_id ++ FROM attachments WHERE attach_id = $attach_id"); + MoreSQLData() + || ThrowUserError("invalid_attach_id", { attach_id => $attach_id }); + + # Make sure the user is authorized to access this attachment's bug. +- (my $bugid, my $isprivate) = FetchSQLData(); ++ my ($bugid, $isprivate, $submitter_id) = FetchSQLData(); + + ValidateBugID($bugid); +- if ($isprivate && Param("insidergroup")) { +- UserInGroup(Param("insidergroup")) +- || ThrowUserError("auth_failure", {action => "access", +- object => "attachment"}); ++ if ($isprivate && $user->id != $submitter_id && !$user->is_insider) { ++ ThrowUserError("auth_failure", {action => "access", ++ object => "attachment"}); + } + + return ($attach_id,$bugid); +@@ -199,17 +200,23 @@ + sub validateCanEdit + { + my ($attach_id) = (@_); ++ my $user = Bugzilla->user; + +- # People in editbugs can edit all attachments +- return if UserInGroup("editbugs"); ++ my $attachment = Bugzilla::Attachment->get($attach_id); + + # Bug 97729 - the submitter can edit their attachments +- SendSQL("SELECT attach_id FROM attachments WHERE " . +- "attach_id = $attach_id AND submitter_id = " . 
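Review bot: The rewritten `SendSQL` call in validateID (hunk @@ -151,18 +152,18 @@) still splices `$attach_id` into the statement text, so the query is only as safe as the validation whose tail (`|| ThrowUserError("invalid_attach_id", ...)`) is the first context line of the hunk. Other hunks of this patch already bind their values (`WHERE attach_id = ?` in update, `WHERE bug_id = ?` in Bugzilla/Attachment.pm), and this lookup could do the same: `my ($bugid, $isprivate, $submitter_id) = Bugzilla->dbh->selectrow_array('SELECT bug_id, isprivate, submitter_id FROM attachments WHERE attach_id = ?', undef, $attach_id);`, with a `defined $bugid` test taking the place of `MoreSQLData()`. The same string-building appears in the new `DELETE FROM attach_data WHERE id IN (...)` in Bugzilla/Bug.pm and in the rewritten `i.product_id = $product_id` and `e.component_id = $component_id` criteria in Bugzilla/FlagType.pm; how those values are validated lies outside their hunks. validateID itself starts and ends outside this hunk.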
Bugzilla->user->id); ++ return if ($attachment->attacher->id == $user->id); + +- FetchSQLData() +- || ThrowUserError("illegal_attachment_edit", +- { attach_id => $attach_id }); ++ # Only people in the insider group can view private attachments. ++ if ($attachment->isprivate && !$user->is_insider) { ++ ThrowUserError('illegal_attachment_edit', {attach_id => $attachment->id}); ++ } ++ ++ # People in editbugs can edit all attachments ++ return if UserInGroup("editbugs"); ++ ++ # If we come here, then this attachment cannot be seen by the user. ++ ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id }); + } + + sub validateCanChangeAttachment +@@ -393,7 +400,8 @@ + my @obsolete_ids = (); + + # Make sure the attachment id is valid and the user has permissions to view +- # the bug to which it is attached. ++ # the bug to which it is attached. Make sure also that the user can view ++ # the attachment itself. + foreach my $attachid ($cgi->param('obsolete')) { + my $vars = {}; + $vars->{'attach_id'} = $attachid; +@@ -410,6 +418,9 @@ + + my ($bugid, $isobsolete, $description) = FetchSQLData(); + ++ # Check that the user can modify this attachment ++ validateCanEdit($attachid); ++ + $vars->{'description'} = $description; + + if ($bugid != $cgi->param('bugid')) +@@ -424,8 +435,6 @@ + ThrowCodeError("attachment_already_obsolete", $vars); + } + +- # Check that the user can modify this attachment +- validateCanEdit($attachid); + push(@obsolete_ids, $attachid); + } + +@@ -759,28 +768,35 @@ + } + else + { +- $vars->{other_patches} = []; ++ my @other_patches = (); + if ($::interdiffbin && $::diffpath) { +- # Get list of attachments on this bug. ++ # Get the list of attachments that the user can view in this bug. ++ my @attachments = @{Bugzilla::Attachment->get_attachments_by_bug($bugid)}; ++ # Extract patches only. ++ @attachments = grep {$_->ispatch == 1} @attachments; ++ # We want them sorted from newer to older. 
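Review bot: The two new comments in validateCanEdit describe viewing while the code decides editing: `# Only people in the insider group can view private attachments.` guards an `illegal_attachment_edit` error, and `# If we come here, then this attachment cannot be seen by the user.` precedes the same error for a user who may well be able to see the attachment. I would word them as `# Non-insiders may not edit a private attachment they did not submit.` and `# Neither the submitter nor a member of editbugs: refuse the edit.`. Separately, `$attachment->attacher` is called on whatever `Bugzilla::Attachment->get($attach_id)` returns; if that can be undef for an unknown id (not visible here), a guard such as `$attachment || ThrowUserError('invalid_attach_id', { attach_id => $attach_id });` would turn a fatal error into the normal user error.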
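Review bot: The comment on the moved call in the obsolete-attachment loop (hunk @@ -410,6 +418,9 @@), `# Check that the user can modify this attachment`, does not say why the check now has to run before the errors that follow it. The already-obsolete error visibly receives `$vars`, which carries `description`, so presumably the point is that an unauthorised user must fail before any attachment detail can reach an error page. Stating that, e.g. `# Must run before any error below: $vars carries the description of a possibly private attachment.`, would stop a later cleanup from moving the call back; the paired removal is in hunk @@ -424,8 +435,6 @@, and the enclosing function lies outside both hunks.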
++ @attachments = sort { $b->id <=> $a->id } @attachments; ++ + # Ignore the current patch, but select the one right before it + # chronologically. +- SendSQL("SELECT attach_id, description FROM attachments WHERE bug_id = $bugid AND ispatch = 1 ORDER BY creation_ts DESC"); + my $select_next_patch = 0; +- while (my ($other_id, $other_desc) = FetchSQLData()) { +- if ($other_id eq $attach_id) { +- $select_next_patch = 1; +- } else { +- push @{$vars->{other_patches}}, { id => $other_id, desc => $other_desc, selected => $select_next_patch }; +- if ($select_next_patch) { +- $select_next_patch = 0; ++ foreach my $attach (@attachments) { ++ if ($attach->id == $attach_id) { ++ $select_next_patch = 1; ++ } ++ else { ++ push(@other_patches, { 'id' => $attach->id, ++ 'desc' => $attach->description, ++ 'selected' => $select_next_patch }); ++ $select_next_patch = 0; + } +- } + } + } + + $vars->{bugid} = $bugid; + $vars->{attachid} = $attach_id; + $vars->{description} = $description; ++ $vars->{other_patches} = \@other_patches; + setup_template_patch_reader($last_reader, $format, $context); + # Actually print out the patch + $reader->iterate_string("Attachment $attach_id", $thedata); +@@ -795,37 +811,10 @@ + my $bugid = $cgi->param('bugid'); + ValidateBugID($bugid); + +- # Retrieve the attachments from the database and write them into an array +- # of hashes where each hash represents one attachment. +- my $privacy = ""; +- my $dbh = Bugzilla->dbh; +- +- if (Param("insidergroup") && !(UserInGroup(Param("insidergroup")))) { +- $privacy = "AND isprivate < 1 "; ++ my $attachments = Bugzilla::Attachment->get_attachments_by_bug($bugid); ++ foreach my $a (@$attachments) { ++ $a->{'isviewable'} = isViewable($a->contenttype); + } +- SendSQL("SELECT attach_id, " . +- $dbh->sql_date_format('creation_ts', '%Y.%m.%d %H:%i') . 
", +- mimetype, description, ispatch, isobsolete, isprivate, +- LENGTH(thedata) +- FROM attachments +- INNER JOIN attach_data +- ON attach_id = id +- WHERE bug_id = $bugid $privacy +- ORDER BY attach_id"); +- my @attachments; # the attachments array +- while (MoreSQLData()) +- { +- my %a; # the attachment hash +- ($a{'attachid'}, $a{'date'}, $a{'contenttype'}, +- $a{'description'}, $a{'ispatch'}, $a{'isobsolete'}, $a{'isprivate'}, +- $a{'datasize'}) = FetchSQLData(); +- $a{'isviewable'} = isViewable($a{'contenttype'}); +- $a{'flags'} = Bugzilla::Flag::match({ 'attach_id' => $a{'attachid'}, +- 'is_active' => 1 }); +- +- # Add the hash representing the attachment to the array of attachments. +- push @attachments, \%a; +- } + + # Retrieve the bug summary (for displaying on screen) and assignee. + SendSQL("SELECT short_desc, assigned_to FROM bugs " . +@@ -834,7 +823,7 @@ + + # Define the variables and functions that will be passed to the UI template. + $vars->{'bugid'} = $bugid; +- $vars->{'attachments'} = \@attachments; ++ $vars->{'attachments'} = $attachments; + $vars->{'bugassignee_id'} = $assignee_id; + $vars->{'bugsummary'} = $bugsummary; + $vars->{'GetBugLink'} = \&GetBugLink; +@@ -922,8 +911,9 @@ + validateIsPatch(); + validateDescription(); + +- if (($attachurl =~ /^(http|https|ftp):\/\/\S+/) +- && !(defined $cgi->upload('data'))) { ++ if (Param('allow_attach_url') ++ && ($attachurl =~ /^(http|https|ftp):\/\/\S+/) ++ && !defined $cgi->upload('data')) { + $filename = ''; + $data = $attachurl; + $isurl = 1; +@@ -1125,9 +1115,9 @@ + # Retrieve a list of attachments for this bug as well as a summary of the bug + # to use in a navigation bar across the top of the screen. + my $bugattachments = +- $dbh->selectcol_arrayref('SELECT attach_id FROM attachments +- WHERE bug_id = ? ORDER BY attach_id', +- undef, $attachment->bug_id); ++ Bugzilla::Attachment->get_attachments_by_bug($attachment->bug_id); ++ # We only want attachment IDs. 
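Review bot: The new loop in the view-all code (hunk @@ -795,37 +811,10 @@) names its variable `$a`, which is also the name `sort` uses for its comparison pair; this same patch relies on that in `sort { $b->id <=> $a->id }`, and a lexical `$a` in scope breaks any sort block written later in that scope. `foreach my $attachment (@$attachments) { $attachment->{'isviewable'} = isViewable($attachment->contenttype); }` avoids the clash. The loop also writes `isviewable` straight into the object's hash rather than through an accessor, which deserves a one-line comment since the template presumably reads it. The enclosing function starts and ends outside the hunk.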
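Review bot: The scheme test `$attachurl =~ /^(http|https|ftp):\/\/\S+/` in the URL-attachment branch (hunk @@ -922,8 +911,9 @@) is anchored only at the start, so a value that begins with an accepted URL and then continues after whitespace still matches, and the whole of `$attachurl` is what gets assigned to `$data`. Now that the branch is gated by `Param('allow_attach_url')`, anchoring the end as well, `$attachurl =~ /\A(?:http|https|ftp):\/\/\S+\z/`, would make the stored value exactly one whitespace-free URL. How `$data` is stored and rendered afterwards is outside this hunk, as is the rest of the enclosing function.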
++ @$bugattachments = map { $_->id } @$bugattachments; + + my ($bugsummary, $product_id, $component_id) = + $dbh->selectrow_array('SELECT short_desc, product_id, component_id +@@ -1171,7 +1161,8 @@ + sub update + { + my $dbh = Bugzilla->dbh; +- my $userid = Bugzilla->user->id; ++ my $user = Bugzilla->user; ++ my $userid = $user->id; + + # Retrieve and validate parameters + ValidateComment(scalar $cgi->param('comment')); +@@ -1184,6 +1175,19 @@ + validateIsObsolete(); + validatePrivate(); + ++ # If the submitter of the attachment is not in the insidergroup, ++ # be sure that he cannot overwrite the private bit. ++ # This check must be done before calling Bugzilla::Flag*::validate(), ++ # because they will look at the private bit when checking permissions. ++ # XXX - This is a ugly hack. Ideally, we shouldn't have to look at the ++ # old private bit twice (first here, and then below again), but this is ++ # the less risky change. ++ unless ($user->is_insider) { ++ my $oldisprivate = $dbh->selectrow_array('SELECT isprivate FROM attachments ++ WHERE attach_id = ?', undef, $attach_id); ++ $cgi->param('isprivate', $oldisprivate); ++ } ++ + # The order of these function calls is important, as both Flag::validate + # and FlagType::validate assume User::match_field has ensured that the + # values in the requestee fields are legitimate user email addresses. +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/buglist.cgi bugzilla-2.22.1/buglist.cgi +--- bugzilla-2.22/buglist.cgi 2006-02-20 16:05:56.000000000 -0800 ++++ bugzilla-2.22.1/buglist.cgi 2006-08-08 18:30:53.000000000 -0700 +@@ -118,6 +118,13 @@ + Bugzilla->logout_request(); + } + ++# An agent is a program that automatically downloads and extracts data ++# on its user's behalf. If this request comes from an agent, we turn off ++# various aspects of bug list functionality so agent requests succeed ++# and coexist nicely with regular user requests. 
Currently the only agent ++# we know about is Firefox's microsummary feature. ++my $agent = ($cgi->http('X-Moz') && $cgi->http('X-Moz') =~ /\bmicrosummary\b/); ++ + # Determine the format in which the user would like to receive the output. + # Uses the default format if the user did not specify an output format; + # otherwise validates the user's choice against the list of available formats. +@@ -139,8 +146,9 @@ + && $ENV{'HTTP_USER_AGENT'} =~ /Mozilla.[3-9]/ + && $ENV{'HTTP_USER_AGENT'} !~ /[Cc]ompatible/ + && $ENV{'HTTP_USER_AGENT'} !~ /WebKit/ +- && !defined($cgi->param('serverpush')) +- || $cgi->param('serverpush'); ++ && !$agent ++ && !defined($cgi->param('serverpush')) ++ || $cgi->param('serverpush'); + + my $order = $cgi->param('order') || ""; + my $order_from_cookie = 0; # True if $order set using the LASTORDER cookie +@@ -667,7 +675,7 @@ + push (@selectcolumns,"product"); + } + +-# remaining and actual_time are required for precentage_complete calculation: ++# remaining and actual_time are required for percentage_complete calculation: + if (lsearch(\@displaycolumns, "percentage_complete") >= 0) { + push (@selectcolumns, "remaining_time"); + push (@selectcolumns, "actual_time"); +@@ -811,7 +819,7 @@ + # LASTORDER cookies (or bookmarks) may contain full names. + # Convert them to an ID here. 
+ if ($fragment =~ / AS (\w+)/) { +- $fragment = $columns->{$1}->{'id'}; ++ $fragment = $1; + } + + $fragment =~ tr/a-zA-Z\.0-9\-_//cd; +@@ -1083,7 +1091,7 @@ + my $contenttype; + my $disp = "inline"; + +-if ($format->{'extension'} eq "html") { ++if ($format->{'extension'} eq "html" && !$agent) { + if ($order) { + $cgi->send_cookie(-name => 'LASTORDER', + -value => $order, +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/Attachment.pm bugzilla-2.22.1/Bugzilla/Attachment.pm +--- bugzilla-2.22/Bugzilla/Attachment.pm 2006-01-09 12:38:57.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/Attachment.pm 2006-10-14 14:07:19.000000000 -0700 +@@ -396,7 +396,8 @@ + + =item C + +-Description: retrieves and returns the attachments for the given bug. ++Description: retrieves and returns the attachments the currently logged in ++ user can view for the given bug. + + Params: C<$bug_id> - integer - the ID of the bug for which + to retrieve and return attachments. +@@ -409,10 +410,22 @@ + + sub get_attachments_by_bug { + my ($class, $bug_id) = @_; +- my $attach_ids = Bugzilla->dbh->selectcol_arrayref("SELECT attach_id +- FROM attachments +- WHERE bug_id = ?", +- undef, $bug_id); ++ my $user = Bugzilla->user; ++ my $dbh = Bugzilla->dbh; ++ ++ # By default, private attachments are not accessible, unless the user ++ # is in the insider group or submitted the attachment. ++ my $and_restriction = ''; ++ my @values = ($bug_id); ++ ++ unless ($user->is_insider) { ++ $and_restriction = 'AND (isprivate = 0 OR submitter_id = ?)'; ++ push(@values, $user->id); ++ } ++ ++ my $attach_ids = $dbh->selectcol_arrayref("SELECT attach_id FROM attachments ++ WHERE bug_id = ? 
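Review bot: The context comment above the changed line in buglist.cgi (hunk @@ -811,7 +819,7 @@) still reads `# Convert them to an ID here.`, but the new `$fragment = $1;` keeps the `AS` alias instead of looking up `$columns->{$1}->{'id'}`, so the comment now describes the removed behaviour. Something like `# Keep only the \w+ alias; the expression text from the cookie or bookmark is discarded.` matches what the line does. It is also worth saying next to the `tr/a-zA-Z\.0-9\-_//cd` filter whether the resulting name is later checked against the known columns, which cannot be seen from this hunk. The enclosing loop starts and ends outside the hunk.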
$and_restriction", ++ undef, @values); + my $attachments = Bugzilla::Attachment->get_list($attach_ids); + return $attachments; + } +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/BugMail.pm bugzilla-2.22.1/Bugzilla/BugMail.pm +--- bugzilla-2.22/Bugzilla/BugMail.pm 2006-01-07 08:16:53.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/BugMail.pm 2006-09-22 16:00:32.000000000 -0700 +@@ -426,7 +426,8 @@ + $relationship, + $diffs, + $newcomments, +- $changer)) ++ $changer, ++ !$start)) + { + push(@rels_which_want, $relationship); + } +@@ -641,7 +642,8 @@ + $headers = new Mail::Header \@header_lines, Modify => 0; + } + +- my $from = $headers->get('from'); ++ # Use trim to remove any whitespace (incl. newlines) ++ my $from = trim($headers->get('from')); + + if (Param("mail_delivery_method") eq "sendmail" && $^O =~ /MSWin32/i) { + my $cmd = '|' . SENDMAIL_EXE . ' -t -i'; +@@ -782,6 +784,7 @@ + $head->mime_attr('Content-Type.charset' => 'UTF-8'); + } + ++ $head->mime_attr('MIME-Version' => '1.0'); + $head->fold(75); + return $entity; + } +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/Bug.pm bugzilla-2.22.1/Bugzilla/Bug.pm +--- bugzilla-2.22/Bugzilla/Bug.pm 2006-04-12 15:57:53.000000000 -0700 ++++ bugzilla-2.22.1/Bugzilla/Bug.pm 2006-08-24 14:33:19.000000000 -0700 +@@ -35,8 +35,6 @@ + @settable_resolution %components %versions %target_milestone + @enterable_products %milestoneurl %prodmaxvotes); + +-use CGI::Carp qw(fatalsToBrowser); +- + use Bugzilla::Attachment; + use Bugzilla::BugMail; + use Bugzilla::Config; +@@ -262,11 +260,15 @@ + # - longdescs + # - votes + ++ # Also, the attach_data table uses attachments.attach_id as a foreign ++ # key, and so indirectly depends on a bug deletion too. 
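Review bot: The new query in `get_attachments_by_bug` has no `ORDER BY`, while both attachment.cgi queries that this method replaces elsewhere in the patch ended in `ORDER BY attach_id`. Unless `get_list` sorts its result (not visible here), the view-all list and the navigation ids in the edit page may come back in whatever order the database chooses; appending the clause keeps the old behaviour: `WHERE bug_id = ? $and_restriction ORDER BY attach_id`. The interdiff caller re-sorts by id itself, so only the other two callers are affected.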
++ + $dbh->bz_lock_tables('attachments WRITE', 'bug_group_map WRITE', + 'bugs WRITE', 'bugs_activity WRITE', 'cc WRITE', + 'dependencies WRITE', 'duplicates WRITE', + 'flags WRITE', 'keywords WRITE', +- 'longdescs WRITE', 'votes WRITE'); ++ 'longdescs WRITE', 'votes WRITE', ++ 'attach_data WRITE'); + + $dbh->do("DELETE FROM bug_group_map WHERE bug_id = ?", undef, $bug_id); + $dbh->do("DELETE FROM bugs_activity WHERE bug_id = ?", undef, $bug_id); +@@ -279,6 +281,17 @@ + $dbh->do("DELETE FROM keywords WHERE bug_id = ?", undef, $bug_id); + $dbh->do("DELETE FROM longdescs WHERE bug_id = ?", undef, $bug_id); + $dbh->do("DELETE FROM votes WHERE bug_id = ?", undef, $bug_id); ++ ++ # The attach_data table doesn't depend on bugs.bug_id directly. ++ my $attach_ids = ++ $dbh->selectcol_arrayref("SELECT attach_id FROM attachments ++ WHERE bug_id = ?", undef, $bug_id); ++ ++ if (scalar(@$attach_ids)) { ++ $dbh->do("DELETE FROM attach_data WHERE id IN (" . ++ join(",", @$attach_ids) . ")"); ++ } ++ + # Several of the previous tables also depend on attach_id. 
+ $dbh->do("DELETE FROM attachments WHERE bug_id = ?", undef, $bug_id); + $dbh->do("DELETE FROM bugs WHERE bug_id = ?", undef, $bug_id); +@@ -1305,7 +1318,10 @@ + + $attr =~ s/.*:://; + return unless $attr=~ /[^A-Z]/; +- confess ("invalid bug attribute $attr") unless $ok_field{$attr}; ++ if (!$ok_field{$attr}) { ++ require Carp; ++ Carp::confess("invalid bug attribute $attr"); ++ } + + no strict 'refs'; + *$AUTOLOAD = sub { +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/CGI.pm bugzilla-2.22.1/Bugzilla/CGI.pm +--- bugzilla-2.22/Bugzilla/CGI.pm 2006-03-30 14:23:07.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/CGI.pm 2006-07-25 16:23:49.000000000 -0700 +@@ -36,7 +36,6 @@ + use CGI qw(-no_xhtml -oldstyle_urls :private_tempfiles :unique_headers SERVER_PUSH); + + use base qw(CGI); +-use CGI::Carp qw(fatalsToBrowser); + + use Bugzilla::Error; + use Bugzilla::Util; +@@ -57,6 +56,11 @@ + + my $self = $class->SUPER::new(@args); + ++ # This happens here so that command-line scripts don't spit out ++ # their errors in HTML format. ++ require CGI::Carp; ++ import CGI::Carp qw(fatalsToBrowser); ++ + # Make sure our outgoing cookie list is empty on each invocation + $self->{Bugzilla_cookie_list} = []; + +@@ -148,7 +152,7 @@ + # Note: CGI.pm::multipart_init up to v3.04 explicitly set nph to 0 + # CGI.pm::multipart_init v3.05 explicitly sets nph to 1 + # CGI.pm's header() sets nph according to a param or $CGI::NPH, which +- # is the desired behavour. ++ # is the desired behaviour. 
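Review bot: `import CGI::Carp qw(fatalsToBrowser);` in the Bugzilla/CGI.pm constructor (hunk @@ -57,6 +56,11 @@) uses indirect-object syntax, which Perl can parse ambiguously; `CGI::Carp->import('fatalsToBrowser');` says the same thing without that risk. Since `fatalsToBrowser` sends the text of a fatal error to the client, the new comment could also record that trade-off, e.g. `# Fatal errors are rendered to the browser from here on; die messages must not carry secrets.`. The constructor's start and end are outside this hunk.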
+ + # Allow multiple calls to $cgi->header() + $CGI::HEADERS_ONCE = 0; +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/Config/Common.pm bugzilla-2.22.1/Bugzilla/Config/Common.pm +--- bugzilla-2.22/Bugzilla/Config/Common.pm 2006-02-22 17:46:45.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/Config/Common.pm 2006-06-19 07:43:41.000000000 -0700 +@@ -227,7 +227,7 @@ + # Note that if we changed the netmask from anything apart from 32, then + # existing logincookies which aren't for a single IP won't work + # any more. We can't know which ones they are, though, so they'll just +- # take space until they're preiodically cleared, later. ++ # take space until they're periodically cleared, later. + + return ""; + } +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/Config.pm bugzilla-2.22.1/Bugzilla/Config.pm +--- bugzilla-2.22/Bugzilla/Config.pm 2006-04-22 19:45:09.000000000 -0700 ++++ bugzilla-2.22.1/Bugzilla/Config.pm 2006-10-15 01:32:58.000000000 -0700 +@@ -93,7 +93,7 @@ + Exporter::export_ok_tags('admin', 'db', 'locations', 'params'); + + # Bugzilla version +-$Bugzilla::Config::VERSION = "2.22"; ++$Bugzilla::Config::VERSION = "2.22.1"; + + use Safe; + +@@ -205,11 +205,11 @@ + sub UpdateParams { + # --- PARAM CONVERSION CODE --- + +- # Note that this isn't particuarly 'clean' in terms of separating ++ # Note that this isn't particularly 'clean' in terms of separating + # the backend code (ie this) from the actual params. 
+ # We don't care about that, though + +- # Old bugzilla versions stored the version number in the params file ++ # Old Bugzilla versions stored the version number in the params file + # We don't want it, so get rid of it + delete $param{'version'}; + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/Constants.pm bugzilla-2.22.1/Bugzilla/Constants.pm +--- bugzilla-2.22/Bugzilla/Constants.pm 2006-02-20 16:05:57.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/Constants.pm 2006-10-14 13:30:54.000000000 -0700 +@@ -91,6 +91,8 @@ + ADMIN_GROUP_NAME + + SENDMAIL_EXE ++ ++ SAFE_PROTOCOLS + ); + + @Bugzilla::Constants::EXPORT_OK = qw(contenttypes); +@@ -243,4 +245,9 @@ + # Path to sendmail.exe (Windows only) + use constant SENDMAIL_EXE => '/usr/lib/sendmail.exe'; + ++# Protocols which are considered as safe. ++use constant SAFE_PROTOCOLS => ('afs', 'cid', 'ftp', 'gopher', 'http', 'https', ++ 'irc', 'mid', 'news', 'nntp', 'prospero', 'telnet', ++ 'view-source', 'wais'); ++ + 1; +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/DB/Mysql.pm bugzilla-2.22.1/Bugzilla/DB/Mysql.pm +--- bugzilla-2.22/Bugzilla/DB/Mysql.pm 2005-12-29 14:27:26.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/DB/Mysql.pm 2006-06-19 08:00:35.000000000 -0700 +@@ -214,7 +214,7 @@ + } + } + +-# As Bugzilla currently runs on MyISAM storage, which does not supprt ++# As Bugzilla currently runs on MyISAM storage, which does not support + # transactions, these functions die when called. + # Maybe we should just ignore these calls for now, but as we are not + # using transactions in MySQL yet, this just hints the developers. +@@ -273,7 +273,7 @@ + # http://bugs.mysql.com/bug.php?id=13535 + # This is a workaround, a dummy SELECT to reset the LAST_INSERT_ID. 
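Review bot: The comment `# Protocols which are considered as safe.` in Bugzilla/Constants.pm (hunk @@ -243,4 +245,9 @@) does not say safe for what or where the list is enforced, and no consumer of `SAFE_PROTOCOLS` is visible in this part of the patch. For an allow-list that includes entries such as `telnet`, `gopher` and `view-source`, I would document the intended use and the default, e.g. `# URL schemes accepted in user-supplied links; any scheme not listed must be rejected by the caller.`, with the wording confirmed against the code that reads the constant.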
+ my @tables = $self->bz_table_list_real(); +- if (lsearch(\@tables, 'bugs') != -1 ++ if (grep($_ eq 'bugs', @tables) + && $self->bz_column_info_real("bugs", "bug_id")) + { + $self->do('SELECT 1 FROM bugs WHERE bug_id IS NULL'); +@@ -294,9 +294,9 @@ + # has existed at least since Bugzilla 2.8, and probably earlier. + # For fixing the inconsistent naming of Schema indexes, + # we also check for one of those inconsistently-named indexes. +- if ( scalar(@tables) && +- ($self->bz_index_info_real('bugs', 'assigned_to') || +- $self->bz_index_info_real('flags', 'flags_bidattid_idx')) ) ++ if (grep($_ eq 'bugs', @tables) ++ && ($self->bz_index_info_real('bugs', 'assigned_to') ++ || $self->bz_index_info_real('flags', 'flags_bidattid_idx')) ) + { + + # This is a check unrelated to the indexes, to see if people are +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/DB/Schema/Mysql.pm bugzilla-2.22.1/Bugzilla/DB/Schema/Mysql.pm +--- bugzilla-2.22/Bugzilla/DB/Schema/Mysql.pm 2005-12-18 10:53:00.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/DB/Schema/Mysql.pm 2006-06-19 07:57:14.000000000 -0700 +@@ -245,7 +245,7 @@ + if (defined $column_info->{COLUMN_DEF}) { + # The defaults that MySQL inputs automatically are usually + # something that would be considered "false" by perl, either +- # a 0 or an empty string. (Except for ddatetime and decimal ++ # a 0 or an empty string. (Except for datetime and decimal + # fields, which have their own special auto-defaults.) + # + # Here's how we handle this: If it exists in the schema +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/DB/Schema.pm bugzilla-2.22.1/Bugzilla/DB/Schema.pm +--- bugzilla-2.22/Bugzilla/DB/Schema.pm 2006-01-06 06:38:42.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/DB/Schema.pm 2006-06-19 11:17:38.000000000 -0700 +@@ -1046,7 +1046,7 @@ + =head1 METHODS + + Note: Methods which can be implemented generically for all DBs are +-implemented in this module. 
If needed, they can be overriden with ++implemented in this module. If needed, they can be overridden with + DB-specific code in a subclass. Methods which are prefixed with C<_> + are considered protected. Subclasses may override these methods, but + other modules should not invoke these methods directly. +@@ -1155,7 +1155,7 @@ + # Loop over each table in the abstract database schema. + foreach my $table (keys %{ $self->{schema} }) { + my %fields = (@{ $self->{schema}{$table}{FIELDS} }); +- # Loop over the field defintions in each table. ++ # Loop over the field definitions in each table. + foreach my $field_def (values %fields) { + # If the field type is an abstract data type defined in the + # $db_specific hash, replace it with the DBMS-specific data type +@@ -2106,7 +2106,7 @@ + + Database-specific subclasses should define the implementation for these data + types as a hash reference stored internally in the schema object as +-C. This is typically done in overriden L<_initialize> method. ++C. This is typically done in overridden L<_initialize> method. + + The following abstract boolean values should also be defined on a + database-specific basis: +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/DB.pm bugzilla-2.22.1/Bugzilla/DB.pm +--- bugzilla-2.22/Bugzilla/DB.pm 2006-01-04 16:16:20.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/DB.pm 2006-06-19 07:14:58.000000000 -0700 +@@ -64,7 +64,7 @@ + + # All this code is backwards compat fu. As such, its a bit ugly. 
Note the + # circular dependencies on Bugzilla.pm +-# This is old cruft which will be removed, so theres not much use in ++# This is old cruft which will be removed, so there's not much use in + # having a separate package for it, or otherwise trying to avoid the circular + # dependency + +@@ -196,7 +196,7 @@ + sql_date_format sql_interval + bz_lock_tables bz_unlock_tables); + +-# This overriden import method will check implementation of inherited classes ++# This overridden import method will check implementation of inherited classes + # for missing implementation of abstract methods + # See http://perlmonks.thepen.com/44265.html + sub import { +@@ -336,7 +336,7 @@ + } + } + +-# The defauly implementation just returns what you passed-in. This function ++# The default implementation just returns what you passed-in. This function + # really exists just to be overridden in Bugzilla::DB::Mysql. + sub bz_enum_initial_values { + my ($self, $enum_defaults) = @_; +@@ -631,7 +631,7 @@ + # + # Description: A protected method, intended for use only by Bugzilla::DB + # and subclasses. Used to get the initial Schema that will +-# be wirtten to disk for _bz_init_schema_storage. You probably ++# be written to disk for _bz_init_schema_storage. You probably + # want to use _bz_schema or _bz_real_schema instead of this + # method. + # Params: none +@@ -1074,7 +1074,7 @@ + =head1 ABSTRACT METHODS + + Note: Methods which can be implemented generically for all DBs are implemented in +-this module. If needed, they can be overriden with DB specific code. ++this module. If needed, they can be overridden with DB specific code. + Methods which do not have standard implementation are abstract and must + be implemented for all supported databases separately. + To avoid confusion with standard DBI methods, all methods returning string with +@@ -1085,7 +1085,7 @@ + =item C + + Description: Constructor +- Abstract method, should be overriden by database specific code. 
++ Abstract method, should be overridden by database specific code. + Params: $user = username used to log in to the database + $pass = password used to log in to the database + $host = host running the database we are connecting to +@@ -1104,7 +1104,7 @@ + Description: Outputs SQL regular expression operator for POSIX regex + searches (case insensitive) in format suitable for a given + database. +- Abstract method, should be overriden by database specific code. ++ Abstract method, should be overridden by database specific code. + Params: $expr = SQL expression for the text to be searched (scalar) + $pattern = the regular expression to search for (scalar) + Returns: formatted SQL for regular expression search (e.g. REGEXP) +@@ -1115,7 +1115,7 @@ + Description: Outputs SQL regular expression operator for negative POSIX + regex searches (case insensitive) in format suitable for a given + database. +- Abstract method, should be overriden by database specific code. ++ Abstract method, should be overridden by database specific code. + Params: $expr = SQL expression for the text to be searched (scalar) + $pattern = the regular expression to search for (scalar) + Returns: formatted SQL for negative regular expression search +@@ -1125,7 +1125,7 @@ + + Description: Returns SQL syntax for limiting results to some number of rows + with optional offset if not starting from the begining. +- Abstract method, should be overriden by database specific code. ++ Abstract method, should be overridden by database specific code. + Params: $limit = number of rows to return from query (scalar) + $offset = number of rows to skip prior counting (scalar) + Returns: formatted SQL for limiting number of rows returned from query +@@ -1134,21 +1134,21 @@ + =item C + + Description: Outputs SQL syntax for converting Julian days to date. +- Abstract method, should be overriden by database specific code. ++ Abstract method, should be overridden by database specific code. 
+ Params: $days = days to convert to date + Returns: formatted SQL for returning Julian days in dates. (scalar) + + =item C + + Description: Outputs SQL syntax for converting date to Julian days. +- Abstract method, should be overriden by database specific code. ++ Abstract method, should be overridden by database specific code. + Params: $date = date to convert to days + Returns: formatted SQL for returning date fields in Julian days. (scalar) + + =item C + + Description: Outputs SQL syntax for formatting dates. +- Abstract method, should be overriden by database specific code. ++ Abstract method, should be overridden by database specific code. + Params: $date = date or name of date type column (scalar) + $format = format string for date output (scalar) + (%Y = year, four digits, %y = year, two digits, %m = month, +@@ -1159,7 +1159,7 @@ + =item C + + Description: Outputs proper SQL syntax for a time interval function. +- Abstract method, should be overriden by database specific code. ++ Abstract method, should be overridden by database specific code. + Params: $interval - the time interval requested (e.g. '30') (integer) + $units - the units the interval is in (e.g. 'MINUTE') (string) + Returns: formatted SQL for interval function (scalar) +@@ -1241,7 +1241,7 @@ + Description: Performs a table lock operation on specified tables. + If the underlying database supports transactions, it should also + implicitly start a new transaction. +- Abstract method, should be overriden by database specific code. ++ Abstract method, should be overridden by database specific code. + Params: @tables = list of names of tables to lock in MySQL + notation (ex. 'bugs AS bugs2 READ', 'logincookies WRITE') + Returns: none +@@ -1254,7 +1254,7 @@ + Also, this function should allow to be called with the abort flag + set even without locking tables first without raising an error + to simplify error handling. +- Abstract method, should be overriden by database specific code. 
++ Abstract method, should be overridden by database specific code. + Params: $abort = UNLOCK_ABORT (true, 1) if the operation on locked tables + failed (if transactions are supported, the action will be rolled + back). False (0) or no param if the operation succeeded. +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/Flag.pm bugzilla-2.22.1/Bugzilla/Flag.pm +--- bugzilla-2.22/Bugzilla/Flag.pm 2006-04-04 14:55:37.000000000 -0700 ++++ bugzilla-2.22.1/Bugzilla/Flag.pm 2006-06-02 16:00:55.000000000 -0700 +@@ -823,8 +823,8 @@ + # Get a list of active flag types available for this target. + my $flag_types = Bugzilla::FlagType::match( + { 'target_type' => $target->{'type'}, +- 'product_id' => $target->{'product_id'}, +- 'component_id' => $target->{'component_id'}, ++ 'product_id' => $target->{'bug'}->{'product_id'}, ++ 'component_id' => $target->{'bug'}->{'component_id'}, + 'is_active' => 1 }); + + my @flags; +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/FlagType.pm bugzilla-2.22.1/Bugzilla/FlagType.pm +--- bugzilla-2.22/Bugzilla/FlagType.pm 2005-10-18 10:45:48.000000000 -0700 ++++ bugzilla-2.22.1/Bugzilla/FlagType.pm 2006-08-24 14:49:38.000000000 -0700 +@@ -344,15 +344,6 @@ + # this bug/attachment. This check will be done later when + # processing new flags, see Flag::FormToNewFlags(). + +- # All flag types have to be active +- my $inactive_flagtypes = +- $dbh->selectrow_array("SELECT 1 FROM flagtypes +- WHERE id IN (" . join(',', @ids) . ") +- AND is_active = 0 " . +- $dbh->sql_limit(1)); +- +- ThrowCodeError("flag_type_inactive") if $inactive_flagtypes; +- + foreach my $id (@ids) { + my $status = $cgi->param("flag_type-$id"); + my @requestees = $cgi->param("requestee_type-$id"); +@@ -365,6 +356,10 @@ + $flag_type + || ThrowCodeError("flag_type_nonexistent", { id => $id }); + ++ # Make sure the flag type is active. 
++ $flag_type->{'is_active'} ++ || ThrowCodeError('flag_type_inactive', {'type' => $flag_type->{'name'}}); ++ + # Make sure the value of the field is a valid status. + grep($status eq $_, qw(X + - ?)) + || ThrowCodeError("flag_status_invalid", +@@ -541,26 +536,21 @@ + + # Add inclusions to the query, which simply involves joining the table + # by flag type ID and target product/component. +- push(@$tables, "INNER JOIN flaginclusions ON " . +- "flagtypes.id = flaginclusions.type_id"); +- push(@criteria, "(flaginclusions.product_id = $product_id " . +- " OR flaginclusions.product_id IS NULL)"); +- push(@criteria, "(flaginclusions.component_id = $component_id " . +- " OR flaginclusions.component_id IS NULL)"); ++ push(@$tables, "INNER JOIN flaginclusions AS i ON flagtypes.id = i.type_id"); ++ push(@criteria, "(i.product_id = $product_id OR i.product_id IS NULL)"); ++ push(@criteria, "(i.component_id = $component_id OR i.component_id IS NULL)"); + + # Add exclusions to the query, which is more complicated. First of all, + # we do a LEFT JOIN so we don't miss flag types with no exclusions. + # Then, as with inclusions, we join on flag type ID and target product/ + # component. However, since we want flag types that *aren't* on the +- # exclusions list, we add a WHERE criteria to use only records with +- # NULL exclusion type, i.e. without any exclusions. +- my $join_clause = "flagtypes.id = flagexclusions.type_id " . +- "AND (flagexclusions.product_id = $product_id " . +- "OR flagexclusions.product_id IS NULL) " . +- "AND (flagexclusions.component_id = $component_id " . +- "OR flagexclusions.component_id IS NULL)"; +- push(@$tables, "LEFT JOIN flagexclusions ON ($join_clause)"); +- push(@criteria, "flagexclusions.type_id IS NULL"); ++ # exclusions list, we add a WHERE criteria to use only records with ++ # NULL exclusion type, i.e. without any exclusions. ++ my $join_clause = "flagtypes.id = e.type_id " . ++ "AND (e.product_id = $product_id OR e.product_id IS NULL) " . 
++ "AND (e.component_id = $component_id OR e.component_id IS NULL)"; ++ push(@$tables, "LEFT JOIN flagexclusions AS e ON ($join_clause)"); ++ push(@criteria, "e.type_id IS NULL"); + } + if ($criteria->{group}) { + my $gid = $criteria->{group}; +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/Search/Quicksearch.pm bugzilla-2.22.1/Bugzilla/Search/Quicksearch.pm +--- bugzilla-2.22/Bugzilla/Search/Quicksearch.pm 2005-08-26 16:11:31.000000000 -0700 ++++ bugzilla-2.22.1/Bugzilla/Search/Quicksearch.pm 2006-07-25 16:25:14.000000000 -0700 +@@ -23,9 +23,9 @@ + # Make it harder for us to do dangerous things in Perl. + use strict; + +-use Bugzilla; + use Bugzilla::Config; + use Bugzilla::Error; ++use Bugzilla::Util; + + use base qw(Exporter); + @Bugzilla::Search::Quicksearch::EXPORT = qw(quicksearch); +@@ -103,6 +103,7 @@ + + sub quicksearch { + my ($searchstring) = (@_); ++ my $urlbase = correct_urlbase(); + + # Remove leading and trailing commas and whitespace. + $searchstring =~ s/(^[\s,]+|[\s,]+$)//g; +@@ -116,8 +117,7 @@ + + if (index($searchstring, ',') < $[) { + # Single bug number; shortcut to show_bug.cgi. +- print $cgi->redirect(-uri => Param('urlbase') . +- "show_bug.cgi?id=$searchstring"); ++ print $cgi->redirect(-uri => "${urlbase}show_bug.cgi?id=$searchstring"); + exit; + } + else { +@@ -136,8 +136,7 @@ + WHERE alias = ?}, + undef, + $1)) { +- print $cgi->redirect(-uri => Param('urlbase') . +- "show_bug.cgi?id=$1"); ++ print $cgi->redirect(-uri => "${urlbase}show_bug.cgi?id=$1"); + exit; + } + } +@@ -379,8 +378,7 @@ + + if ($cgi->param('load')) { + # Param 'load' asks us to display the query in the advanced search form. +- print $cgi->redirect(-uri => Param('urlbase') . "query.cgi?" . +- "format=advanced&" . ++ print $cgi->redirect(-uri => "${urlbase}query.cgi?format=advanced&" . 
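Review bot: `$product_id` and `$component_id` are still interpolated straight into the JOIN and WHERE strings in the rewritten `flaginclusions AS i` / `flagexclusions AS e` clauses, and nothing in this hunk shows them being checked as integers. The enclosing function starts outside the hunk, so they may already be validated by then. If they are not, calling `detaint_natural($product_id)` and `detaint_natural($component_id)` before the first `push`, or moving to bound placeholders, would keep caller-supplied criteria out of the SQL text. At minimum a comment such as `# $product_id and $component_id must be validated integers at this point` would record the assumption.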
+ $modified_query_string); + } + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/Search.pm bugzilla-2.22.1/Bugzilla/Search.pm +--- bugzilla-2.22/Bugzilla/Search.pm 2006-03-08 13:59:46.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/Search.pm 2006-08-21 12:05:29.000000000 -0700 +@@ -61,7 +61,7 @@ + + # When we add certain fields to the ORDER BY, we need to then add a + # table join to the FROM statement. This hash maps input fields to +-# the join statements that ned to be added. ++# the join statements that need to be added. + our %specialorderjoin = ( + 'bugs.target_milestone' => 'LEFT JOIN milestones AS ms_order ON ms_order.value = bugs.target_milestone AND ms_order.product_id = bugs.product_id', + 'bugs.bug_status' => 'LEFT JOIN bug_status ON bug_status.value = bugs.bug_status', +@@ -186,12 +186,12 @@ + $params->delete('bug_status'); + } + elsif ($bug_statuses[0] eq '__open__') { +- $params->param('bug_status', map(&::IsOpenedState($_) ? $_ : undef, +- @::legal_bug_status)); ++ $params->param('bug_status', grep(&::IsOpenedState($_), ++ @::legal_bug_status)); + } + elsif ($bug_statuses[0] eq "__closed__") { +- $params->param('bug_status', map(&::IsOpenedState($_) ? undef : $_, +- @::legal_bug_status)); ++ $params->param('bug_status', grep(! &::IsOpenedState($_), ++ @::legal_bug_status)); + } + } + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/Template.pm bugzilla-2.22.1/Bugzilla/Template.pm +--- bugzilla-2.22/Bugzilla/Template.pm 2006-01-22 13:37:37.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/Template.pm 2006-10-14 13:30:54.000000000 -0700 +@@ -130,8 +130,8 @@ + my @usedlanguages; + foreach my $lang (@accept_language) { + # Per RFC 1766 and RFC 2616 any language tag matches also its +- # primary tag. That is 'en' (accept lanuage) matches 'en-us', +- # 'en-uk' etc. but not the otherway round. (This is unfortunally ++ # primary tag. That is 'en' (accept language) matches 'en-us', ++ # 'en-uk' etc. but not the otherway round. 
(This is unfortunately + # not very clearly stated in those RFC; see comment just over 14.5 + # in http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.4) + if(my @found = grep /^\Q$lang\E(-.+)?$/i, @languages) { +@@ -498,7 +498,9 @@ + } + return $var; + }, +- ++ ++ html_light => \&Bugzilla::Util::html_light_quote, ++ + # iCalendar contentline filter + ics => [ sub { + my ($context, @args) = @_; +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/Token.pm bugzilla-2.22.1/Bugzilla/Token.pm +--- bugzilla-2.22/Bugzilla/Token.pm 2006-01-03 06:45:02.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/Token.pm 2006-10-14 15:05:55.000000000 -0700 +@@ -18,6 +18,7 @@ + # Rights Reserved. + # + # Contributor(s): Myk Melez ++# Frédéric Buclin + + ################################################################################ + # Module Initialization +@@ -36,6 +37,11 @@ + + use Date::Format; + use Date::Parse; ++use File::Basename; ++ ++use base qw(Exporter); ++ ++@Bugzilla::Token::EXPORT = qw(issue_session_token check_token_data delete_token); + + # This module requires that its caller have said "require globals.pl" to import + # relevant functions from that script. +@@ -132,7 +138,7 @@ + Bugzilla::BugMail::MessageToMTA($message); + } + +-sub IssueSessionToken { ++sub issue_session_token { + # Generates a random token, adds it to the tokens table, and returns + # the token to the caller. + +@@ -223,7 +229,7 @@ + Bugzilla::BugMail::MessageToMTA($message); + + # Delete the token from the database. 
+- DeleteToken($token);
++ delete_token($token);
+ }
+
+ sub DeletePasswordTokens {
+@@ -258,6 +264,7 @@
+
+ my ($token) = @_;
+ return unless defined $token;
++ $token = clean_text($token);
+ trick_taint($token);
+
+ my $dbh = Bugzilla->dbh;
+@@ -267,7 +274,7 @@
+ WHERE token = ?", undef, $token);
+ }
+
+-sub DeleteToken {
++sub delete_token {
+ # Deletes specified token
+
+ my ($token) = @_;
+@@ -280,6 +287,50 @@
+ $dbh->bz_unlock_tables();
+ }
+
++# Given a token, makes sure it comes from the currently logged in user
++# and match the expected event. Returns 1 on success, else displays a warning.
++# Note: this routine must not be called while tables are locked as it will try
++# to lock some tables itself, see CleanTokenTable().
++sub check_token_data {
++ my ($token, $expected_action) = @_;
++ my $user = Bugzilla->user;
++ my $template = Bugzilla->template;
++ my $cgi = Bugzilla->cgi;
++
++ my ($creator_id, $date, $token_action) = GetTokenData($token);
++ unless ($creator_id
++ && $creator_id == $user->id
++ && $token_action eq $expected_action)
++ {
++ # Something is going wrong. Ask confirmation before processing.
++ # It is possible that someone tried to trick an administrator.
++ # In this case, we want to know his name!
++ require Bugzilla::User;
++
++ my $vars = {};
++ $vars->{'abuser'} = Bugzilla::User->new($creator_id)->identity;
++ $vars->{'token_action'} = $token_action;
++ $vars->{'expected_action'} = $expected_action;
++ $vars->{'script_name'} = basename($0);
++
++ # Now is a good time to remove old tokens from the DB.
++ CleanTokenTable();
++
++ # If no token was found, create a valid token for the given action.
++ unless ($creator_id) {
++ $token = issue_session_token($expected_action);
++ $cgi->param('token', $token);
++ }
++
++ print $cgi->header();
++
++ $template->process('admin/confirm-action.html.tmpl', $vars)
++ || ThrowTemplateError($template->error());
++ exit;
++ }
++ return 1;
++}
++
+ ################################################################################
+ # Internal Functions
+ ################################################################################
+diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/User.pm bugzilla-2.22.1/Bugzilla/User.pm
+--- bugzilla-2.22/Bugzilla/User.pm 2006-03-13 23:45:54.000000000 -0800
++++ bugzilla-2.22.1/Bugzilla/User.pm 2006-10-14 14:07:19.000000000 -0700
+@@ -1126,7 +1126,7 @@
+ # Note: the "+" signs before the constants suppress bareword quoting.
+ sub wants_bug_mail {
+ my $self = shift;
+- my ($bug_id, $relationship, $fieldDiffs, $commentField, $changer) = @_;
++ my ($bug_id, $relationship, $fieldDiffs, $commentField, $changer, $bug_is_new) = @_;
+
+ # Don't send any mail, ever, if account is disabled
+ # XXX Temporary Compatibility Change 1 of 2:
+@@ -1171,6 +1171,16 @@
+ }
+ }
+
++ # You role is new if the bug itself is.
++ # Only makes sense for the assignee, QA contact and the CC list.
++ if ($bug_is_new
++ && ($relationship == REL_ASSIGNEE
++ || $relationship == REL_QA
++ || $relationship == REL_CC))
++ {
++ $events{+EVT_ADDED_REMOVED} = 1;
++ }
++
+ if ($commentField =~ /Created an attachment \(/) {
+ $events{+EVT_ATTACHMENT} = 1;
+ }
+@@ -1258,6 +1268,17 @@
+ return $self->{'is_mover'};
+ }
+
++sub is_insider {
++ my $self = shift;
++
++ if (!defined $self->{'is_insider'}) {
++ my $insider_group = Param('insidergroup');
++ $self->{'is_insider'} =
++ ($insider_group && $self->in_group($insider_group)) ? 1 : 0;
++ }
++ return $self->{'is_insider'};
++}
++
+ sub get_userlist {
+ my $self = shift;
+
+@@ -1766,6 +1787,11 @@
+ to another database.
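Review bot: In `check_token_data` the failure branch also runs when `$creator_id` is empty (no matching token), yet it still evaluates `Bugzilla::User->new($creator_id)->identity` for `$vars->{'abuser'}`. What `new` returns for an undefined id is not visible in this hunk; if it can return undef, the confirmation page dies instead of rendering. A guarded form such as `$vars->{'abuser'} = $creator_id ? Bugzilla::User->new($creator_id)->identity : undef;` avoids that. The header comment should also say that a successful check returns 1 without deleting the token, so callers that want it to be single-use must call `delete_token` themselves.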
Note that this method doesn't check whether bug + moving is enabled. + ++=item C ++ ++Returns true if the user can access private comments and attachments, ++i.e. if the 'insidergroup' parameter is set and the user belongs to this group. ++ + =back + + =head1 CLASS FUNCTIONS +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla/Util.pm bugzilla-2.22.1/Bugzilla/Util.pm +--- bugzilla-2.22/Bugzilla/Util.pm 2006-01-08 11:56:04.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla/Util.pm 2006-10-14 13:30:54.000000000 -0700 +@@ -33,8 +33,8 @@ + @Bugzilla::Util::EXPORT = qw(is_tainted trick_taint detaint_natural + detaint_signed + html_quote url_quote value_quote xml_quote +- css_class_quote +- i_am_cgi ++ css_class_quote html_light_quote ++ i_am_cgi correct_urlbase + lsearch max min + diff_arrays diff_strings + trim wrap_comment find_wrap_point +@@ -51,7 +51,7 @@ + use Date::Format; + use Text::Wrap; + +-# This is from the perlsec page, slightly modifed to remove a warning ++# This is from the perlsec page, slightly modified to remove a warning + # From that page: + # This function makes use of the fact that the presence of + # tainted data anywhere within an expression renders the +@@ -94,6 +94,93 @@ + return $var; + } + ++sub html_light_quote { ++ my ($text) = @_; ++ ++ # List of allowed HTML elements having no attributes. ++ my @allow = qw(b strong em i u p br abbr acronym ins del cite code var ++ dfn samp kbd big small sub sup tt dd dt dl ul li ol); ++ ++ # Are HTML::Scrubber and HTML::Parser installed? ++ eval { require HTML::Scrubber; ++ require HTML::Parser; ++ }; ++ ++ # We need utf8_mode() from HTML::Parser 3.40 if running Perl >= 5.8. ++ if ($@ || ($] >= 5.008 && $HTML::Parser::VERSION < 3.40)) { # Package(s) not installed. ++ my $safe = join('|', @allow); ++ my $chr = chr(1); ++ ++ # First, escape safe elements. ++ $text =~ s#<($safe)>#$chr$1$chr#go; ++ $text =~ s##$chr/$1$chr#go; ++ # Now filter < and >. 
++ $text =~ s#<#<#g; ++ $text =~ s#>#>#g; ++ # Restore safe elements. ++ $text =~ s#$chr/($safe)$chr##go; ++ $text =~ s#$chr($safe)$chr#<$1>#go; ++ return $text; ++ } ++ else { # Packages installed. ++ # We can be less restrictive. We can accept elements with attributes. ++ push(@allow, qw(a blockquote q span)); ++ ++ # Allowed protocols. ++ my $safe_protocols = join('|', SAFE_PROTOCOLS); ++ my $protocol_regexp = qr{(^(?:$safe_protocols):|^[^:]+$)}i; ++ ++ # Deny all elements and attributes unless explicitly authorized. ++ my @default = (0 => { ++ id => 1, ++ name => 1, ++ class => 1, ++ '*' => 0, # Reject all other attributes. ++ } ++ ); ++ ++ # Specific rules for allowed elements. If no specific rule is set ++ # for a given element, then the default is used. ++ my @rules = (a => { ++ href => $protocol_regexp, ++ title => 1, ++ id => 1, ++ name => 1, ++ class => 1, ++ '*' => 0, # Reject all other attributes. ++ }, ++ blockquote => { ++ cite => $protocol_regexp, ++ id => 1, ++ name => 1, ++ class => 1, ++ '*' => 0, # Reject all other attributes. ++ }, ++ 'q' => { ++ cite => $protocol_regexp, ++ id => 1, ++ name => 1, ++ class => 1, ++ '*' => 0, # Reject all other attributes. ++ }, ++ ); ++ ++ my $scrubber = HTML::Scrubber->new(default => \@default, ++ allow => \@allow, ++ rules => \@rules, ++ comment => 0, ++ process => 0); ++ ++ # Avoid filling the web server error log with Perl 5.8.x. ++ # In HTML::Scrubber 0.08, the HTML::Parser object is stored in ++ # the "_p" key, but this may change in future versions. ++ if ($] >= 5.008 && ref($scrubber->{_p}) eq 'HTML::Parser') { ++ $scrubber->{_p}->utf8_mode(1); ++ } ++ return $scrubber->scrub($text); ++ } ++} ++ + # This originally came from CGI.pm, by Lincoln D. Stein + sub url_quote { + my ($toencode) = (@_); +@@ -115,7 +202,7 @@ + $var =~ s/>/\>/g; + $var =~ s/\"/\"/g; + # See bug http://bugzilla.mozilla.org/show_bug.cgi?id=4928 for +- # explanaion of why bugzilla does this linebreak substitution. 
++ # explanation of why Bugzilla does this linebreak substitution.
+ # This caused form submission problems in mozilla (bug 22983, 32000).
+ $var =~ s/\r\n/\ /g;
+ $var =~ s/\n\r/\ /g;
+@@ -147,6 +234,20 @@
+ return exists $ENV{'SERVER_SOFTWARE'} ? 1 : 0;
+ }
+
++sub correct_urlbase {
++ return Param('urlbase') if Param('ssl') eq 'never';
++
++ if (Param('sslbase')) {
++ return Param('sslbase') if Param('ssl') eq 'always';
++ # Authenticated Sessions
++ return Param('sslbase') if Bugzilla->user->id;
++ }
++
++ # Set to "authenticated sessions" but nobody's logged in, or
++ # sslbase isn't set.
++ return Param('urlbase');
++}
++
+ sub lsearch {
+ my ($list,$item) = (@_);
+ my $count = 0;
+@@ -367,6 +468,10 @@
+ my ($addr) = @_;
+ my $match = Param('emailregexp');
+ my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/);
++ if ($ret) {
++ # We assume these checks to suffice to consider the address untainted.
++ trick_taint($_[0]);
++ }
+ return $ret ? 1 : 0;
+ }
+
+@@ -425,6 +530,7 @@
+
+ # Functions that tell you about your environment
+ my $is_cgi = i_am_cgi();
++ my $urlbase = correct_urlbase();
+
+ # Functions for searching
+ $loc = lsearch(\@arr, $val);
+@@ -516,6 +622,12 @@
+ Returns a value quoted for use in HTML, with &, E, E, and E<34> being
+ replaced with their appropriate HTML entities.
+
++=item C
++
++Returns a string where only explicitly allowed HTML elements and attributes
++are kept. All HTML elements and attributes not being in the whitelist are either
++escaped (if HTML::Scrubber is not installed) or removed.
++
+ =item C
+
+ Quotes characters so that they may be included as part of a url.
+@@ -546,6 +658,11 @@
+ server. For example, it would return false if the caller is running
+ in a command-line script.
+
++=item C
++
++Returns either the C or C parameter, depending on the
++current setting for the C parameter.
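Review bot: In the `@@ -367,6 +468,10 @@` hunk, `trick_taint($_[0])` untaints the caller's own variable through the `@_` alias, relying only on the admin-configured `emailregexp` and a character blacklist that does not exclude `'`, backtick, `|` or `$`. That is adequate for placeholder-bound SQL, but the untainted address would not be safe to interpolate into a shell command or a string-built query. I would extend the added comment to say so, e.g. `# Untaints the caller's variable via $_[0]; safe for bound parameters only, not for shell or string-built SQL.` The function's `sub` line is outside the hunk.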
++ + =back + + =head2 Searching +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/Bugzilla.pm bugzilla-2.22.1/Bugzilla.pm +--- bugzilla-2.22/Bugzilla.pm 2006-02-07 14:46:28.000000000 -0800 ++++ bugzilla-2.22.1/Bugzilla.pm 2006-08-08 13:53:40.000000000 -0700 +@@ -92,7 +92,7 @@ + $vars->{'message'} = 'shutdown'; + $vars->{'userid'} = $userid; + # Generate and return a message about the downtime, appropriately +- # for if we're a command-line script or a CGI sript. ++ # for if we're a command-line script or a CGI script. + my $extension; + if (i_am_cgi() && (!Bugzilla->cgi->param('ctype') + || Bugzilla->cgi->param('ctype') eq 'html')) { +@@ -242,7 +242,7 @@ + sub batch { + my $class = shift; + my $newval = shift; +- if ($newval) { ++ if (defined $newval) { + $_batch = $newval; + } + return $_batch || 0; +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/checksetup.pl bugzilla-2.22.1/checksetup.pl +--- bugzilla-2.22/checksetup.pl 2006-01-11 23:03:46.000000000 -0800 ++++ bugzilla-2.22.1/checksetup.pl 2006-10-14 13:30:53.000000000 -0700 +@@ -88,7 +88,7 @@ + # add more database-related checks --DATABASE-- + # change table definitions --TABLE-- + # add more groups --GROUPS-- +-# add user-adjustable sttings --SETTINGS-- ++# add user-adjustable settings --SETTINGS-- + # create initial administrator account --ADMIN-- + # + # Note: sometimes those special comments occur more than once. 
For +@@ -313,7 +313,7 @@ + }, + { + name => 'Template', +- version => '2.08' ++ version => '2.10' + }, + { + name => 'Text::Wrap', +@@ -354,6 +354,7 @@ + 'Mail::Mailer' => 'MailTools', + 'Mail::Base64' => 'MIME-Base64', + 'MIME::Tools' => 'MIME-Tools', ++ 'Template::Plugin::GD' => 'Template', + ); + + sub install_command { +@@ -378,12 +379,15 @@ + + print "\nThe following Perl modules are optional:\n" unless $silent; + my $gd = have_vers("GD","1.20"); ++my $template_gd = have_vers('Template::Plugin::GD::Image', 0); + my $chartbase = have_vers("Chart::Base","1.0"); + my $xmlparser = have_vers("XML::Twig",0); + my $gdgraph = have_vers("GD::Graph",0); + my $gdtextalign = have_vers("GD::Text::Align",0); + my $patchreader = have_vers("PatchReader","0.9.4"); + my $imagemagick = have_vers("Image::Magick",0); ++my $html_parser = have_vers("HTML::Parser", ($] >= 5.008) ? "3.40" : 0); ++my $scrubber = have_vers("HTML::Scrubber", 0); + + print "\n" unless $silent; + +@@ -416,7 +420,7 @@ + " " . install_command("Image::Magick") . "\n\n"; + + } +-if ((!$gd || !$gdgraph || !$gdtextalign) && !$silent) { ++if ((!$gd || !$gdgraph || !$gdtextalign || !$template_gd) && !$silent) { + print "If you you want to see graphical bug reports (bar, pie and line "; + print "charts of \ncurrent data), you should install libgd and the "; + print "following Perl modules:\n\n"; +@@ -425,6 +429,8 @@ + if !$gdgraph; + print "GD::Text::Align: " . install_command("GD::Text::Align") . "\n" + if !$gdtextalign; ++ print "Template::Plugin::GD: " . install_command('Template::Plugin::GD') ++ . "\n" if !$template_gd; + print "\n"; + } + if (!$patchreader && !$silent) { +@@ -432,6 +438,15 @@ + print "install the \nPatchReader module:\n"; + print "PatchReader: " . install_command("PatchReader") . "\n"; + } ++if ((!$scrubber || !$html_parser) && !$silent) { ++ print "If you want additional HTML tags within product and group "; ++ print "descriptions,\nyou should install:\n"; ++ print "HTML::Scrubber: " . 
install_command("HTML::Scrubber") . "\n" ++ if !$scrubber; ++ print "HTML::Parser: " . install_command("HTML::Parser") . "\n" ++ if !$html_parser; ++ print "\n"; ++} + + if (%missing) { + print "\n\n"; +@@ -721,8 +736,8 @@ + ]); + + LocalVar('db_sock', q[ +-# MySQL Only: Enter a path to the unix socket for mysql. If this is +-# blank, then mysql\'s compiled-in default will be used. You probably ++# MySQL Only: Enter a path to the unix socket for MySQL. If this is ++# blank, then MySQL's compiled-in default will be used. You probably + # want that. + $db_sock = ''; + ]); +@@ -1053,13 +1068,13 @@ + chmod $fileperm, "Bugzilla/.htaccess"; + } + # Even though $datadir may not (and should not) be in the webtree, +- # we can't know for sure, so create the .htaccess anyeay. Its harmless +- # if its not accessible... ++ # we can't know for sure, so create the .htaccess anyway. It's harmless ++ # if it's not accessible... + if (!-e "$datadir/.htaccess") { + print "Creating $datadir/.htaccess...\n"; + open HTACCESS, '>', "$datadir/.htaccess"; + print HTACCESS <<'END'; +-# nothing in this directory is retrievable unless overriden by an .htaccess ++# nothing in this directory is retrievable unless overridden by an .htaccess + # in a subdirectory; the only exception is duplicates.rdf, which is used by + # duplicates.xul and must be loadable over the web + deny from all +@@ -1075,7 +1090,7 @@ + print "Creating $templatedir/.htaccess...\n"; + open HTACCESS, '>', "$templatedir/.htaccess"; + print HTACCESS <<'END'; +-# nothing in this directory is retrievable unless overriden by an .htaccess ++# nothing in this directory is retrievable unless overridden by an .htaccess + # in a subdirectory + deny from all + END +@@ -1090,7 +1105,7 @@ + # if research.att.com ever changes their IP, or if you use a different + # webdot server, you'll need to edit this + +- Allow from 192.20.225.10 ++ Allow from 192.20.225.0/24 + Deny from all + + +@@ -1105,6 +1120,21 @@ + close HTACCESS; + chmod 
$fileperm, "$webdotdir/.htaccess"; + } ++ else { ++ # The public webdot IP address changed. ++ my $webdot = new IO::File("$webdotdir/.htaccess", 'r') ++ || die "$webdotdir/.htaccess: $!"; ++ my $webdot_data; ++ { local $/; $webdot_data = <$webdot>; } ++ $webdot->close; ++ if ($webdot_data =~ /192\.20\.225\.10/) { ++ print "Repairing $webdotdir/.htaccess...\n"; ++ $webdot_data =~ s/192\.20\.225\.10/192.20.225.0\/24/g; ++ $webdot = new IO::File("$webdotdir/.htaccess", 'w') || die $!; ++ print $webdot $webdot_data; ++ $webdot->close; ++ } ++ } + + } + +@@ -1546,7 +1576,7 @@ + } + + # now get a handle to the database: +-my $dbh = Bugzilla::DB::connect_main(); ++my $dbh = Bugzilla->dbh; + + END { $dbh->disconnect if $dbh } + +@@ -2231,7 +2261,8 @@ + # declared to be unique. Sure enough, somehow, I got 22 duplicated entries + # in my database. This code detects that, cleans up the duplicates, and + # then tweaks the table to declare the field to be unique. What a pain. +-if (!$dbh->bz_index_info('profiles', 'profiles_login_name_idx')->{TYPE}) { ++if (!$dbh->bz_index_info('profiles', 'profiles_login_name_idx') || ++ !$dbh->bz_index_info('profiles', 'profiles_login_name_idx')->{TYPE}) { + print "Searching for duplicate entries in the profiles table ...\n"; + while (1) { + # This code is weird in that it loops around and keeps doing this +@@ -2578,7 +2609,7 @@ + $dbh->bz_drop_column("profiles", "newemailtech"); + + +-# 2003-11-19; chicks@chicks.net; bug 225973: fix field size to accomodate ++# 2003-11-19; chicks@chicks.net; bug 225973: fix field size to accommodate + # wider algorithms such as Blowfish. Note that this needs to be run + # before recrypting passwords in the following block. 
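Review bot: The repair branch reopens `$webdotdir/.htaccess` with mode `'w'`, which truncates the access-control file, and then ignores the results of `print $webdot $webdot_data` and `$webdot->close`. If the write fails (full disk, quota), the file is left empty or partial and the `Deny from all` rule it carried is gone. Checking both calls, `print $webdot $webdot_data or die "$webdotdir/.htaccess: $!";` and `$webdot->close or die "$webdotdir/.htaccess: $!";`, or writing a temporary file and renaming it over the original, avoids that. The pattern `/192\.20\.225\.10/` is also unanchored on the right, so a locally edited address that merely starts with those digits would be rewritten too; adding `(?!\d)` after the `10` would limit it.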
+ $dbh->bz_alter_column('profiles', 'cryptpassword', {TYPE => 'varchar(128)'}); +@@ -3371,7 +3402,7 @@ + + # 2002-11-24 - bugreport@peshkin.net - bug 147275 + # +-# If group_control_map is empty, backward-compatbility ++# If group_control_map is empty, backward-compatibility + # usebuggroups-equivalent records should be created. + my $entry = Param('useentrygroupdefault'); + $sth = $dbh->prepare("SELECT COUNT(*) FROM group_control_map"); +@@ -4026,8 +4057,30 @@ + # 2005-04-28 - LpSolit@gmail.com - Bug 7233: add an index to versions + $dbh->bz_alter_column('versions', 'value', + {TYPE => 'varchar(64)', NOTNULL => 1}); +-$dbh->bz_add_index('versions', 'versions_product_id_idx', +- {TYPE => 'UNIQUE', FIELDS => [qw(product_id value)]}); ++ ++# A helper for the below code ++sub _de_dup_version { ++ my ($product_id, $version) = @_; ++ my $dbh = Bugzilla->dbh; ++ print "Fixing duplicate version $version in product_id $product_id...\n"; ++ $dbh->do('DELETE FROM versions WHERE product_id = ? AND value = ?', ++ undef, $product_id, $version); ++ $dbh->do('INSERT INTO versions (product_id, value) VALUES (?,?)', ++ undef, $product_id, $version); ++} ++ ++# Versions could be duplicated, since they didn't have a UNIQUE index. ++if (!$dbh->bz_index_info('versions', 'versions_product_id_idx')) { ++ my $dup_versions = $dbh->selectall_arrayref( ++ 'SELECT product_id, value FROM versions ++ GROUP BY product_id, value HAVING COUNT(value) > 1', {Slice=>{}}); ++ foreach my $dup_version (@$dup_versions) { ++ _de_dup_version($dup_version->{product_id}, $dup_version->{value}); ++ } ++ ++ $dbh->bz_add_index('versions', 'versions_product_id_idx', ++ {TYPE => 'UNIQUE', FIELDS => [qw(product_id value)]}); ++} + + # Milestone sortkeys get a default just like all other sortkeys. + if (!exists $dbh->bz_column_info('milestones', 'sortkey')->{DEFAULT}) { +@@ -4274,7 +4327,7 @@ + # + + # +-# BugZilla uses --GROUPS-- to assign various rights to its users. 
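Review bot: `_de_dup_version` deletes every row for the duplicated `(product_id, value)` pair and then re-inserts one, with nothing tying the two statements together. Whether the handle raises on error is not visible in this hunk; if the INSERT fails or the script is interrupted in between, the version disappears from the product altogether. Where the backend supports it, wrapping the pair in a transaction, or at least checking the INSERT's return value before going on to `bz_add_index`, would make the clean-up safe to re-run. A one-line comment on the helper, `# Not atomic: a failure after the DELETE loses the version row.`, would record the risk if the code stays as is.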
++# Bugzilla uses --GROUPS-- to assign various rights to its users. + # + + AddGroup('tweakparams', 'Can tweak operating parameters'); +@@ -4488,7 +4541,7 @@ + my $mailcheck = ""; + + # Here we look to see what the emailregexp is set to so we can +- # check the email addy they enter. Bug 96675. If they have no ++ # check the email address they enter. Bug 96675. If they have no + # params (likely but not always the case), we use the default. + if (-e "$datadir/params") { + require "$datadir/params"; # if they have a params file, use that +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/contrib/bug_email.pl bugzilla-2.22.1/contrib/bug_email.pl +--- bugzilla-2.22/contrib/bug_email.pl 2006-02-21 06:52:37.000000000 -0800 ++++ bugzilla-2.22.1/contrib/bug_email.pl 2006-06-19 09:25:16.000000000 -0700 +@@ -38,7 +38,7 @@ + # + # You need to work with bug_email.pl the MIME::Parser installed. + # +-# $Id: bug_email.pl,v 1.31.2.1 2006/02/21 14:52:37 jocuri%softhome.net Exp $ ++# $Id: bug_email.pl,v 1.31.2.6 2006/06/19 16:25:16 vladd%bugzilla.org Exp $ + ############################################################### + + # 02/12/2000 (SML) +@@ -288,7 +288,7 @@ + ############################################################### + # getEnumList + # Queries the Database for the table description and figures the +-# enum-settings out - usefull for checking fields for enums like ++# enum-settings out - useful for checking fields for enums like + # prios + sub getEnumList( $ ) + { +@@ -527,7 +527,7 @@ + ############################################################### + # generateTemplate + # +-# This functiuon generates a mail-Template with the ++# This function generates a mail-Template with the + sub generateTemplate() + { + my $w; +@@ -999,10 +999,10 @@ + + $Control{'version'} = $Version; + +-# GroupsSet: Protections for Bug info. This paramter controls the visiblility of the ++# GroupsSet: Protections for Bug info. This paramter controls the visibility of the + # given bug. 
An Error in the given Buggroup is not a blocker, a default is taken. + # +-# The GroupSet is accepted only as literals linked with whitespaces, plus-signs or kommas ++# The GroupSet is accepted only as literals linked with whitespaces, plus-signs or commas + # + my $GroupSet = ""; + my %GroupArr = (); +@@ -1198,7 +1198,7 @@ + Bugzilla::BugMail::Send($id) if( ! $test); + + } else { +- # There were critical errors in the mail - the bug couldnt be inserted. ! ++ # There were critical errors in the mail - the bug couldn't be inserted. ! + my $errreply = < +

+ The bugzilla Mail interface allows the registered bugzilla users to submit bugs by +-sending email with a bug description. This is usefull for people, who do not work ++sending email with a bug description. This is useful for people, who do not work + inhouse and want to submitt bugs to the bugzilla system. +

+ +@@ -148,7 +148,7 @@ +

Valid values

+ Give string values for the most keys above. Some keywords require special values:
+
    +-
  1. E-Mail adresses: If you want to set the qa-contact, specify a email-adress for @qa_contact. The email must be known by bugzilla of course.
  2. ++
  3. E-Mail addresses: If you want to set the qa-contact, specify an email-address for @qa_contact. The email must be known by bugzilla of course.
  4. +
  5. Listvalues: Most of the values have to be one of a list of valid values. Try by sending + a mail and read the reply. Skip fields if you don't get help for them unless you don't know + which values you may choose.
  6. +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/contrib/bzdbcopy.pl bugzilla-2.22.1/contrib/bzdbcopy.pl +--- bugzilla-2.22/contrib/bzdbcopy.pl 2005-07-12 00:56:16.000000000 -0700 ++++ bugzilla-2.22.1/contrib/bzdbcopy.pl 2006-04-30 16:54:37.000000000 -0700 +@@ -172,13 +172,6 @@ + print "\n\n"; + } + +-# And there's one entry in the fielddefs table that needs +-# to be manually fixed. This is a huge hack. +-my $delta_fdef = "(" . $target_db->sql_to_days('NOW()') . " - " . +- $target_db->sql_to_days('bugs.delta_ts') . ")"; +-$target_db->do(q{UPDATE fielddefs SET name = ? +- WHERE name LIKE '%bugs.delta_ts%'}, undef, $delta_fdef); +- + print "Committing changes to the target database...\n"; + $target_db->commit; + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/contrib/gnatsparse/gnatsparse.py bugzilla-2.22.1/contrib/gnatsparse/gnatsparse.py +--- bugzilla-2.22/contrib/gnatsparse/gnatsparse.py 2005-11-25 11:47:38.000000000 -0800 ++++ bugzilla-2.22.1/contrib/gnatsparse/gnatsparse.py 2006-06-19 08:58:20.000000000 -0700 +@@ -357,7 +357,7 @@ + for piece in pieces: + result = changedfromtore.search(piece) + # See what things we actually have inside this entry, and +- # handle them approriately ++ # handle them appropriately + if result is not None: + type = result.group(1) + changedfromto = result.group(2) +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/about.html bugzilla-2.22.1/docs/html/about.html +--- bugzilla-2.22/docs/html/about.html 2006-04-22 20:12:09.000000000 -0700 ++++ bugzilla-2.22.1/docs/html/about.html 2006-10-15 02:19:38.000000000 -0700 +@@ -7,11 +7,11 @@ + NAME="GENERATOR" + CONTENT="Modular DocBook HTML Stylesheet Version 1.7">The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    3.11.1. Creating Groups
    3.11.2. Assigning Users to Groups
    3.11.3. Assigning Group Controls to Products
    3.11.4. Common Applications of Group Controls
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release

    The Bugzilla Team

    2006-04-22

    2006-10-15

    2.4. Multiple Bugzilla databases with a single installation
    2.5. OS-Specific Installation Notes
    2.5. 2.6. UNIX (non-root) Installation Notes
    B.4. Bundle::Bugzilla makes me upgrade to Perl 5.6.1
    B.5. DBD::Sponge::db prepare failed
    B.6. B.5. cannot chdir(/var/spool/mqueue)
    B.7. B.6. Your vendor has not defined Fcntl macro O_NOINHERIT
    B.8. B.7. Everybody is constantly being forced to relogin
    B.9. B.8. Some users are constantly being forced to relogin
    B.10. B.9. doesn't show up unless specified in the URL
    B.11. B.10. checksetup.pl reports "Client does not support authentication protocol + requested by server..."1.3. New Versions

    This is the 2.22 version of The Bugzilla Guide. It is so named ++> This is the 2.22.1 version of The Bugzilla Guide. It is so named + to match the current version of Bugzilla. +

    Also, thanks are due to the members of the + netscape.public.mozilla.webtools mozilla.support.bugzilla +- newsgroup. Without your discussions, insight, suggestions, and patches, ++ newsgroup (and its predecessor, netscape.public.mozilla.webtools). ++ Without your discussions, insight, suggestions, and patches, + this could never have happened. +

    Section 2.4Section 2.5 + before you start your installation to see if there are any special + instructions. +@@ -1725,7 +1726,7 @@ + > The preferred way of installing Perl modules is via CPAN on Unix, + or PPM on Windows (see Section 2.4.1.2Section 2.5.1.2). These + instructions assume you are using CPAN; if for some reason you need + to install the Perl modules manually, see +@@ -1901,7 +1902,7 @@ + HREF="#install-modules-template" + >Template +- (2.08) ++ (2.10) +

  7. XML::ParserXML::Twig + (any) for the XML interface +

    2.1.5.2. Template Toolkit (2.08)2.1.5.2. Template Toolkit (2.10)

    When you install Template Toolkit, you'll get asked various +@@ -2168,22 +2169,17 @@ + >


    2.1.5.7. XML::Parser (any)2.1.5.7. XML::Twig (any)

    The XML::Parser module is only required if you want to import ++>The XML::Twig module is only required if you want to import + XML bugs using the importxml.pl + script. This is required to use Bugzilla's "move bugs" feature; + you may also want to use it for migrating from another bug database. +- XML::Parser requires that the +- expat library is already installed on your machine. +

  8. /etc/my.cnf as below. +

    If you are using MySQL 4.0 or newer, enter: +-

    If you are using an older version of MySQL, enter: +-

      [mysqld]
    +-  # Allow packets up to 1M
    +-  set-variable = max_allowed_packet=1M

    There is also a parameter in Bugzilla called 'maxattachmentsize' + (default = 1000 Kb) that controls the maximum allowable attachment + size. Attachments larger than


    2.2.2.1.2. Allow small words in full-text indexes

    http://www.mysql.com/doc/en/Fulltext_Fine-tuning.html. +

    The ft_min_word_len parameter is only supported in MySQL v4 or higher. +-


    2.2.2.1.3. Permit attachments table to grow beyond 4GB

    By default, MySQL will limit the size of a table to 4GB. +- This limit is present even if the underlying filesystem +- has no such limit. To set a higher limit, follow these +- instructions. +-

    Run the MySQL command-line client and +- enter: +-

      mysql> ALTER TABLE attachments 
    +-            AVG_ROW_LENGTH=1000000, MAX_ROWS=20000;
    +-          

    The above command will change the limit to 20GB. Mysql will have +- to make a temporary copy of your entire table to do this. Ideally, +- you should do this when your attachments table is still small. +-

    This does not affect Big Files, attachments that are stored directly +- on disk instead of in the database. +-

    2.2.2.1.4. Add a user to MySQL2.2.2.1.3. Add a user to MySQL

    You need to add a new MySQL user for Bugzilla to use. +@@ -2777,10 +2648,7 @@ + > Run the mysql command-line client. +-

    If you are using MySQL 4.0 or newer, enter: ++> command-line client and enter: +


    2.2.2.1.4. Permit attachments table to grow beyond 4GB

    If you are using an older version of MySQL,the +- LOCK TABLES and +- CREATE TEMPORARY TABLES By default, MySQL will limit the size of a table to 4GB. ++ This limit is present even if the underlying filesystem ++ has no such limit. To set a higher limit, follow these ++ instructions. ++

    After you have completed the rest of the installation (or at least the ++ database setup parts), you should run the MySQL +- permissions will be unavailable and should be removed from +- the permissions list. In this case, the following command +- line can be used: ++ command-line client and enter the following, replacing $bugs_db ++ with your Bugzilla database name (bugs by default): +

      
            mysql> GRANT SELECT, INSERT,
    +-           UPDATE, DELETE, INDEX, ALTER, CREATE, DROP,
    +-           REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY
    +-           ' use $db_pass';
    +-           $bugs_db
    ++            mysql> FLUSH PRIVILEGES;
    ALTER TABLE attachments ++ AVG_ROW_LENGTH=1000000, MAX_ROWS=20000; ++

    The above command will change the limit to 20GB. Mysql will have ++ to make a temporary copy of your entire table to do this. Ideally, ++ you should do this when your attachments table is still small. ++

    This does not affect Big Files, attachments that are stored directly ++ on disk instead of in the database. ++


    2.2.2.2.1. Add a User to PostgreSQL


    2.2.2.2.2. Configure PostgreSQL


    2.2.3. checksetup.pl

    Section 4.3.1. ++>. You can run ++ testserver.pl to check if your web server serves ++ Bugzilla files as expected. +


    2.3.1. Bug Graphs


    2.3.2. Dependency Charts

    loginmethod
    user_verify_class

    This parameter should be set to data/params and set loginmethod to ++> and set user_verify_class to + "DB"


    2.4. Multiple Bugzilla databases with a single installation

    The previous instructions refered to a standard installation, with ++ one unique Bugzilla database. However, you may want to host several ++ distinct installations, without having several copies of the code. This is ++ possible by using the PROJECT environment variable. When accessed, ++ Bugzilla checks for the existence of this variable, and if present, uses ++ its value to check for an alternative configuration file named ++ localconfig.<PROJECT> in the same location as ++ the default one (localconfig). It also checks for ++ customized templates in a directory named ++ <PROJECT> in the same location as the ++ default one (template/<langcode>). By default ++ this is template/en/default so PROJECT's templates ++ would be located at template/en/PROJECT.

    To set up an alternate installation, just export PROJECT=foo before ++ running checksetup.pl for the first time. It will ++ result in a file called localconfig.foo instead of ++ localconfig. Edit this file as described above, with ++ reference to a new database, and re-run checksetup.pl ++ to populate it. That's all.

    Now you have to configure the web server to pass this environment ++ variable when accessed via an alternate URL, such as virtual host for ++ instance. The following is an example of how you could do it in Apache, ++ other Webservers may differ. ++
    
<VirtualHost 212.85.153.228:80>
    ++    ServerName foo.bar.baz
    ++    SetEnv PROJECT foo
    ++    Alias /bugzilla /var/www/bugzilla
    ++</VirtualHost>
    ++
    ++

    Don't forget to also export this variable before accessing Bugzilla ++ by other means, such as cron tasks for instance.


    2.4. OS-Specific Installation Notes2.5. OS-Specific Installation Notes

    Many aspects of the Bugzilla installation can be affected by the +@@ -4340,7 +4350,7 @@ + CLASS="section" + >2.4.1. Microsoft Windows2.5.1. Microsoft Windows

    Making Bugzilla work on Windows is more difficult than making it +@@ -4355,7 +4365,7 @@ + CLASS="section" + >2.4.1.1. Win32 Perl2.5.1.1. Win32 Perl

    Perl for Windows can be obtained from +@@ -4379,7 +4389,7 @@ + CLASS="section" + >2.4.1.2. Perl Modules on Win322.5.1.2. Perl Modules on Win32

    Bugzilla on Windows requires the same perl modules found in +@@ -4511,7 +4521,7 @@ + CLASS="section" + >2.4.1.3. Code changes required to run on Win322.5.1.3. Code changes required to run on Win32

    Bugzilla on Win32 is supported out of the box from version 2.20; this +@@ -4524,7 +4534,7 @@ + CLASS="section" + >2.4.1.4. Serving the web pages2.5.1.4. Serving the web pages

    As is the case on Unix based systems, any web server should +@@ -4585,7 +4595,7 @@ + CLASS="section" + >2.4.1.5. Sending Email2.5.1.5. Sending Email

    To enable Bugzilla to send email on Windows, the server running the +@@ -4599,7 +4609,7 @@ + CLASS="section" + >2.4.2. 2.5.2. Mac OS X2.4.2.1. Sendmail2.5.2.1. Sendmail

    In Mac OS X 10.3 and later, +@@ -4641,7 +4651,7 @@ + CLASS="section" + >2.4.2.2. Libraries & Perl Modules on Mac OS X2.5.2.2. Libraries & Perl Modules on Mac OS X

    Apple did not include the GD library with Mac OS X. Bugzilla +@@ -4841,7 +4851,7 @@ + CLASS="section" + >2.4.3. Linux-Mandrake 8.02.5.3. Linux-Mandrake 8.0

    Linux-Mandrake 8.0 includes every required and optional library +@@ -4941,15 +4951,15 @@ + CLASS="section" + >2.5. UNIX (non-root) Installation Notes2.6. UNIX (non-root) Installation Notes

    2.5.1. Introduction2.6.1. Introduction

    If you are running a *NIX OS as non-root, either due +@@ -4968,8 +4978,8 @@ + >


    2.5.2. MySQL2.6.2. MySQL

    You may have MySQL installed as root. If you're +@@ -5024,16 +5034,16 @@ + >


    2.5.2.1. Running MySQL as Non-Root2.6.2.1. Running MySQL as Non-Root

    2.5.2.1.1. The Custom Configuration Method2.6.2.1.1. The Custom Configuration Method

    Create a file .my.cnf in your +@@ -5076,8 +5086,8 @@ + >


    2.5.2.1.2. The Custom Built Method2.6.2.1.2. The Custom Built Method

    You can install MySQL as a not-root, if you really need to. +@@ -5099,8 +5109,8 @@ + >


    2.5.2.1.3. Starting the Server2.6.2.1.3. Starting the Server

    After your mysqld program is built and any .my.cnf file is +@@ -5227,8 +5237,8 @@ + >


    2.5.3. Perl2.6.3. Perl

    On the extremely rare chance that you don't have Perl on +@@ -5305,7 +5315,7 @@ + CLASS="section" + >2.5.4. Perl Modules2.6.4. Perl Modules

    Installing the Perl modules as a non-root user is probably the +@@ -5320,8 +5330,8 @@ + >


    2.5.4.1. The Independant Method2.6.4.1. The Independant Method

    The independant method requires that you install your own +@@ -5392,8 +5402,8 @@ + >


    2.5.4.2. The Mixed Method2.6.4.2. The Mixed Method

    First, you'll need to configure CPAN to +@@ -5597,8 +5607,8 @@ + >


    2.5.5. HTTP Server2.6.5. HTTP Server

    Ideally, this also needs to be installed as root and +@@ -5611,8 +5621,8 @@ + >


    2.5.5.1. Running Apache as Non-Root2.6.5.1. Running Apache as Non-Root

    You can run Apache as a non-root user, but the port will need +@@ -5693,14 +5703,14 @@ + >


    2.5.6. Bugzilla2.6.6. Bugzilla

    If you had to install Perl modules as a non-root user + (Section 2.5.4Section 2.6.4) or to non-standard + directories, you will need to change the scripts, setting the correct + location of the Perl modules:


    3.11.1. Creating Groups


    3.11.2. Assigning Users to Groups


    3.11.3. Assigning Group Controls to Products


    3.11.4. Common Applications of Group Controls

    3.11.4.1. General User Access With Security Group


    3.11.4.2. General User Access With A Security Product


    3.11.4.3. Product Isolation With Common Group

    Simply enter the following in /etc/my.conf/etc/my.cnf: +
    
[myslqd]
    ++>
[mysqld]
    + # Prevent network access to MySQL.
    + skip-networking
    +         

    5.5.1. Bugzilla Database Basics


    5.5.1.1. Bugzilla Database Tables

    + entire product...
    +
    +-profiles:  Ahh, so you were wondering where your precious user information was
    +-stored?  Here it is!  With the passwords in plain text for all to see! (but
    +-sshh... don't tell your users!)
    ++profiles:  This table contains details for the current user accounts,
    ++including the crypted hashes of the passwords used, the associated
    ++login names, and the real name of the users.
    +
    + profiles_activity:  Need to know who did what when to who's profile?  This'll
    + tell you, it's a pretty complete history.
    +@@ -12358,7 +12368,7 @@ + > At first glance, negation seems redundant. Rather than + searching for +

    + one could search for +
    + However, the search +

    6.9.1. Autolinkification


    6.11.2.1. Creating Charts


    6.11.2.2. Creating New Data Sets


    6.13.4. Saving Your Changes

    Section 2.4.1Section 2.5.1. +

    Microsoft has some advice on this matter, as well: +

    You can view bugs marked for 2.22.1 release ++> You can view bugs marked for 2.22.2 release + here. +- This list includes bugs for the 2.22.1 release that have already ++ This list includes bugs for the 2.22.2 release that have already + been fixed and checked into CVS. Please consult the + Announce your patch and the associated URL + (http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXXX) + for discussion in the newsgroup +- (netscape.public.mozilla.webtools). You'll get a ++ (mozilla.support.bugzilla). You'll get a + really good, fairly immediate reaction to the + implications of your patch, which will also give us + an idea how well-received the change would be. +@@ -17640,9 +17650,9 @@ + If you can't work it out, or if it's being uncommunicative, post + the errors in the + netscape.public.mozilla.webtoolsmozilla.support.bugzilla + newsgroup. +


    B.4. Bundle::Bugzilla makes me upgrade to Perl 5.6.1

    Try executing perl -MCPAN -e 'install CPAN' +- and then continuing. +-

    Certain older versions of the CPAN toolset were somewhat naive about +- how to upgrade Perl modules. When a couple of modules got rolled into the +- core Perl distribution for 5.6.1, CPAN thought that the best way to get +- those modules up to date was to haul down the Perl distribution itself and +- build it. Needless to say, this has caused headaches for just about +- everybody. Upgrading to a newer version of CPAN with the +- commandline above should fix things. +-


    B.5. DBD::Sponge::db prepare failedB.4. DBD::Sponge::db prepare failed

    The following error message may appear due to a bug in DBD::mysql +@@ -17886,7 +17871,7 @@ + CLASS="section" + >B.6. cannot chdir(/var/spool/mqueue)B.5. cannot chdir(/var/spool/mqueue)

    If you are installing Bugzilla on SuSE Linux, or some other +@@ -17945,7 +17930,7 @@ + CLASS="section" + >B.7. Your vendor has not defined Fcntl macro O_NOINHERITB.6. Your vendor has not defined Fcntl macro O_NOINHERIT

    This is caused by a bug in the version of +@@ -18026,7 +18011,7 @@ + CLASS="section" + >B.8. Everybody is constantly being forced to reloginB.7. Everybody is constantly being forced to relogin

    The most-likely cause is that the Example B-1. Examples of urlbase/cookiepath pairs for sharing login cookies

    Example B-2. Examples of urlbase/cookiepath pairs to restrict the login cookie


    B.9. Some users are constantly being forced to reloginB.8. Some users are constantly being forced to relogin

    First, make sure cookies are enabled in the user's browser. +@@ -18193,7 +18178,7 @@ + CLASS="section" + >B.10. B.9. index.cgi doesn't show up unless specified in the URLB.11. checksetup.pl reports "Client does not support authentication protocol ++>B.10. checksetup.pl reports "Client does not support authentication protocol + requested by server..."

    +

    Template::Plugin::GD: ++


    ++       CPAN Download Page: http://search.cpan.org/dist/Template-GD/
    ++       PPM Download Link:  (Just install Template-Toolkit using the instructions below)
    ++
    ++       Documentation: http://www.template-toolkit.org/docs/aqua/Modules/index.html
    ++      

    ++

    MIME::Base64: +

    +

    XML::Parser: ++> XML::Twig: +


    +         CPAN Download Page: http://search.cpan.org/dist/XML-Parser/http://search.cpan.org/dist/XML-Twig/
    ++        PPM Download Link: http://ppm.activestate.com/PPMPackages/zips/8xx-builds-only/Windows/XML-Twig-3.22.zip
    +-        PPM Download Link: Part of core distribution.
    +         Documentation: http://www.perldoc.com/perl5.6.1/lib/XML/Parser.htmlhttp://standards.ieee.org/resources/spasystem/twig/twig_stable.html
    +       

    +@@ -19058,7 +19067,7 @@ + >

    Version 1.1, March 2000

    0-9, high ascii

    /etc/my.cnf as below. +

    If you are using MySQL 4.0 or newer, enter: +-

    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release

    If you are using an older version of MySQL, enter: +-

      [mysqld]
    +-  # Allow packets up to 1M
    +-  set-variable = max_allowed_packet=1M

    There is also a parameter in Bugzilla called 'maxattachmentsize' + (default = 1000 Kb) that controls the maximum allowable attachment + size. Attachments larger than

    2.2.2.1.2. Allow small words in full-text indexes

    http://www.mysql.com/doc/en/Fulltext_Fine-tuning.html. +

    The ft_min_word_len parameter is only supported in MySQL v4 or higher. +-

    2.2.2.1.3. Permit attachments table to grow beyond 4GB

    By default, MySQL will limit the size of a table to 4GB. +- This limit is present even if the underlying filesystem +- has no such limit. To set a higher limit, follow these +- instructions. +-

    Run the MySQL command-line client and +- enter: +-

      mysql> ALTER TABLE attachments 
    +-            AVG_ROW_LENGTH=1000000, MAX_ROWS=20000;
    +-          

    The above command will change the limit to 20GB. Mysql will have +- to make a temporary copy of your entire table to do this. Ideally, +- you should do this when your attachments table is still small. +-

    This does not affect Big Files, attachments that are stored directly +- on disk instead of in the database. +-

    2.2.2.1.4. Add a user to MySQL2.2.2.1.3. Add a user to MySQL

    You need to add a new MySQL user for Bugzilla to use. +@@ -567,10 +442,7 @@ + > Run the mysql command-line client. +-

    If you are using MySQL 4.0 or newer, enter: ++> command-line client and enter: +

    2.2.2.1.4. Permit attachments table to grow beyond 4GB

    If you are using an older version of MySQL,the +- LOCK TABLES and +- CREATE TEMPORARY TABLES By default, MySQL will limit the size of a table to 4GB. ++ This limit is present even if the underlying filesystem ++ has no such limit. To set a higher limit, follow these ++ instructions. ++

    After you have completed the rest of the installation (or at least the ++ database setup parts), you should run the MySQL +- permissions will be unavailable and should be removed from +- the permissions list. In this case, the following command +- line can be used: ++ command-line client and enter the following, replacing $bugs_db ++ with your Bugzilla database name (bugs by default): +

      
            mysql> GRANT SELECT, INSERT,
    +-           UPDATE, DELETE, INDEX, ALTER, CREATE, DROP,
    +-           REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY
    +-           ' use $db_pass';
    +-           $bugs_db
    ++            mysql> FLUSH PRIVILEGES;
    ALTER TABLE attachments ++ AVG_ROW_LENGTH=1000000, MAX_ROWS=20000; ++

    The above command will change the limit to 20GB. Mysql will have ++ to make a temporary copy of your entire table to do this. Ideally, ++ you should do this when your attachments table is still small. ++

    This does not affect Big Files, attachments that are stored directly ++ on disk instead of in the database. ++

    2.2.2.2.1. Add a User to PostgreSQL

    2.2.2.2.2. Configure PostgreSQL

    2.2.3. checksetup.pl

    Section 4.3.1. ++>. You can run ++ testserver.pl to check if your web server serves ++ Bugzilla files as expected. +

    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release

    Also, thanks are due to the members of the + netscape.public.mozilla.webtools mozilla.support.bugzilla +- newsgroup. Without your discussions, insight, suggestions, and patches, ++ newsgroup (and its predecessor, netscape.public.mozilla.webtools). ++ Without your discussions, insight, suggestions, and patches, + this could never have happened. +

    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release

    5.5.1. Bugzilla Database Basics

    5.5.1.1. Bugzilla Database Tables

    + entire product...
    +
    +-profiles:  Ahh, so you were wondering where your precious user information was
    +-stored?  Here it is!  With the passwords in plain text for all to see! (but
    +-sshh... don't tell your users!)
    ++profiles:  This table contains details for the current user accounts,
    ++including the crypted hashes of the passwords used, the associated
    ++login names, and the real name of the users.
    +
    + profiles_activity:  Need to know who did what when to who's profile?  This'll
    + tell you, it's a pretty complete history.
    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/dbmodify.html bugzilla-2.22.1/docs/html/dbmodify.html +--- bugzilla-2.22/docs/html/dbmodify.html 2006-04-22 20:12:11.000000000 -0700 ++++ bugzilla-2.22.1/docs/html/dbmodify.html 2006-10-15 02:19:41.000000000 -0700 +@@ -7,7 +7,7 @@ + NAME="GENERATOR" + CONTENT="Modular DocBook HTML Stylesheet Version 1.7">The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseNext

    2.3.1. Bug Graphs

    2.3.2. Dependency Charts

    loginmethod
    user_verify_class

    This parameter should be set to data/params and set loginmethod to ++> and set user_verify_class to + "DB"NextOS-Specific Installation NotesMultiple Bugzilla databases with a single installation

    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseSection 2.4.1Section 2.5.1. +

    Microsoft has some advice on this matter, as well: +

    You can view bugs marked for 2.22.1 release ++> You can view bugs marked for 2.22.2 release + here. +- This list includes bugs for the 2.22.1 release that have already ++ This list includes bugs for the 2.22.2 release that have already + been fixed and checked into CVS. Please consult the + Announce your patch and the associated URL + (http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXXX) + for discussion in the newsgroup +- (netscape.public.mozilla.webtools). You'll get a ++ (mozilla.support.bugzilla). You'll get a + really good, fairly immediate reaction to the + implications of your patch, which will also give us + an idea how well-received the change would be. +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/flags.html bugzilla-2.22.1/docs/html/flags.html +--- bugzilla-2.22/docs/html/flags.html 2006-04-22 20:12:13.000000000 -0700 ++++ bugzilla-2.22.1/docs/html/flags.html 2006-10-15 02:19:42.000000000 -0700 +@@ -7,7 +7,7 @@ + NAME="GENERATOR" + CONTENT="Modular DocBook HTML Stylesheet Version 1.7">The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Releasenetscape.public.mozilla.webtoolsmozilla.support.bugzilla + newsgroup. +

    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release

    Version 1.1, March 2000

    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release

    0-9, high ascii

    3.11.1. Creating Groups

    3.11.2. Assigning Users to Groups

    3.11.3. Assigning Group Controls to Products

    3.11.4. Common Applications of Group Controls

    6.9.1. Autolinkification

    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release

    The Bugzilla Team

    2006-04-22

    2006-10-15

    Section 2.4Section 2.5 + before you start your installation to see if there are any special + instructions. +@@ -550,7 +550,7 @@ + > The preferred way of installing Perl modules is via CPAN on Unix, + or PPM on Windows (see Section 2.4.1.2Section 2.5.1.2). These + instructions assume you are using CPAN; if for some reason you need + to install the Perl modules manually, see +@@ -726,7 +726,7 @@ + HREF="installation.html#install-modules-template" + >Template +- (2.08) ++ (2.10) +

  9. XML::ParserXML::Twig + (any) for the XML interface +

    2.1.5.2. Template Toolkit (2.08)2.1.5.2. Template Toolkit (2.10)

    When you install Template Toolkit, you'll get asked various +@@ -993,22 +993,17 @@ + >

    2.1.5.7. XML::Parser (any)2.1.5.7. XML::Twig (any)

    The XML::Parser module is only required if you want to import ++>The XML::Twig module is only required if you want to import + XML bugs using the importxml.pl + script. This is required to use Bugzilla's "move bugs" feature; + you may also want to use it for migrating from another bug database. +- XML::Parser requires that the +- expat library is already installed on your machine. +

  10. 2.2.3. checksetup.pl
    2.3.1. Bug Graphs
    2.3.2. Dependency Charts
    2.4. Multiple Bugzilla databases with a single installation
    2.5. OS-Specific Installation Notes
    2.4.1. 2.5.1. Microsoft Windows
    2.4.2. 2.5.2.
    2.4.3. 2.5.3. Linux-Mandrake 8.0
    2.5. 2.6. UNIX (non-root) Installation Notes
    2.5.1. 2.6.1. Introduction
    2.5.2. 2.6.2. MySQL
    2.5.3. 2.6.3. Perl
    2.5.4. 2.6.4. Perl Modules
    2.5.5. 2.6.5. HTTP Server
    2.5.6. 2.6.6. Bugzilla
    +

    Template::Plugin::GD: ++


    ++       CPAN Download Page: http://search.cpan.org/dist/Template-GD/
    ++       PPM Download Link:  (Just install Template-Toolkit using the instructions below)
    ++
    ++       Documentation: http://www.template-toolkit.org/docs/aqua/Modules/index.html
    ++      

    ++

    MIME::Base64: +

    +

    XML::Parser: ++> XML::Twig: +


    +         CPAN Download Page: http://search.cpan.org/dist/XML-Parser/http://search.cpan.org/dist/XML-Twig/
    ++        PPM Download Link: http://ppm.activestate.com/PPMPackages/zips/8xx-builds-only/Windows/XML-Twig-3.22.zip
    +-        PPM Download Link: Part of core distribution.
    +         Documentation: http://www.perldoc.com/perl5.6.1/lib/XML/Parser.htmlhttp://standards.ieee.org/resources/spasystem/twig/twig_stable.html
    +       

    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/myaccount.html bugzilla-2.22.1/docs/html/myaccount.html +--- bugzilla-2.22/docs/html/myaccount.html 2006-04-22 20:12:12.000000000 -0700 ++++ bugzilla-2.22.1/docs/html/myaccount.html 2006-10-15 02:19:42.000000000 -0700 +@@ -7,7 +7,7 @@ + NAME="GENERATOR" + CONTENT="Modular DocBook HTML Stylesheet Version 1.7">
    1.3. New Versions

    This is the 2.22 version of The Bugzilla Guide. It is so named ++> This is the 2.22.1 version of The Bugzilla Guide. It is so named + to match the current version of Bugzilla. +

    2.5. UNIX (non-root) Installation Notes2.6. UNIX (non-root) Installation Notes

    2.5.1. Introduction2.6.1. Introduction

    If you are running a *NIX OS as non-root, either due +@@ -103,8 +103,8 @@ + >

    2.5.2. MySQL2.6.2. MySQL

    You may have MySQL installed as root. If you're +@@ -159,16 +159,16 @@ + >

    2.5.2.1. Running MySQL as Non-Root2.6.2.1. Running MySQL as Non-Root

    2.5.2.1.1. The Custom Configuration Method2.6.2.1.1. The Custom Configuration Method

    Create a file .my.cnf in your +@@ -211,8 +211,8 @@ + >

    2.5.2.1.2. The Custom Built Method2.6.2.1.2. The Custom Built Method

    You can install MySQL as a not-root, if you really need to. +@@ -234,8 +234,8 @@ + >

    2.5.2.1.3. Starting the Server2.6.2.1.3. Starting the Server

    After your mysqld program is built and any .my.cnf file is +@@ -362,8 +362,8 @@ + >

    2.5.3. Perl2.6.3. Perl

    On the extremely rare chance that you don't have Perl on +@@ -440,7 +440,7 @@ + CLASS="section" + >2.5.4. Perl Modules2.6.4. Perl Modules

    Installing the Perl modules as a non-root user is probably the +@@ -455,8 +455,8 @@ + >

    2.5.4.1. The Independant Method2.6.4.1. The Independant Method

    The independant method requires that you install your own +@@ -527,8 +527,8 @@ + >

    2.5.4.2. The Mixed Method2.6.4.2. The Mixed Method

    First, you'll need to configure CPAN to +@@ -732,8 +732,8 @@ + >

    2.5.5. HTTP Server2.6.5. HTTP Server

    Ideally, this also needs to be installed as root and +@@ -746,8 +746,8 @@ + >

    2.5.5.1. Running Apache as Non-Root2.6.5.1. Running Apache as Non-Root

    You can run Apache as a non-root user, but the port will need +@@ -828,14 +828,14 @@ + >

    2.5.6. Bugzilla2.6.6. Bugzilla

    If you had to install Perl modules as a non-root user + (Section 2.5.4Section 2.6.4) or to non-standard + directories, you will need to change the scripts, setting the correct + location of the Perl modules:

    Prev2.4. OS-Specific Installation Notes2.5. OS-Specific Installation Notes

    Many aspects of the Bugzilla installation can be affected by the +@@ -99,7 +99,7 @@ + CLASS="section" + >2.4.1. Microsoft Windows2.5.1. Microsoft Windows

    Making Bugzilla work on Windows is more difficult than making it +@@ -114,7 +114,7 @@ + CLASS="section" + >2.4.1.1. Win32 Perl2.5.1.1. Win32 Perl

    Perl for Windows can be obtained from +@@ -138,7 +138,7 @@ + CLASS="section" + >2.4.1.2. Perl Modules on Win322.5.1.2. Perl Modules on Win32

    Bugzilla on Windows requires the same perl modules found in +@@ -270,7 +270,7 @@ + CLASS="section" + >2.4.1.3. Code changes required to run on Win322.5.1.3. Code changes required to run on Win32

    Bugzilla on Win32 is supported out of the box from version 2.20; this +@@ -283,7 +283,7 @@ + CLASS="section" + >2.4.1.4. Serving the web pages2.5.1.4. Serving the web pages

    As is the case on Unix based systems, any web server should +@@ -344,7 +344,7 @@ + CLASS="section" + >2.4.1.5. Sending Email2.5.1.5. Sending Email

    To enable Bugzilla to send email on Windows, the server running the +@@ -358,7 +358,7 @@ + CLASS="section" + >2.4.2. 2.5.2. Mac OS X2.4.2.1. Sendmail2.5.2.1. Sendmail

    In Mac OS X 10.3 and later, +@@ -400,7 +400,7 @@ + CLASS="section" + >2.4.2.2. Libraries & Perl Modules on Mac OS X2.5.2.2. Libraries & Perl Modules on Mac OS X

    Apple did not include the GD library with Mac OS X. Bugzilla +@@ -600,7 +600,7 @@ + CLASS="section" + >2.4.3. Linux-Mandrake 8.02.5.3. Linux-Mandrake 8.0

    Linux-Mandrake 8.0 includes every required and optional library +@@ -710,7 +710,7 @@ + ALIGN="left" + VALIGN="top" + >PrevOptional Additional ConfigurationMultiple Bugzilla databases with a single installation

    B.6. cannot chdir(/var/spool/mqueue)B.5. cannot chdir(/var/spool/mqueue)

    If you are installing Bugzilla on SuSE Linux, or some other +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/patches.html bugzilla-2.22.1/docs/html/patches.html +--- bugzilla-2.22/docs/html/patches.html 2006-04-22 20:12:14.000000000 -0700 ++++ bugzilla-2.22.1/docs/html/patches.html 2006-10-15 02:19:43.000000000 -0700 +@@ -7,7 +7,7 @@ + NAME="GENERATOR" + CONTENT="Modular DocBook HTML Stylesheet Version 1.7">

    At first glance, negation seems redundant. Rather than + searching for +
    + one could search for +
    + However, the search +

    6.11.2.1. Creating Charts

    6.11.2.2. Creating New Data Sets

    Simply enter the following in /etc/my.conf/etc/my.cnf: +

    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    
[myslqd]
    ++>
[mysqld]
    + # Prevent network access to MySQL.
    + skip-networking
    +         
    +-Bundle::Bugzilla makes me upgrade to Perl 5.6.1
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    The Bugzilla Guide - 2.22 +- Release
    PrevAppendix B. TroubleshootingNext

    B.4. Bundle::Bugzilla makes me upgrade to Perl 5.6.1

    Try executing perl -MCPAN -e 'install CPAN' +- and then continuing. +-

    Certain older versions of the CPAN toolset were somewhat naive about +- how to upgrade Perl modules. When a couple of modules got rolled into the +- core Perl distribution for 5.6.1, CPAN thought that the best way to get +- those modules up to date was to haul down the Perl distribution itself and +- build it. Needless to say, this has caused headaches for just about +- everybody. Upgrading to a newer version of CPAN with the +- commandline above should fix things. +-


    PrevHomeNext
    I installed a Perl module, but +- checksetup.pl claims it's not installed!UpDBD::Sponge::db prepare failed
    +\ No newline at end of file +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/trbl-dbdsponge.html bugzilla-2.22.1/docs/html/trbl-dbdsponge.html +--- bugzilla-2.22/docs/html/trbl-dbdsponge.html 2006-04-22 20:12:13.000000000 -0700 ++++ bugzilla-2.22.1/docs/html/trbl-dbdsponge.html 2006-10-15 02:19:43.000000000 -0700 +@@ -7,15 +7,16 @@ + NAME="GENERATOR" + CONTENT="Modular DocBook HTML Stylesheet Version 1.7">The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleasePrevB.5. DBD::Sponge::db prepare failedB.4. DBD::Sponge::db prepare failed

    The following error message may appear due to a bug in DBD::mysql +@@ -170,7 +171,7 @@ + ALIGN="left" + VALIGN="top" + >PrevBundle::Bugzilla makes me upgrade to Perl 5.6.1I installed a Perl module, but ++ checksetup.pl claims it's not installed!PrevThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseB.11. checksetup.pl reports "Client does not support authentication protocol ++>B.10. checksetup.pl reports "Client does not support authentication protocol + requested by server..."

    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseNextNextBundle::Bugzilla makes me upgrade to Perl 5.6.1DBD::Sponge::db prepare failed

    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseNextB.8. Everybody is constantly being forced to reloginB.7. Everybody is constantly being forced to relogin

    The most-likely cause is that the Example B-1. Examples of urlbase/cookiepath pairs for sharing login cookies

    Example B-2. Examples of urlbase/cookiepath pairs to restrict the login cookie

    Next ++Some users are constantly being forced to relogin
    The Bugzilla Guide - 2.22.1 ++ Release
    PrevAppendix B. TroubleshootingNext

    B.8. Some users are constantly being forced to relogin

    First, make sure cookies are enabled in the user's browser. ++

    If that doesn't fix the problem, it may be that the user's ISP ++ implements a rotating proxy server. This causes the user's effective IP ++ address (the address which the Bugzilla server perceives him coming from) ++ to change periodically. Since Bugzilla cookies are tied to a specific IP ++ address, each time the effective address changes, the user will have to ++ log in again. ++

    If you are using 2.18 (or later), there is a ++ parameter called "loginnetmask", which you can use to set ++ the number of bits of the user's IP address to require to be matched when ++ authenticating the cookies. If you set this to something less than 32, ++ then the user will be given a checkbox for "Restrict this login to ++ my IP address" on the login screen, which defaults to checked. If ++ they leave the box checked, Bugzilla will behave the same as it did ++ before, requiring an exact match on their IP address to remain logged in. ++ If they uncheck the box, then only the left side of their IP address (up ++ to the number of bits you specified in the parameter) has to match to ++ remain logged in. ++


    PrevHomeNext
    Everybody is constantly being forced to reloginUpindex.cgi doesn't show up unless specified in the URL
    +\ No newline at end of file +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/trbl-testserver.html bugzilla-2.22.1/docs/html/trbl-testserver.html +--- bugzilla-2.22/docs/html/trbl-testserver.html 2006-04-22 20:12:13.000000000 -0700 ++++ bugzilla-2.22.1/docs/html/trbl-testserver.html 2006-10-15 02:19:43.000000000 -0700 +@@ -7,7 +7,7 @@ + NAME="GENERATOR" + CONTENT="Modular DocBook HTML Stylesheet Version 1.7">The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseB.7. Your vendor has not defined Fcntl macro O_NOINHERITB.6. Your vendor has not defined Fcntl macro O_NOINHERIT

    This is caused by a bug in the version of +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/troubleshooting.html bugzilla-2.22.1/docs/html/troubleshooting.html +--- bugzilla-2.22/docs/html/troubleshooting.html 2006-04-22 20:12:14.000000000 -0700 ++++ bugzilla-2.22.1/docs/html/troubleshooting.html 2006-10-15 02:19:43.000000000 -0700 +@@ -7,7 +7,7 @@ + NAME="GENERATOR" + CONTENT="Modular DocBook HTML Stylesheet Version 1.7">The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release

    B.4. Bundle::Bugzilla makes me upgrade to Perl 5.6.1
    B.5. DBD::Sponge::db prepare failed
    B.6. B.5. cannot chdir(/var/spool/mqueue)
    B.7. B.6. Your vendor has not defined Fcntl macro O_NOINHERIT
    B.8. B.7. Everybody is constantly being forced to relogin
    B.9. B.8. Some users are constantly being forced to relogin
    B.10. B.9. doesn't show up unless specified in the URL
    B.11. B.10. checksetup.pl reports "Client does not support authentication protocol + requested by server..."The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release
    6.9.1. Autolinkification
    6.13.4. Saving Your Changes
    The Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + ReleaseThe Bugzilla Guide - 2.22 ++>The Bugzilla Guide - 2.22.1 + Release

    6.13.4. Saving Your Changes

    +-Some users are constantly being forced to relogin

    The Bugzilla Guide - 2.22 +- Release
    PrevAppendix B. TroubleshootingNext

    B.9. Some users are constantly being forced to relogin

    First, make sure cookies are enabled in the user's browser. +-

    If that doesn't fix the problem, it may be that the user's ISP +- implements a rotating proxy server. This causes the user's effective IP +- address (the address which the Bugzilla server perceives him coming from) +- to change periodically. Since Bugzilla cookies are tied to a specific IP +- address, each time the effective address changes, the user will have to +- log in again. +-

    If you are using 2.18 (or later), there is a +- parameter called "loginnetmask", which you can use to set +- the number of bits of the user's IP address to require to be matched when +- authenticating the cookies. If you set this to something less than 32, +- then the user will be given a checkbox for "Restrict this login to +- my IP address" on the login screen, which defaults to checked. If +- they leave the box checked, Bugzilla will behave the same as it did +- before, requiring an exact match on their IP address to remain logged in. +- If they uncheck the box, then only the left side of their IP address (up +- to the number of bits you specified in the parameter) has to match to +- remain logged in. +-


    PrevHomeNext
    Everybody is constantly being forced to reloginUpindex.cgi doesn't show up unless specified in the URL
    +\ No newline at end of file +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/x757.html bugzilla-2.22.1/docs/html/x757.html +--- bugzilla-2.22/docs/html/x757.html 1969-12-31 16:00:00.000000000 -0800 ++++ bugzilla-2.22.1/docs/html/x757.html 2006-10-15 02:19:39.000000000 -0700 +@@ -0,0 +1,227 @@ ++ ++Multiple Bugzilla databases with a single installation
    The Bugzilla Guide - 2.22.1 ++ Release
    PrevChapter 2. Installing BugzillaNext

    2.4. Multiple Bugzilla databases with a single installation

    The previous instructions refered to a standard installation, with ++ one unique Bugzilla database. However, you may want to host several ++ distinct installations, without having several copies of the code. This is ++ possible by using the PROJECT environment variable. When accessed, ++ Bugzilla checks for the existence of this variable, and if present, uses ++ its value to check for an alternative configuration file named ++ localconfig.<PROJECT> in the same location as ++ the default one (localconfig). It also checks for ++ customized templates in a directory named ++ <PROJECT> in the same location as the ++ default one (template/<langcode>). By default ++ this is template/en/default so PROJECT's templates ++ would be located at template/en/PROJECT.

    To set up an alternate installation, just export PROJECT=foo before ++ running checksetup.pl for the first time. It will ++ result in a file called localconfig.foo instead of ++ localconfig. Edit this file as described above, with ++ reference to a new database, and re-run checksetup.pl ++ to populate it. That's all.

    Now you have to configure the web server to pass this environment ++ variable when accessed via an alternate URL, such as virtual host for ++ instance. The following is an example of how you could do it in Apache, ++ other Webservers may differ. ++
    
<VirtualHost 212.85.153.228:80>
    ++    ServerName foo.bar.baz
    ++    SetEnv PROJECT foo
    ++    Alias /bugzilla /var/www/bugzilla
    ++</VirtualHost>
    ++
    ++

    Don't forget to also export this variable before accessing Bugzilla ++ by other means, such as cron tasks for instance.


    PrevHomeNext
    Optional Additional ConfigurationUpOS-Specific Installation Notes
    +\ No newline at end of file
+diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/rel_notes.txt bugzilla-2.22.1/docs/rel_notes.txt
+--- bugzilla-2.22/docs/rel_notes.txt 2006-04-21 14:44:07.000000000 -0700
++++ bugzilla-2.22.1/docs/rel_notes.txt 2006-10-14 14:28:42.000000000 -0700
+@@ -6,6 +6,7 @@
+ *****************
+
+ - Introduction
++- Important Updates In This Point Release
+ - Minimum Requirements
+ * Perl
+ * For MySQL Users
+@@ -61,6 +62,46 @@
+ http://www.bugzilla.org/docs/contributor.html
+
+
++Important Updates In This Point Release
++***************************************
++
++This section describes bugs fixed in releases after the original 2.22
++release.
++
++Version 2.22.1
++--------------
++
+++ When sending mail, Bugzilla could throw the error "Insecure dependency in
++ exec while running with -T switch" (bug 340538).
++
+++ Using the public webdot server (for dependency graphs) should work
++ again (bug 351243).
++
+++ The "I'm added to or removed from this capacity" email preference
++ wasn't working for new bugs (bug 349852).
++
+++ The original release of 2.22 incorrectly said it required Template-Toolkit
++ version 2.08. In actual fact, Bugzilla requires version 2.10 (bug 351478).
++
+++ votes.cgi would crash if your bug was the one confirming a bug (bug 351300).
++
+++ checksetup.pl now correctly reports if your Template::Plugin::GD module
++ is missing. If missing, it could lead to charts and graphs not working
++ (bug 345389).
++
+++ The "Keyword" field on buglist.cgi was not sorted alphabetically, so
++ it wasn't very useful for sorting (bug 342828).
++
+++ Sendmail will no longer complain about there being a newline in the
++ email address, when Bugzilla sends mail (bug 331365).
++
+++ contrib/bzdbcopy.pl would try to insert an invalid value into the
++ database, unnecessarily (bug 335572).
++
+++ Deleting a bug now correctly deletes its attachments from the database
++ (bug 339667).
++
++
+ Minimum Requirements
+ ********************
+
+@@ -102,7 +143,7 @@
+ DBI v1.38
+ File::Spec v0.84
+ File::Temp (any)
+- Template Toolkit v2.08
++ Template Toolkit v2.10 (changed from 2.20)
+ Text::Wrap v2001.0131
+ Mail::Mailer v1.67 (changed from 2.20)
+ MIME::Base64 v3.01 (new in 2.22)
+@@ -234,7 +275,7 @@
+ --------------------------------------
+ If you turn on the "strict_isolation" parameter in Bugzilla, you
+ will *not* be able to add any user to the CC field (or set them
+-as an Asignee or QA Contact) unless that user could normally see
++as an Assignee or QA Contact) unless that user could normally see
+ the bug. That is, you will no longer be able to "accidentally"
+ (or intentionally) give somebody access to a bug that they
+ otherwise couldn't see.
+@@ -533,6 +574,24 @@
+ every single user, even those with saved sessions. (It invalidates
+ every login cookie Bugzilla has ever given out.)
+
++Version 2.22.1
++--------------
++
++The Bugzilla team fixed two Information Leaks and three Cross-Site
++Scripting vulnerabilities that existed in versions of Bugzilla
++prior to 2.22.1. We strongly recommend that you update any 2.22
++installation to 2.22.1, to be protected from these vulnerabilities.
++
++In addition, we have made an enhancement to security in this version
++of Bugzilla. In previous versions, it was possible for malicious
++users to exploit administrators in certain ways. Although this has
++never happened (to our knowledge) in the real world, we thought it
++was important that we protect administrators from this sort of attack.
++
++You can see details on all the vulnerabilities and enhancements at:
++
++http://www.bugzilla.org/security/2.18.5/
++
+
+ Release Notes For Previous Versions
+ ************************************
+diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/txt/Bugzilla-Guide.txt bugzilla-2.22.1/docs/txt/Bugzilla-Guide.txt
+--- bugzilla-2.22/docs/txt/Bugzilla-Guide.txt 2006-04-22 20:12:32.000000000 -0700
++++ bugzilla-2.22.1/docs/txt/Bugzilla-Guide.txt 2006-10-15 02:20:04.000000000 -0700
+@@ -1,9 +1,9 @@
+
+-The Bugzilla Guide - 2.22 Release
++The Bugzilla Guide - 2.22.1 Release
+
+ The Bugzilla Team
+
+- 2006-04-22
++ 2006-10-15
+
+ This is the documentation for Bugzilla, a bug-tracking system from
+ mozilla.org. Bugzilla is an enterprise-class piece of software that tracks
+@@ -27,8 +27,9 @@
+ 2.1. Installation
+ 2.2. Configuration
+ 2.3. Optional Additional Configuration
+- 2.4. OS-Specific Installation Notes
+- 2.5. UNIX (non-root) Installation Notes
++ 2.4. Multiple Bugzilla databases with a single installation
++ 2.5. OS-Specific Installation Notes
++ 2.6. UNIX (non-root) Installation Notes
+
+ 3. Administering Bugzilla
+
+@@ -85,14 +86,13 @@
+ B.3. I installed a Perl module, but checksetup.pl claims it's not
+ installed!
+
+- B.4. Bundle::Bugzilla makes me upgrade to Perl 5.6.1
+- B.5. DBD::Sponge::db prepare failed
+- B.6. cannot chdir(/var/spool/mqueue)
+- B.7. Your vendor has not defined Fcntl macro O_NOINHERIT
+- B.8. Everybody is constantly being forced to relogin
+- B.9. Some users are constantly being forced to relogin
+- B.10. index.cgi doesn't show up unless specified in the URL
+- B.11. checksetup.pl reports "Client does not support authentication
++ B.4. DBD::Sponge::db prepare failed
++ B.5. cannot chdir(/var/spool/mqueue)
++ B.6. Your vendor has not defined Fcntl macro O_NOINHERIT
++ B.7. Everybody is constantly being forced to relogin
++ B.8. Some users are constantly being forced to relogin
++ B.9. 
index.cgi doesn't show up unless specified in the URL ++ B.10. checksetup.pl reports "Client does not support authentication + protocol requested by server..." + + C. Contrib +@@ -175,8 +175,8 @@ + + 1.3. New Versions + +- This is the 2.22 version of The Bugzilla Guide. It is so named to match the +- current version of Bugzilla. ++ This is the 2.22.1 version of The Bugzilla Guide. It is so named to match ++ the current version of Bugzilla. + + The latest version of this guide can always be found at + http://www.bugzilla.org, or checked out via CVS by following the Mozilla CVS +@@ -236,9 +236,10 @@ + Zach Lipton, Gervase Markham, Andrew Pearson, Joe Robins, Spencer Smith, Ron + Teitelbaum, Shane Travis, Martin Wulffeld. + +- Also, thanks are due to the members of the netscape.public.mozilla.webtools +- newsgroup. Without your discussions, insight, suggestions, and patches, this +- could never have happened. ++ Also, thanks are due to the members of the mozilla.support.bugzilla ++ newsgroup (and its predecessor, netscape.public.mozilla.webtools). Without ++ your discussions, insight, suggestions, and patches, this could never have ++ happened. + _________________________________________________________________ + + 1.5. Document Conventions +@@ -283,7 +284,7 @@ + URL to access it over the web. + + The Bugzilla server software is usually installed on Linux or Solaris. If +- you are installing on another OS, check Section 2.4 before you start your ++ you are installing on another OS, check Section 2.5 before you start your + installation to see if there are any special instructions. + + As an alternative to following these instructions, you may wish to try Arne +@@ -415,7 +416,7 @@ + 5.6.1 or above. + + The preferred way of installing Perl modules is via CPAN on Unix, or PPM on +- Windows (see Section 2.4.1.2). These instructions assume you are using CPAN; ++ Windows (see Section 2.5.1.2). 
These instructions assume you are using CPAN; + if for some reason you need to install the Perl modules manually, see + Appendix D. + bash# perl -MCPAN -e 'install ""' +@@ -453,7 +454,7 @@ + 7. DBD::Pg (1.31) if using PostgreSQL + 8. File::Spec (0.84) + 9. File::Temp (any) +- 10. Template (2.08) ++ 10. Template (2.10) + 11. Text::Wrap (2001.0131) + 12. Mail::Mailer (1.67) + 13. MIME::Base64 (3.01) +@@ -466,7 +467,7 @@ + 2. Chart::Base (1.0) for bug charting + 3. GD::Graph (any) for bug charting + 4. GD::Text::Align (any) for bug charting +- 5. XML::Parser (any) for the XML interface ++ 5. XML::Twig (any) for the XML interface + 6. PatchReader (0.9.4) for pretty HTML view of patches + 7. Image::Magick (any) for converting BMP image attachments to PNG + _________________________________________________________________ +@@ -486,7 +487,7 @@ + which MySQL creates upon installation. + _________________________________________________________________ + +-2.1.5.2. Template Toolkit (2.08) ++2.1.5.2. Template Toolkit (2.10) + + When you install Template Toolkit, you'll get asked various questions about + features to enable. The defaults are fine, except that it is recommended you +@@ -525,13 +526,12 @@ + The GD::Text::Align module is only required if you want graphical reports. + _________________________________________________________________ + +-2.1.5.7. XML::Parser (any) ++2.1.5.7. XML::Twig (any) + +- The XML::Parser module is only required if you want to import XML bugs using ++ The XML::Twig module is only required if you want to import XML bugs using + the importxml.pl script. This is required to use Bugzilla's "move bugs" + feature; you may also want to use it for migrating from another bug +- database. XML::Parser requires that the expat library is already installed +- on your machine. ++ database. + _________________________________________________________________ + + 2.1.5.8. 
PatchReader (0.9.4) +@@ -633,17 +633,10 @@ + By default, MySQL will only accept packets up to 64Kb in size. If you want + to have attachments larger than this, you will need to modify your + /etc/my.cnf as below. +- +- If you are using MySQL 4.0 or newer, enter: + [mysqld] + # Allow packets up to 1M + max_allowed_packet=1M + +- If you are using an older version of MySQL, enter: +- [mysqld] +- # Allow packets up to 1M +- set-variable = max_allowed_packet=1M +- + There is also a parameter in Bugzilla called 'maxattachmentsize' (default = + 1000 Kb) that controls the maximum allowable attachment size. Attachments + larger than either the 'max_allowed_packet' or 'maxattachmentsize' value +@@ -669,29 +662,9 @@ + + Rebuilding the indexes can be done based on documentation found at + http://www.mysql.com/doc/en/Fulltext_Fine-tuning.html. +- +- Note The ft_min_word_len parameter is only supported in MySQL v4 or higher. +- _________________________________________________________________ +- +-2.2.2.1.3. Permit attachments table to grow beyond 4GB +- +- By default, MySQL will limit the size of a table to 4GB. This limit is +- present even if the underlying filesystem has no such limit. To set a higher +- limit, follow these instructions. +- +- Run the MySQL command-line client and enter: +- mysql> ALTER TABLE attachments +- AVG_ROW_LENGTH=1000000, MAX_ROWS=20000; +- +- The above command will change the limit to 20GB. Mysql will have to make a +- temporary copy of your entire table to do this. Ideally, you should do this +- when your attachments table is still small. +- +- Note This does not affect Big Files, attachments that are stored directly on +- disk instead of in the database. + _________________________________________________________________ + +-2.2.2.1.4. Add a user to MySQL ++2.2.2.1.3. Add a user to MySQL + + You need to add a new MySQL user for Bugzilla to use. (It's not safe to have + Bugzilla use the MySQL root account.) 
The following instructions assume the +@@ -704,23 +677,34 @@ + the account to connect from "localhost". Modify it to reflect your setup if + you will be connecting from another machine or as a different user. + +- Run the mysql command-line client. +- +- If you are using MySQL 4.0 or newer, enter: ++ Run the mysql command-line client and enter: + mysql> GRANT SELECT, INSERT, + UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, + CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* + TO bugs@localhost IDENTIFIED BY '$db_pass'; + mysql> FLUSH PRIVILEGES; ++ _________________________________________________________________ + +- If you are using an older version of MySQL,the LOCK TABLES and CREATE +- TEMPORARY TABLES permissions will be unavailable and should be removed from +- the permissions list. In this case, the following command line can be used: +- mysql> GRANT SELECT, INSERT, +- UPDATE, DELETE, INDEX, ALTER, CREATE, DROP, +- REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY +- '$db_pass'; +- mysql> FLUSH PRIVILEGES; ++2.2.2.1.4. Permit attachments table to grow beyond 4GB ++ ++ By default, MySQL will limit the size of a table to 4GB. This limit is ++ present even if the underlying filesystem has no such limit. To set a higher ++ limit, follow these instructions. ++ ++ After you have completed the rest of the installation (or at least the ++ database setup parts), you should run the MySQL command-line client and ++ enter the following, replacing $bugs_db with your Bugzilla database name ++ (bugs by default): ++ mysql> use $bugs_db ++ mysql> ALTER TABLE attachments ++ AVG_ROW_LENGTH=1000000, MAX_ROWS=20000; ++ ++ The above command will change the limit to 20GB. Mysql will have to make a ++ temporary copy of your entire table to do this. Ideally, you should do this ++ when your attachments table is still small. ++ ++ Note This does not affect Big Files, attachments that are stored directly on ++ disk instead of in the database. 
+ _________________________________________________________________ + + 2.2.2.2. PostgreSQL +@@ -802,7 +786,8 @@ + section. (If it makes a difference in your choice, the Bugzilla Team + recommends Apache.) Regardless of which webserver you are using, however, + ensure that sensitive information is not remotely available by properly +- applying the access controls in Section 4.3.1. ++ applying the access controls in Section 4.3.1. You can run testserver.pl to ++ check if your web server serves Bugzilla files as expected. + _________________________________________________________________ + + 2.2.4.1. Apache httpd +@@ -1054,13 +1039,13 @@ + + Parameters required to use LDAP Authentication: + +- loginmethod ++ user_verify_class + This parameter should be set to "LDAP" only if you will be using an + LDAP directory for authentication. If you set this param to "LDAP" + but fail to set up the other parameters listed below you will not be + able to log back in to Bugzilla one you log out. If this happens to +- you, you will need to manually edit data/params and set loginmethod +- to "DB". ++ you, you will need to manually edit data/params and set ++ user_verify_class to "DB". + + LDAPserver + This parameter should be set to the name (and optionally the port) of +@@ -1116,7 +1101,41 @@ + AddType application/rdf+xml .rdf + _________________________________________________________________ + +-2.4. OS-Specific Installation Notes ++2.4. Multiple Bugzilla databases with a single installation ++ ++ The previous instructions refered to a standard installation, with one ++ unique Bugzilla database. However, you may want to host several distinct ++ installations, without having several copies of the code. This is possible ++ by using the PROJECT environment variable. When accessed, Bugzilla checks ++ for the existence of this variable, and if present, uses its value to check ++ for an alternative configuration file named localconfig. 
in the ++ same location as the default one (localconfig). It also checks for ++ customized templates in a directory named in the same location as ++ the default one (template/). By default this is ++ template/en/default so PROJECT's templates would be located at ++ template/en/PROJECT. ++ ++ To set up an alternate installation, just export PROJECT=foo before running ++ checksetup.pl for the first time. It will result in a file called ++ localconfig.foo instead of localconfig. Edit this file as described above, ++ with reference to a new database, and re-run checksetup.pl to populate it. ++ That's all. ++ ++ Now you have to configure the web server to pass this environment variable ++ when accessed via an alternate URL, such as virtual host for instance. The ++ following is an example of how you could do it in Apache, other Webservers ++ may differ. ++ ++ ServerName foo.bar.baz ++ SetEnv PROJECT foo ++ Alias /bugzilla /var/www/bugzilla ++ ++ ++ Don't forget to also export this variable before accessing Bugzilla by other ++ means, such as cron tasks for instance. ++ _________________________________________________________________ ++ ++2.5. OS-Specific Installation Notes + + Many aspects of the Bugzilla installation can be affected by the operating + system you choose to install it on. Sometimes it can be made easier and +@@ -1128,7 +1147,7 @@ + please file a bug in Bugzilla Documentation. + _________________________________________________________________ + +-2.4.1. Microsoft Windows ++2.5.1. Microsoft Windows + + Making Bugzilla work on Windows is more difficult than making it work on + Unix. For that reason, we still recommend doing so on a Unix based system +@@ -1136,7 +1155,7 @@ + Windows, you will need to make the following adjustments. + _________________________________________________________________ + +-2.4.1.1. Win32 Perl ++2.5.1.1. Win32 Perl + + Perl for Windows can be obtained from ActiveState. 
You should be able to + find a compiled binary at +@@ -1144,7 +1163,7 @@ + instructions assume that you are using version 5.8.1 of ActiveState. + _________________________________________________________________ + +-2.4.1.2. Perl Modules on Win32 ++2.5.1.2. Perl Modules on Win32 + + Bugzilla on Windows requires the same perl modules found in Section 2.1.5. + The main difference is that windows uses PPM instead of CPAN. +@@ -1167,13 +1186,13 @@ + documentation. + _________________________________________________________________ + +-2.4.1.3. Code changes required to run on Win32 ++2.5.1.3. Code changes required to run on Win32 + + Bugzilla on Win32 is supported out of the box from version 2.20; this means + that no code changes are required to get Bugzilla running. + _________________________________________________________________ + +-2.4.1.4. Serving the web pages ++2.5.1.4. Serving the web pages + + As is the case on Unix based systems, any web server should be able to + handle Bugzilla; however, the Bugzilla Team still recommends Apache whenever +@@ -1186,18 +1205,18 @@ + every script to contain your path to perl perl instead of /usr/bin/perl. + _________________________________________________________________ + +-2.4.1.5. Sending Email ++2.5.1.5. Sending Email + + To enable Bugzilla to send email on Windows, the server running the Bugzilla + code must be able to connect to, or act as, an SMTP server. + _________________________________________________________________ + +-2.4.2. Mac OS X ++2.5.2. Mac OS X + + Making Bugzilla work on Mac OS X requires the following adjustments. + _________________________________________________________________ + +-2.4.2.1. Sendmail ++2.5.2.1. Sendmail + + In Mac OS X 10.3 and later, Postfix is used as the built-in email server. + Postfix provides an executable that mimics sendmail enough to fool Bugzilla, +@@ -1210,7 +1229,7 @@ + parameter in Section 3.1. 
+ _________________________________________________________________ + +-2.4.2.2. Libraries & Perl Modules on Mac OS X ++2.5.2.2. Libraries & Perl Modules on Mac OS X + + Apple did not include the GD library with Mac OS X. Bugzilla needs this for + bug graphs. +@@ -1253,7 +1272,7 @@ + correctly with Bugzilla. + _________________________________________________________________ + +-2.4.3. Linux-Mandrake 8.0 ++2.5.3. Linux-Mandrake 8.0 + + Linux-Mandrake 8.0 includes every required and optional library for + Bugzilla. The easiest way to install them is by using the urpmi utility. If +@@ -1270,9 +1289,9 @@ + for Bugzilla email integration + _________________________________________________________________ + +-2.5. UNIX (non-root) Installation Notes ++2.6. UNIX (non-root) Installation Notes + +-2.5.1. Introduction ++2.6.1. Introduction + + If you are running a *NIX OS as non-root, either due to lack of access (web + hosts, for example) or for security reasons, this will detail how to install +@@ -1281,7 +1300,7 @@ + notes will reference to steps in that guide.) + _________________________________________________________________ + +-2.5.2. MySQL ++2.6.2. MySQL + + You may have MySQL installed as root. If you're setting up an account with a + web host, a MySQL account needs to be set up for you. From there, you can +@@ -1298,9 +1317,9 @@ + (for obvious reasons), so skip that step. + _________________________________________________________________ + +-2.5.2.1. Running MySQL as Non-Root ++2.6.2.1. Running MySQL as Non-Root + +-2.5.2.1.1. The Custom Configuration Method ++2.6.2.1.1. The Custom Configuration Method + + Create a file .my.cnf in your home directory (using /home/foo in this + example) as follows.... +@@ -1322,7 +1341,7 @@ + pid-file=/home/foo/mymysql/the.pid + _________________________________________________________________ + +-2.5.2.1.2. The Custom Built Method ++2.6.2.1.2. The Custom Built Method + + You can install MySQL as a not-root, if you really need to. 
Build it with + PREFIX set to /home/foo/mysql, or use pre-installed executables, specifying +@@ -1331,7 +1350,7 @@ + -P option to specify a TCP port that is not in use. + _________________________________________________________________ + +-2.5.2.1.3. Starting the Server ++2.6.2.1.3. Starting the Server + + After your mysqld program is built and any .my.cnf file is in place, you + must initialize the databases (ONCE). +@@ -1357,7 +1376,7 @@ + which you are a user! + _________________________________________________________________ + +-2.5.3. Perl ++2.6.3. Perl + + On the extremely rare chance that you don't have Perl on the machine, you + will have to build the sources yourself. The following commands should get +@@ -1378,7 +1397,7 @@ + on this page. + _________________________________________________________________ + +-2.5.4. Perl Modules ++2.6.4. Perl Modules + + Installing the Perl modules as a non-root user is probably the hardest part + of the process. There are two different methods: a completely independant +@@ -1388,7 +1407,7 @@ + space as the modules themselves, but takes more work to setup. + _________________________________________________________________ + +-2.5.4.1. The Independant Method ++2.6.4.1. The Independant Method + + The independant method requires that you install your own personal version + of Perl, as detailed in the previous section. Once installed, you can start +@@ -1406,7 +1425,7 @@ + you have any hang-ups, you can consult the next section. + _________________________________________________________________ + +-2.5.4.2. The Mixed Method ++2.6.4.2. The Mixed Method + + First, you'll need to configure CPAN to install modules in your home + directory. The CPAN FAQ says the following on this issue: +@@ -1472,7 +1491,7 @@ + install MIME::Parser + _________________________________________________________________ + +-2.5.5. HTTP Server ++2.6.5. 
HTTP Server + + Ideally, this also needs to be installed as root and run under a special + webserver account. As long as the web server will allow the running of *.cgi +@@ -1480,7 +1499,7 @@ + (such as a .htaccess file), you should be good in this department. + _________________________________________________________________ + +-2.5.5.1. Running Apache as Non-Root ++2.6.5.1. Running Apache as Non-Root + + You can run Apache as a non-root user, but the port will need to be set to + one above 1024. If you type httpd -V, you will get a list of the variables +@@ -1503,9 +1522,9 @@ + which you are a user! + _________________________________________________________________ + +-2.5.6. Bugzilla ++2.6.6. Bugzilla + +- If you had to install Perl modules as a non-root user (Section 2.5.4) or to ++ If you had to install Perl modules as a non-root user (Section 2.6.4) or to + non-standard directories, you will need to change the scripts, setting the + correct location of the Perl modules: + +@@ -2705,8 +2724,8 @@ + + Example 4-3. Disabling Networking in MySQL + +- Simply enter the following in /etc/my.conf: +-[myslqd] ++ Simply enter the following in /etc/my.cnf: ++[mysqld] + # Prevent network access to MySQL. + skip-networking + _________________________________________________________________ +@@ -3473,10 +3492,9 @@ + will be nice when the components table supports these same features, so you + could close a particular component for bug entry without having to close an + entire product... +- profiles: Ahh, so you were wondering where your precious user information w +- as +- stored? Here it is! With the passwords in plain text for all to see! (but +- sshh... don't tell your users!) ++ profiles: This table contains details for the current user accounts, ++ including the crypted hashes of the passwords used, the associated ++ login names, and the real name of the users. + profiles_activity: Need to know who did what when to who's profile? 
This'l + l + tell you, it's a pretty complete history. +@@ -5234,7 +5252,7 @@ + (perl, a webserver, an MTA, etc.) then installation of Bugzilla on a Windows + box should be no more difficult than on any other platform. As with any + installation, we recommend that you carefully and completely follow the +- installation instructions in Section 2.4.1. ++ installation instructions in Section 2.5.1. + + While doing so, don't forget to check out the very excellent guide to + Installing Bugzilla on Microsoft Windows written by Byron Jones. Thanks, +@@ -5393,8 +5411,8 @@ + + Try this link to view current bugs or requests for enhancement for Bugzilla. + +- You can view bugs marked for 2.22.1 release here. This list includes bugs +- for the 2.22.1 release that have already been fixed and checked into CVS. ++ You can view bugs marked for 2.22.2 release here. This list includes bugs ++ for the 2.22.2 release that have already been fixed and checked into CVS. + Please consult the Bugzilla Project Page for details on how to check current + sources out of CVS so you can have these bug fixes early! + +@@ -5418,9 +5436,9 @@ + indicate the text you are sending is a patch! + 3. Announce your patch and the associated URL + (http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXXX) for discussion in +- the newsgroup (netscape.public.mozilla.webtools). You'll get a really +- good, fairly immediate reaction to the implications of your patch, which +- will also give us an idea how well-received the change would be. ++ the newsgroup (mozilla.support.bugzilla). You'll get a really good, ++ fairly immediate reaction to the implications of your patch, which will ++ also give us an idea how well-received the change would be. + 4. If it passes muster with minimal modification, the person to whom the + bug is assigned in Bugzilla is responsible for seeing the patch is + checked into CVS. 
+@@ -5439,8 +5457,7 @@ + + If you can't get checksetup.pl to run to completion, it normally explains + what's wrong and how to fix it. If you can't work it out, or if it's being +- uncommunicative, post the errors in the netscape.public.mozilla.webtools +- newsgroup. ++ uncommunicative, post the errors in the mozilla.support.bugzilla newsgroup. + + If you have made it all the way through Section 2.1 (Installation) and + Section 2.2 (Configuration) but accessing the Bugzilla URL doesn't work, the +@@ -5487,20 +5504,7 @@ + is recommended that they be world readable. + _________________________________________________________________ + +-B.4. Bundle::Bugzilla makes me upgrade to Perl 5.6.1 +- +- Try executing perl -MCPAN -e 'install CPAN' and then continuing. +- +- Certain older versions of the CPAN toolset were somewhat naive about how to +- upgrade Perl modules. When a couple of modules got rolled into the core Perl +- distribution for 5.6.1, CPAN thought that the best way to get those modules +- up to date was to haul down the Perl distribution itself and build it. +- Needless to say, this has caused headaches for just about everybody. +- Upgrading to a newer version of CPAN with the commandline above should fix +- things. +- _________________________________________________________________ +- +-B.5. DBD::Sponge::db prepare failed ++B.4. DBD::Sponge::db prepare failed + + The following error message may appear due to a bug in DBD::mysql (over + which the Bugzilla team have no control): +@@ -5528,7 +5532,7 @@ + (note the S added to NAME.) + _________________________________________________________________ + +-B.6. cannot chdir(/var/spool/mqueue) ++B.5. cannot chdir(/var/spool/mqueue) + + If you are installing Bugzilla on SuSE Linux, or some other distributions + with "paranoid" security options, it is possible that the checksetup.pl +@@ -5541,7 +5545,7 @@ + /var/spool/mqueue directory. + _________________________________________________________________ + +-B.7. 
Your vendor has not defined Fcntl macro O_NOINHERIT ++B.6. Your vendor has not defined Fcntl macro O_NOINHERIT + + This is caused by a bug in the version of File::Temp that is distributed + with perl 5.6.0. Many minor variations of this error have been reported: +@@ -5577,7 +5581,7 @@ + }; + _________________________________________________________________ + +-B.8. Everybody is constantly being forced to relogin ++B.7. Everybody is constantly being forced to relogin + + The most-likely cause is that the "cookiepath" parameter is not set + correctly in the Bugzilla configuration. You can change this (if you're a +@@ -5631,7 +5635,7 @@ + browser (this is true starting with Bugzilla 2.18 and Bugzilla 2.16.5). + _________________________________________________________________ + +-B.9. Some users are constantly being forced to relogin ++B.8. Some users are constantly being forced to relogin + + First, make sure cookies are enabled in the user's browser. + +@@ -5653,7 +5657,7 @@ + logged in. + _________________________________________________________________ + +-B.10. index.cgi doesn't show up unless specified in the URL ++B.9. index.cgi doesn't show up unless specified in the URL + + You probably need to set up your web server in such a way that it will serve + the index.cgi page as an index page. +@@ -5662,7 +5666,7 @@ + the DirectoryIndex line as mentioned in Section 2.2.4.1. + _________________________________________________________________ + +-B.11. checksetup.pl reports "Client does not support authentication protocol ++B.10. checksetup.pl reports "Client does not support authentication protocol + requested by server..." 
+ + This error is occurring because you are using the new password encryption +@@ -5848,6 +5852,14 @@ + PPM Download Link: http://landfill.bugzilla.org/ppm/GD.ppd + Documentation: http://stein.cshl.org/WWW/software/GD/ + ++ Template::Plugin::GD: ++ ++ CPAN Download Page: http://search.cpan.org/dist/Template-GD/ ++ PPM Download Link: (Just install Template-Toolkit using the instruct ++ ions below) ++ Documentation: http://www.template-toolkit.org/docs/aqua/Modules/inde ++ x.html ++ + MIME::Base64: + + CPAN Download Page: http://search.cpan.org/dist/MIME-Base64/ +@@ -5885,11 +5897,13 @@ + PPM Download Page: http://landfill.bugzilla.org/ppm/GDTextUtil.ppd + Documentation: http://search.cpan.org/dist/GDTextUtil/Text/Align.pm + +- XML::Parser: ++ XML::Twig: + +- CPAN Download Page: http://search.cpan.org/dist/XML-Parser/ +- PPM Download Link: Part of core distribution. +- Documentation: http://www.perldoc.com/perl5.6.1/lib/XML/Parser.html ++ CPAN Download Page: http://search.cpan.org/dist/XML-Twig/ ++ PPM Download Link: http://ppm.activestate.com/PPMPackages/zips/8xx-b ++ uilds-only/Windows/XML-Twig-3.22.zip ++ Documentation: http://standards.ieee.org/resources/spasystem/twig/tw ++ ig_stable.html + + PatchReader: + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/about.xml bugzilla-2.22.1/docs/xml/about.xml +--- bugzilla-2.22/docs/xml/about.xml 2006-04-22 19:45:10.000000000 -0700 ++++ bugzilla-2.22.1/docs/xml/about.xml 2006-06-06 08:25:33.000000000 -0700 +@@ -1,6 +1,6 @@ + +- ++ + + + About This Guide +@@ -207,9 +207,10 @@ + + + Also, thanks are due to the members of the +- +- netscape.public.mozilla.webtools +- newsgroup. Without your discussions, insight, suggestions, and patches, ++ ++ mozilla.support.bugzilla ++ newsgroup (and its predecessor, netscape.public.mozilla.webtools). ++ Without your discussions, insight, suggestions, and patches, + this could never have happened. 
+ + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/Bugzilla-Guide.xml bugzilla-2.22.1/docs/xml/Bugzilla-Guide.xml +--- bugzilla-2.22/docs/xml/Bugzilla-Guide.xml 2006-04-22 19:45:10.000000000 -0700 ++++ bugzilla-2.22.1/docs/xml/Bugzilla-Guide.xml 2006-10-15 01:32:58.000000000 -0700 +@@ -31,9 +31,9 @@ + For a devel release, simple bump bz-ver and bz-date + --> + +- +- +- ++ ++ ++ + + + +@@ -46,7 +46,7 @@ + + + +- ++ + + + +@@ -66,7 +66,7 @@ + + + +- ++ + + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/customization.xml bugzilla-2.22.1/docs/xml/customization.xml +--- bugzilla-2.22/docs/xml/customization.xml 2006-03-05 09:15:13.000000000 -0800 ++++ bugzilla-2.22.1/docs/xml/customization.xml 2006-06-09 04:31:01.000000000 -0700 +@@ -1007,9 +1007,9 @@ + could close a particular component for bug entry without having to close an + entire product... + +-profiles: Ahh, so you were wondering where your precious user information was +-stored? Here it is! With the passwords in plain text for all to see! (but +-sshh... don't tell your users!) ++profiles: This table contains details for the current user accounts, ++including the crypted hashes of the passwords used, the associated ++login names, and the real name of the users. + + profiles_activity: Need to know who did what when to who's profile? This'll + tell you, it's a pretty complete history. +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/faq.xml bugzilla-2.22.1/docs/xml/faq.xml +--- bugzilla-2.22/docs/xml/faq.xml 2006-03-03 14:50:57.000000000 -0800 ++++ bugzilla-2.22.1/docs/xml/faq.xml 2006-06-06 08:25:33.000000000 -0700 +@@ -1573,7 +1573,7 @@ + Announce your patch and the associated URL + (http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXXX) + for discussion in the newsgroup +- (netscape.public.mozilla.webtools). You'll get a ++ (mozilla.support.bugzilla). 
You'll get a + really good, fairly immediate reaction to the + implications of your patch, which will also give us + an idea how well-received the change would be. +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/installation.xml bugzilla-2.22.1/docs/xml/installation.xml +--- bugzilla-2.22/docs/xml/installation.xml 2006-03-03 14:23:18.000000000 -0800 ++++ bugzilla-2.22.1/docs/xml/installation.xml 2006-08-14 08:56:11.000000000 -0700 +@@ -1,5 +1,5 @@ + +- ++ + + Installing Bugzilla + +@@ -410,8 +410,8 @@ + + + +- XML::Parser +- (&min-xml-parser-ver;) for the XML interface ++ XML::Twig ++ (&min-xml-twig-ver;) for the XML interface + + + +@@ -508,15 +508,13 @@ + + + +-
    +- XML::Parser (&min-xml-parser-ver;) ++
    ++ XML::Twig (&min-xml-twig-ver;) + +- The XML::Parser module is only required if you want to import ++ The XML::Twig module is only required if you want to import + XML bugs using the importxml.pl + script. This is required to use Bugzilla's "move bugs" feature; + you may also want to use it for migrating from another bug database. +- XML::Parser requires that the +- expat library is already installed on your machine. + +
    + +@@ -678,21 +676,11 @@ + to modify your /etc/my.cnf as below. + + +- +- If you are using MySQL 4.0 or newer, enter: +- + [mysqld] + # Allow packets up to 1M + max_allowed_packet=1M + + +- If you are using an older version of MySQL, enter: +- +- [mysqld] +- # Allow packets up to 1M +- set-variable = max_allowed_packet=1M +- +- + There is also a parameter in Bugzilla called 'maxattachmentsize' + (default = 1000 Kb) that controls the maximum allowable attachment + size. Attachments larger than either the +@@ -729,45 +717,6 @@ + Rebuilding the indexes can be done based on documentation found at + . + +- +- +- +- The ft_min_word_len parameter is only supported in MySQL v4 or higher. +- +- +-
    +- +-
    +- Permit attachments table to grow beyond 4GB +- +- +- By default, MySQL will limit the size of a table to 4GB. +- This limit is present even if the underlying filesystem +- has no such limit. To set a higher limit, follow these +- instructions. +- +- +- +- Run the MySQL command-line client and +- enter: +- +- +- mysql> ALTER TABLE attachments +- AVG_ROW_LENGTH=1000000, MAX_ROWS=20000; +- +- +- +- The above command will change the limit to 20GB. Mysql will have +- to make a temporary copy of your entire table to do this. Ideally, +- you should do this when your attachments table is still small. +- +- +- +- +- This does not affect Big Files, attachments that are stored directly +- on disk instead of in the database. +- +- +
    + +
    +@@ -795,11 +744,7 @@ + + + +- Run the mysql command-line client. +- +- +- +- If you are using MySQL 4.0 or newer, enter: ++ Run the mysql command-line client and enter: + + + mysql> GRANT SELECT, INSERT, +@@ -808,21 +753,44 @@ + TO bugs@localhost IDENTIFIED BY '$db_pass'; + mysql> FLUSH PRIVILEGES; + ++
    ++ ++
    ++ Permit attachments table to grow beyond 4GB ++ ++ ++ By default, MySQL will limit the size of a table to 4GB. ++ This limit is present even if the underlying filesystem ++ has no such limit. To set a higher limit, follow these ++ instructions. ++ ++ + +- If you are using an older version of MySQL,the +- LOCK TABLES and +- CREATE TEMPORARY TABLES +- permissions will be unavailable and should be removed from +- the permissions list. In this case, the following command +- line can be used: ++ After you have completed the rest of the installation (or at least the ++ database setup parts), you should run the MySQL ++ command-line client and enter the following, replacing $bugs_db ++ with your Bugzilla database name (bugs by default): + + +- mysql> GRANT SELECT, INSERT, +- UPDATE, DELETE, INDEX, ALTER, CREATE, DROP, +- REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY +- '$db_pass'; +- mysql> FLUSH PRIVILEGES; +-
    ++ ++ mysql> use $bugs_db ++ mysql> ALTER TABLE attachments ++ AVG_ROW_LENGTH=1000000, MAX_ROWS=20000; ++ ++ ++ ++ The above command will change the limit to 20GB. Mysql will have ++ to make a temporary copy of your entire table to do this. Ideally, ++ you should do this when your attachments table is still small. ++ ++ ++ ++ ++ This does not affect Big Files, attachments that are stored directly ++ on disk instead of in the database. ++ ++ ++ + + +
    +@@ -937,7 +905,9 @@ + the Bugzilla Team recommends Apache.) Regardless of which webserver + you are using, however, ensure that sensitive information is + not remotely available by properly applying the access controls in +- . ++ . You can run ++ testserver.pl to check if your web server serves ++ Bugzilla files as expected. + + +
    +@@ -1400,12 +1370,12 @@ + 201069. + + +- ++ + Parameters required to use LDAP Authentication: + + +- +- loginmethod ++ ++ user_verify_class + + This parameter should be set to LDAP + only if you will be using an LDAP directory +@@ -1413,7 +1383,7 @@ + fail to set up the other parameters listed below you will not be + able to log back in to Bugzilla one you log out. If this happens + to you, you will need to manually edit +- data/params and set loginmethod to ++ data/params and set user_verify_class to + DB. + + +@@ -1507,6 +1477,46 @@ +
    +
    + ++
    ++ Multiple Bugzilla databases with a single installation ++ ++ The previous instructions refered to a standard installation, with ++ one unique Bugzilla database. However, you may want to host several ++ distinct installations, without having several copies of the code. This is ++ possible by using the PROJECT environment variable. When accessed, ++ Bugzilla checks for the existence of this variable, and if present, uses ++ its value to check for an alternative configuration file named ++ localconfig.<PROJECT> in the same location as ++ the default one (localconfig). It also checks for ++ customized templates in a directory named ++ <PROJECT> in the same location as the ++ default one (template/<langcode>). By default ++ this is template/en/default so PROJECT's templates ++ would be located at template/en/PROJECT. ++ ++ To set up an alternate installation, just export PROJECT=foo before ++ running checksetup.pl for the first time. It will ++ result in a file called localconfig.foo instead of ++ localconfig. Edit this file as described above, with ++ reference to a new database, and re-run checksetup.pl ++ to populate it. That's all. ++ ++ Now you have to configure the web server to pass this environment ++ variable when accessed via an alternate URL, such as virtual host for ++ instance. The following is an example of how you could do it in Apache, ++ other Webservers may differ. ++ ++<VirtualHost 212.85.153.228:80> ++ ServerName foo.bar.baz ++ SetEnv PROJECT foo ++ Alias /bugzilla /var/www/bugzilla ++</VirtualHost> ++ ++ ++ ++ Don't forget to also export this variable before accessing Bugzilla ++ by other means, such as cron tasks for instance. ++
    + +
    + OS-Specific Installation Notes +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/modules.xml bugzilla-2.22.1/docs/xml/modules.xml +--- bugzilla-2.22/docs/xml/modules.xml 2005-12-30 07:39:01.000000000 -0800 ++++ bugzilla-2.22.1/docs/xml/modules.xml 2006-07-24 23:21:28.000000000 -0700 +@@ -149,6 +149,16 @@ + + + ++ Template::Plugin::GD: ++ ++ CPAN Download Page: ++ PPM Download Link: (Just install Template-Toolkit using the instructions below) ++ ++ Documentation: ++ ++ ++ ++ + MIME::Base64: + + CPAN Download Page: +@@ -199,11 +209,11 @@ + + + +- XML::Parser: ++ XML::Twig: + +- CPAN Download Page: +- PPM Download Link: Part of core distribution. +- Documentation: ++ CPAN Download Page: ++ PPM Download Link: ++ Documentation: + + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/security.xml bugzilla-2.22.1/docs/xml/security.xml +--- bugzilla-2.22/docs/xml/security.xml 2006-03-01 05:04:36.000000000 -0800 ++++ bugzilla-2.22.1/docs/xml/security.xml 2006-05-16 12:00:45.000000000 -0700 +@@ -1,5 +1,5 @@ + +- ++ + + + Bugzilla Security +@@ -147,9 +147,9 @@ + + Disabling Networking in MySQL + +- Simply enter the following in /etc/my.conf: ++ Simply enter the following in /etc/my.cnf: + +-[myslqd] ++[mysqld] + # Prevent network access to MySQL. + skip-networking + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/troubleshooting.xml bugzilla-2.22.1/docs/xml/troubleshooting.xml +--- bugzilla-2.22/docs/xml/troubleshooting.xml 2005-09-08 13:57:44.000000000 -0700 ++++ bugzilla-2.22.1/docs/xml/troubleshooting.xml 2006-06-07 13:10:30.000000000 -0700 +@@ -1,5 +1,5 @@ + +- ++ + + + Troubleshooting +@@ -15,7 +15,7 @@ + completion, it normally explains what's wrong and how to fix it. + If you can't work it out, or if it's being uncommunicative, post + the errors in the +- netscape.public.mozilla.webtools ++ mozilla.support.bugzilla + newsgroup. + + +@@ -82,24 +82,6 @@ + + +
    +- +-
    +- Bundle::Bugzilla makes me upgrade to Perl 5.6.1 +- +- Try executing perl -MCPAN -e 'install CPAN' +- and then continuing. +- +- +- Certain older versions of the CPAN toolset were somewhat naive about +- how to upgrade Perl modules. When a couple of modules got rolled into the +- core Perl distribution for 5.6.1, CPAN thought that the best way to get +- those modules up to date was to haul down the Perl distribution itself and +- build it. Needless to say, this has caused headaches for just about +- everybody. Upgrading to a newer version of CPAN with the +- commandline above should fix things. +- +-
    +- + +
    + DBD::Sponge::db prepare failed +@@ -274,7 +256,7 @@ + +
    + +-
    ++
    + Some users are constantly being forced to relogin + + First, make sure cookies are enabled in the user's browser. +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/duplicates.cgi bugzilla-2.22.1/duplicates.cgi +--- bugzilla-2.22/duplicates.cgi 2005-11-13 09:50:47.000000000 -0800 ++++ bugzilla-2.22.1/duplicates.cgi 2006-06-19 05:16:05.000000000 -0700 +@@ -104,7 +104,7 @@ + my $today = days_ago(0); + my $yesterday = days_ago(1); + +-# We don't know the exact file name, because the extention depends on the ++# We don't know the exact file name, because the extension depends on the + # underlying dbm library, which could be anything. We can't glob, because + # perl < 5.6 considers if (<*>) { ... } to be tainted + # Instead, just check the return value for today's data and yesterday's, +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editclassifications.cgi bugzilla-2.22.1/editclassifications.cgi +--- bugzilla-2.22/editclassifications.cgi 2005-10-13 16:42:32.000000000 -0700 ++++ bugzilla-2.22.1/editclassifications.cgi 2006-10-14 15:05:54.000000000 -0700 +@@ -29,6 +29,7 @@ + use Bugzilla::Error; + use Bugzilla::Config qw($datadir); + use Bugzilla::Classification; ++use Bugzilla::Token; + + require "globals.pl"; + +@@ -68,7 +69,8 @@ + # + my $action = trim($cgi->param('action') || ''); + my $class_name = trim($cgi->param('classification') || ''); +- ++my $token = $cgi->param('token'); ++ + # + # action='' -> Show nice list of classifications + # +@@ -88,6 +90,7 @@ + # + + if ($action eq 'add') { ++ $vars->{'token'} = issue_session_token('add_classification'); + LoadTemplate($action); + } + +@@ -96,7 +99,7 @@ + # + + if ($action eq 'new') { +- ++ check_token_data($token, 'add_classification'); + $class_name || ThrowUserError("classification_not_specified"); + + my $classification = +@@ -119,7 +122,7 @@ + unlink "$datadir/versioncache"; + + $vars->{'classification'} = $class_name; +- ++ delete_token($token); + LoadTemplate($action); + } + +@@ -143,7 
+146,7 @@ + } + + $vars->{'classification'} = $classification; +- ++ $vars->{'token'} = issue_session_token('delete_classification'); + LoadTemplate($action); + } + +@@ -152,7 +155,7 @@ + # + + if ($action eq 'delete') { +- ++ check_token_data($token, 'delete_classification'); + my $classification = + Bugzilla::Classification::check_classification($class_name); + +@@ -176,7 +179,7 @@ + unlink "$datadir/versioncache"; + + $vars->{'classification'} = $classification; +- ++ delete_token($token); + LoadTemplate($action); + } + +@@ -192,7 +195,7 @@ + Bugzilla::Classification::check_classification($class_name); + + $vars->{'classification'} = $classification; +- ++ $vars->{'token'} = issue_session_token('edit_classification'); + LoadTemplate($action); + } + +@@ -201,7 +204,7 @@ + # + + if ($action eq 'update') { +- ++ check_token_data($token, 'edit_classification'); + $class_name || ThrowUserError("classification_not_specified"); + + my $class_old_name = trim($cgi->param('classificationold') || ''); +@@ -240,7 +243,7 @@ + } + + $dbh->bz_unlock_tables(); +- ++ delete_token($token); + LoadTemplate($action); + } + +@@ -257,26 +260,30 @@ + WHERE name = ?"); + + if (defined $cgi->param('add_products')) { ++ check_token_data($token, 'reclassify_classifications'); + if (defined $cgi->param('prodlist')) { + foreach my $prod ($cgi->param("prodlist")) { + trick_taint($prod); + $sth->execute($classification->id, $prod); + } + } ++ delete_token($token); + } elsif (defined $cgi->param('remove_products')) { ++ check_token_data($token, 'reclassify_classifications'); + if (defined $cgi->param('myprodlist')) { + foreach my $prod ($cgi->param("myprodlist")) { + trick_taint($prod); + $sth->execute(1,$prod); + } + } ++ delete_token($token); + } + + my @classifications = + Bugzilla::Classification::get_all_classifications; + $vars->{'classifications'} = \@classifications; + $vars->{'classification'} = $classification; +- ++ $vars->{'token'} = 
issue_session_token('reclassify_classifications'); + LoadTemplate($action); + } + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editcomponents.cgi bugzilla-2.22.1/editcomponents.cgi +--- bugzilla-2.22/editcomponents.cgi 2006-01-06 06:38:35.000000000 -0800 ++++ bugzilla-2.22.1/editcomponents.cgi 2006-10-14 15:05:54.000000000 -0700 +@@ -39,6 +39,7 @@ + use Bugzilla::Product; + use Bugzilla::Component; + use Bugzilla::Bug; ++use Bugzilla::Token; + + my $cgi = Bugzilla->cgi; + my $dbh = Bugzilla->dbh; +@@ -66,6 +67,7 @@ + my $comp_name = trim($cgi->param('component') || ''); + my $action = trim($cgi->param('action') || ''); + my $showbugcounts = (defined $cgi->param('showbugcounts')); ++my $token = $cgi->param('token'); + + # + # product = '' -> Show nice list of products +@@ -111,7 +113,7 @@ + # + + if ($action eq 'add') { +- ++ $vars->{'token'} = issue_session_token('add_component'); + $vars->{'product'} = $product->name; + $template->process("admin/components/create.html.tmpl", $vars) + || ThrowTemplateError($template->error()); +@@ -126,7 +128,7 @@ + # + + if ($action eq 'new') { +- ++ check_token_data($token, 'add_component'); + # Do the user matching + Bugzilla::User::match_field ($cgi, { + 'initialowner' => { 'type' => 'single' }, +@@ -213,6 +215,7 @@ + + $vars->{'name'} = $comp_name; + $vars->{'product'} = $product->name; ++ delete_token($token); + $template->process("admin/components/created.html.tmpl", + $vars) + || ThrowTemplateError($template->error()); +@@ -229,7 +232,7 @@ + # + + if ($action eq 'del') { +- ++ $vars->{'token'} = issue_session_token('delete_component'); + $vars->{'comp'} = + Bugzilla::Component::check_component($product, $comp_name); + +@@ -248,7 +251,7 @@ + # + + if ($action eq 'delete') { +- ++ check_token_data($token, 'delete_component'); + my $component = + Bugzilla::Component::check_component($product, $comp_name); + +@@ -282,6 +285,7 @@ + + $vars->{'name'} = $component->name; + $vars->{'product'} = $product->name; ++ 
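Review bot: In the `del` action of editcomponents.cgi the `delete_component` token is issued before `Bugzilla::Component::check_component` has looked the component up. If that lookup throws for an unknown name (its body is not visible here), the request still stores a token that no form will ever submit. editclassifications.cgi issues its delete token only after the classification has been resolved. Moving `$vars->{'token'} = issue_session_token('delete_component');` below the `$vars->{'comp'} = ...` assignment would match it, and the `edit` action hunk (`@@ -296,7 +300,7 @@`) has the same ordering.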
delete_token($token); + $template->process("admin/components/deleted.html.tmpl", $vars) + || ThrowTemplateError($template->error()); + exit; +@@ -296,7 +300,7 @@ + # + + if ($action eq 'edit') { +- ++ $vars->{'token'} = issue_session_token('edit_component'); + $vars->{'comp'} = + Bugzilla::Component::check_component($product, $comp_name); + +@@ -316,7 +320,7 @@ + # + + if ($action eq 'update') { +- ++ check_token_data($token, 'edit_component'); + # Do the user matching + Bugzilla::User::match_field ($cgi, { + 'initialowner' => { 'type' => 'single' }, +@@ -405,6 +409,7 @@ + + $vars->{'name'} = $comp_name; + $vars->{'product'} = $product->name; ++ delete_token($token); + $template->process("admin/components/updated.html.tmpl", + $vars) + || ThrowTemplateError($template->error()); +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editflagtypes.cgi bugzilla-2.22.1/editflagtypes.cgi +--- bugzilla-2.22/editflagtypes.cgi 2006-01-11 05:16:39.000000000 -0800 ++++ bugzilla-2.22.1/editflagtypes.cgi 2006-10-14 15:05:54.000000000 -0700 +@@ -38,6 +38,7 @@ + use Bugzilla::FlagType; + use Bugzilla::Group; + use Bugzilla::Util; ++use Bugzilla::Token; + + my $template = Bugzilla->template; + my $vars = {}; +@@ -66,11 +67,12 @@ + + # Determine whether to use the action specified by the user or the default. 
+ my $action = $cgi->param('action') || 'list'; ++my $token = $cgi->param('token'); + my @categoryActions; + + if (@categoryActions = grep(/^categoryAction-.+/, $cgi->param())) { + $categoryActions[0] =~ s/^categoryAction-//; +- processCategoryChange($categoryActions[0]); ++ processCategoryChange($categoryActions[0], $token); + exit; + } + +@@ -78,11 +80,11 @@ + elsif ($action eq 'enter') { edit(); } + elsif ($action eq 'copy') { edit(); } + elsif ($action eq 'edit') { edit(); } +-elsif ($action eq 'insert') { insert(); } +-elsif ($action eq 'update') { update(); } ++elsif ($action eq 'insert') { insert($token); } ++elsif ($action eq 'update') { update($token); } + elsif ($action eq 'confirmdelete') { confirmDelete(); } +-elsif ($action eq 'delete') { deleteType(); } +-elsif ($action eq 'deactivate') { deactivate(); } ++elsif ($action eq 'delete') { deleteType($token); } ++elsif ($action eq 'deactivate') { deactivate($token); } + else { + ThrowCodeError("action_unrecognized", { action => $action }); + } +@@ -128,9 +130,11 @@ + $vars->{'last_action'} = $cgi->param('action'); + if ($cgi->param('action') eq 'enter' || $cgi->param('action') eq 'copy') { + $vars->{'action'} = "insert"; ++ $vars->{'token'} = issue_session_token('add_flagtype'); + } + else { + $vars->{'action'} = "update"; ++ $vars->{'token'} = issue_session_token('edit_flagtype'); + } + + # If copying or editing an existing flag type, retrieve it. +@@ -168,7 +172,7 @@ + } + + sub processCategoryChange { +- my $categoryAction = shift; ++ my ($categoryAction, $token) = @_; + validateIsActive(); + validateIsRequestable(); + validateIsRequesteeble(); +@@ -218,7 +222,8 @@ + $type->{'inclusions'} = \%inclusions; + $type->{'exclusions'} = \%exclusions; + $vars->{'type'} = $type; +- ++ $vars->{'token'} = $token; ++ + # Return the appropriate HTTP response headers. 
+ print $cgi->header(); + +@@ -243,6 +248,8 @@ + } + + sub insert { ++ my $token = shift; ++ check_token_data($token, 'add_flagtype'); + my $name = validateName(); + my $description = validateDescription(); + my $cc_list = validateCCList(); +@@ -285,6 +292,7 @@ + + $vars->{'name'} = $cgi->param('name'); + $vars->{'message'} = "flag_type_created"; ++ delete_token($token); + + # Return the appropriate HTTP response headers. + print $cgi->header(); +@@ -296,6 +304,8 @@ + + + sub update { ++ my $token = shift; ++ check_token_data($token, 'edit_flagtype'); + my $id = validateID(); + my $name = validateName(); + my $description = validateDescription(); +@@ -368,6 +378,7 @@ + + $vars->{'name'} = $cgi->param('name'); + $vars->{'message'} = "flag_type_changes_saved"; ++ delete_token($token); + + # Return the appropriate HTTP response headers. + print $cgi->header(); +@@ -390,7 +401,7 @@ + if ($count > 0) { + $vars->{'flag_type'} = Bugzilla::FlagType::get($id); + $vars->{'flag_count'} = scalar($count); +- ++ $vars->{'token'} = issue_session_token('delete_flagtype'); + # Return the appropriate HTTP response headers. + print $cgi->header(); + +@@ -399,12 +410,15 @@ + || ThrowTemplateError($template->error()); + } + else { +- deleteType(); ++ my $token = issue_session_token('delete_flagtype'); ++ deleteType($token); + } + } + + + sub deleteType { ++ my $token = shift; ++ check_token_data($token, 'delete_flagtype'); + my $id = validateID(); + my $dbh = Bugzilla->dbh; + +@@ -423,6 +437,7 @@ + $dbh->bz_unlock_tables(); + + $vars->{'message'} = "flag_type_deleted"; ++ delete_token($token); + + # Return the appropriate HTTP response headers. 
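Review bot: `processCategoryChange` copies the request's `token` parameter into `$vars->{'token'}` without checking it, so the re-rendered edit form echoes a caller-supplied string. That is harmless only if the template HTML-filters the value, and the template is not part of this hunk. A comment at the assignment would record the assumption, e.g. `# Unvalidated here; insert()/update() check it, and the template must html-filter it.` The function body starts and ends outside this hunk.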
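Review bot: The `else` branch of `confirmDelete` issues its own `delete_flagtype` token and passes it straight to `deleteType()`, so the `check_token_data` call added to `deleteType` can never fail on that path. When no flags of the type exist, the deletion therefore runs on a `confirmdelete` request that carried no token, and that action is dispatched as plain `confirmDelete()`. This leaves the state change outside the protection the rest of the patch adds. Passing the caller's value instead, `deleteType(scalar $cgi->param('token'));`, or always rendering the confirmation page, would close the gap; how `check_token_data` treats a missing token is not visible here. `confirmDelete` begins outside this hunk.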
+ print $cgi->header(); +@@ -434,6 +449,8 @@ + + + sub deactivate { ++ my $token = shift; ++ check_token_data($token, 'delete_flagtype'); + my $id = validateID(); + validateIsActive(); + +@@ -445,7 +462,8 @@ + + $vars->{'message'} = "flag_type_deactivated"; + $vars->{'flag_type'} = Bugzilla::FlagType::get($id); +- ++ delete_token($token); ++ + # Return the appropriate HTTP response headers. + print $cgi->header(); + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editgroups.cgi bugzilla-2.22.1/editgroups.cgi +--- bugzilla-2.22/editgroups.cgi 2006-01-22 12:10:08.000000000 -0800 ++++ bugzilla-2.22.1/editgroups.cgi 2006-10-14 15:05:54.000000000 -0700 +@@ -31,8 +31,10 @@ + + use Bugzilla; + use Bugzilla::Constants; ++use Bugzilla::Config qw(:DEFAULT :admin); + use Bugzilla::Group; + use Bugzilla::User; ++use Bugzilla::Token; + require "globals.pl"; + + my $cgi = Bugzilla->cgi; +@@ -50,6 +52,7 @@ + object => "groups"}); + + my $action = trim($cgi->param('action') || ''); ++my $token = $cgi->param('token'); + + # RederiveRegexp: update user_group_map with regexp-based grants + sub RederiveRegexp +@@ -249,6 +252,7 @@ + $vars->{'isactive'} = $isactive; + $vars->{'isbuggroup'} = $isbuggroup; + $vars->{'groups'} = \@groups; ++ $vars->{'token'} = issue_session_token('edit_group'); + + print $cgi->header(); + $template->process("admin/groups/edit.html.tmpl", $vars) +@@ -264,6 +268,7 @@ + # + + if ($action eq 'add') { ++ $vars->{'token'} = issue_session_token('add_group'); + print $cgi->header(); + $template->process("admin/groups/create.html.tmpl", $vars) + || ThrowTemplateError($template->error()); +@@ -278,6 +283,7 @@ + # + + if ($action eq 'new') { ++ check_token_data($token, 'add_group'); + # Check that a not already used group name is given, that + # a description is also given and check if the regular + # expression is valid (if any). 
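Review bot: `deactivate()` checks its token against the `delete_flagtype` name rather than a name of its own. That looks like a copy from `deleteType` unless the deactivate link is only offered on the delete-confirmation page, which this hunk does not show. If the sharing is intended, a comment would say so, e.g. `# Deactivation is offered from the delete confirmation page, so it reuses that page's token.` Otherwise a dedicated token name would stop a token issued for one action from authorising the other. The rest of `deactivate` is outside this hunk.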
+@@ -314,6 +320,7 @@ + undef, ($gid, CONTROLMAPSHOWN, CONTROLMAPNA)); + } + RederiveRegexp($regexp, $gid); ++ delete_token($token); + + print $cgi->header(); + $template->process("admin/groups/created.html.tmpl", $vars) +@@ -338,6 +345,17 @@ + if (!$isbuggroup) { + ThrowUserError("system_group_not_deletable", { name => $name }); + } ++ # Groups having a special role cannot be deleted. ++ my @special_groups; ++ foreach my $special_group ('chartgroup', 'insidergroup', 'timetrackinggroup') { ++ if ($name eq Param($special_group)) { ++ push(@special_groups, $special_group); ++ } ++ } ++ if (scalar(@special_groups)) { ++ ThrowUserError('group_has_special_role', {'name' => $name, ++ 'groups' => \@special_groups}); ++ } + + # Group inheritance no longer appears in user_group_map. + my $grouplist = join(',', @{Bugzilla::User->flatten_group_membership($gid)}); +@@ -368,6 +386,7 @@ + $vars->{'hasproduct'} = $hasproduct; + $vars->{'hasflags'} = $hasflags; + $vars->{'buglist'} = $buglist; ++ $vars->{'token'} = issue_session_token('delete_group'); + + print $cgi->header(); + $template->process("admin/groups/delete.html.tmpl", $vars) +@@ -381,6 +400,7 @@ + # + + if ($action eq 'delete') { ++ check_token_data($token, 'delete_group'); + # Check that an existing group ID is given + my $gid = CheckGroupID($cgi->param('group')); + my ($name, $isbuggroup) = +@@ -391,6 +411,17 @@ + if (!$isbuggroup) { + ThrowUserError("system_group_not_deletable", { name => $name }); + } ++ # Groups having a special role cannot be deleted. 
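Review bot: The special-role guard added in the `@@ -338,6 +345,17 @@` hunk (delete confirmation path) is repeated line for line in the `@@ -391,6 +411,17 @@` hunk, and the same three parameter names are listed again in the rename hunk at `@@ -598,6 +632,16 @@`. A guard whose list lives in three places can drift, and a parameter missing from one copy would let a group still named by that parameter be deleted or renamed without the parameter being updated. I would keep the names in one constant and move the check into a helper that both delete paths call, as sketched below; the rename loop can iterate over the same constant.
```perl
# Parameters whose value is a group name; a group named by any of them
# must not be deleted, and a rename has to update the parameter as well.
use constant SPECIAL_GROUP_PARAMS => qw(chartgroup insidergroup timetrackinggroup);

# Throws group_has_special_role if $name is the value of one of those parameters.
sub ThrowIfGroupHasSpecialRole {
    my ($name) = @_;
    my @special_groups = grep { $name eq Param($_) } SPECIAL_GROUP_PARAMS;
    if (scalar(@special_groups)) {
        ThrowUserError('group_has_special_role', {'name'   => $name,
                                                  'groups' => \@special_groups});
    }
}

# … unchanged: the !$isbuggroup check before each call site …
ThrowIfGroupHasSpecialRole($name);
```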
++ my @special_groups; ++ foreach my $special_group ('chartgroup', 'insidergroup', 'timetrackinggroup') { ++ if ($name eq Param($special_group)) { ++ push(@special_groups, $special_group); ++ } ++ } ++ if (scalar(@special_groups)) { ++ ThrowUserError('group_has_special_role', {'name' => $name, ++ 'groups' => \@special_groups}); ++ } + + my $cantdelete = 0; + +@@ -426,32 +457,33 @@ + $cantdelete = 1; + } + +- if (!$cantdelete) { +- $dbh->do('UPDATE flagtypes SET grant_group_id = ? +- WHERE grant_group_id = ?', +- undef, (undef, $gid)); +- $dbh->do('UPDATE flagtypes SET request_group_id = ? +- WHERE request_group_id = ?', +- undef, (undef, $gid)); +- $dbh->do('DELETE FROM user_group_map WHERE group_id = ?', +- undef, $gid); +- $dbh->do('DELETE FROM group_group_map +- WHERE grantor_id = ? OR member_id = ?', +- undef, ($gid, $gid)); +- $dbh->do('DELETE FROM bug_group_map WHERE group_id = ?', +- undef, $gid); +- $dbh->do('DELETE FROM group_control_map WHERE group_id = ?', +- undef, $gid); +- $dbh->do('DELETE FROM whine_schedules +- WHERE mailto_type = ? AND mailto = ?', +- undef, (MAILTO_GROUP, $gid)); +- $dbh->do('DELETE FROM groups WHERE id = ?', +- undef, $gid); +- } +- + $vars->{'gid'} = $gid; + $vars->{'name'} = $name; +- $vars->{'cantdelete'} = $cantdelete; ++ ++ ThrowUserError('group_cannot_delete', $vars) if $cantdelete; ++ ++ $dbh->do('UPDATE flagtypes SET grant_group_id = ? ++ WHERE grant_group_id = ?', ++ undef, (undef, $gid)); ++ $dbh->do('UPDATE flagtypes SET request_group_id = ? ++ WHERE request_group_id = ?', ++ undef, (undef, $gid)); ++ $dbh->do('DELETE FROM user_group_map WHERE group_id = ?', ++ undef, $gid); ++ $dbh->do('DELETE FROM group_group_map ++ WHERE grantor_id = ? OR member_id = ?', ++ undef, ($gid, $gid)); ++ $dbh->do('DELETE FROM bug_group_map WHERE group_id = ?', ++ undef, $gid); ++ $dbh->do('DELETE FROM group_control_map WHERE group_id = ?', ++ undef, $gid); ++ $dbh->do('DELETE FROM whine_schedules ++ WHERE mailto_type = ? 
AND mailto = ?', ++ undef, (MAILTO_GROUP, $gid)); ++ $dbh->do('DELETE FROM groups WHERE id = ?', ++ undef, $gid); ++ ++ delete_token($token); + + print $cgi->header(); + $template->process("admin/groups/deleted.html.tmpl", $vars) +@@ -465,7 +497,8 @@ + # + + if ($action eq 'postchanges') { +- # ZLL: Bug 181589: we need to have something to remove explictly listed users from ++ check_token_data($token, 'edit_group'); ++ # ZLL: Bug 181589: we need to have something to remove explicitly listed users from + # groups in order for the conversion to 2.18 groups to work + my $action; + +@@ -486,7 +519,8 @@ + if ($action == 2) { + $vars->{'regexp'} = $regexp; + } +- ++ delete_token($token); ++ + print $cgi->header(); + $template->process("admin/groups/change.html.tmpl", $vars) + || ThrowTemplateError($template->error()); +@@ -598,6 +632,16 @@ + $chgs = 1; + $dbh->do('UPDATE groups SET name = ? WHERE id = ?', + undef, ($name, $gid)); ++ # If the group is used by some parameters, we have to update ++ # these parameters too. 
++ my $update_params = 0; ++ foreach my $group ('chartgroup', 'insidergroup', 'timetrackinggroup') { ++ if ($cgi->param('oldname') eq Param($group)) { ++ SetParam($group, $name); ++ $update_params = 1; ++ } ++ } ++ WriteParams() if $update_params; + } + if ($desc ne $cgi->param('olddesc')) { + $chgs = 1; +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editkeywords.cgi bugzilla-2.22.1/editkeywords.cgi +--- bugzilla-2.22/editkeywords.cgi 2005-12-11 18:38:40.000000000 -0800 ++++ bugzilla-2.22.1/editkeywords.cgi 2006-10-14 15:05:54.000000000 -0700 +@@ -28,6 +28,7 @@ + use Bugzilla; + use Bugzilla::Constants; + use Bugzilla::Config qw(:DEFAULT $datadir); ++use Bugzilla::Token; + + my $cgi = Bugzilla->cgi; + my $dbh = Bugzilla->dbh; +@@ -76,6 +77,7 @@ + object => "keywords"}); + + my $action = trim($cgi->param('action') || ''); ++my $token = $cgi->param('token'); + $vars->{'action'} = $action; + + +@@ -101,6 +103,7 @@ + + + if ($action eq 'add') { ++ $vars->{'token'} = issue_session_token('add_keyword'); + print $cgi->header(); + + $template->process("admin/keywords/create.html.tmpl", $vars) +@@ -114,7 +117,8 @@ + # + + if ($action eq 'new') { +- # Cleanups and valididy checks ++ check_token_data($token, 'add_keyword'); ++ # Cleanups and validity checks + + my $name = trim($cgi->param('name') || ''); + my $description = trim($cgi->param('description') || ''); +@@ -154,6 +158,7 @@ + + # Make versioncache flush + unlink "$datadir/versioncache"; ++ delete_token($token); + + print $cgi->header(); + +@@ -193,6 +198,7 @@ + $vars->{'name'} = $name; + $vars->{'description'} = $description; + $vars->{'bug_count'} = $bugs; ++ $vars->{'token'} = issue_session_token('edit_keyword'); + + print $cgi->header(); + +@@ -208,6 +214,7 @@ + # + + if ($action eq 'update') { ++ check_token_data($token, 'edit_keyword'); + my $id = ValidateKeyID(scalar $cgi->param('id')); + + my $name = trim($cgi->param('name') || ''); +@@ -228,6 +235,7 @@ + + # Make versioncache flush + unlink 
"$datadir/versioncache"; ++ delete_token($token); + + print $cgi->header(); + +@@ -250,10 +258,14 @@ + WHERE keywordid = ?', + undef, $id); + ++ # We need this token even if there is no bug using this keyword. ++ $token = issue_session_token('delete_keyword'); ++ + if ($bugs) { + $vars->{'bug_count'} = $bugs; + $vars->{'keyword_id'} = $id; + $vars->{'name'} = $name; ++ $vars->{'token'} = $token; + + print $cgi->header(); + +@@ -263,12 +275,15 @@ + exit; + } + } ++ # We cannot do this check earlier as we have to check 'reallydelete' first. ++ check_token_data($token, 'delete_keyword'); + + $dbh->do('DELETE FROM keywords WHERE keywordid = ?', undef, $id); + $dbh->do('DELETE FROM keyworddefs WHERE id = ?', undef, $id); + + # Make versioncache flush + unlink "$datadir/versioncache"; ++ delete_token($token); + + print $cgi->header(); + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editmilestones.cgi bugzilla-2.22.1/editmilestones.cgi +--- bugzilla-2.22/editmilestones.cgi 2006-01-06 06:38:35.000000000 -0800 ++++ bugzilla-2.22.1/editmilestones.cgi 2006-10-14 15:05:54.000000000 -0700 +@@ -12,7 +12,7 @@ + # Matt Masson + # + # Contributors : Gavin Shelley +-# Frdric Buclin ++# Frédéric Buclin + # + + +@@ -26,6 +26,7 @@ + use Bugzilla::Product; + use Bugzilla::Milestone; + use Bugzilla::Bug; ++use Bugzilla::Token; + + my $cgi = Bugzilla->cgi; + my $dbh = Bugzilla->dbh; +@@ -54,6 +55,7 @@ + my $sortkey = trim($cgi->param('sortkey') || 0); + my $action = trim($cgi->param('action') || ''); + my $showbugcounts = (defined $cgi->param('showbugcounts')); ++my $token = $cgi->param('token'); + + # + # product = '' -> Show nice list of products +@@ -103,7 +105,7 @@ + # + + if ($action eq 'add') { +- ++ $vars->{'token'} = issue_session_token('add_milestone'); + $vars->{'product'} = $product->name; + $template->process("admin/milestones/create.html.tmpl", + $vars) +@@ -119,7 +121,7 @@ + # + + if ($action eq 'new') { +- ++ check_token_data($token, 'add_milestone'); + 
$milestone_name || ThrowUserError('milestone_blank_name'); + + if (length($milestone_name) > 20) { +@@ -147,6 +149,7 @@ + + # Make versioncache flush + unlink "$datadir/versioncache"; ++ delete_token($token); + + $vars->{'name'} = $milestone_name; + $vars->{'product'} = $product->name; +@@ -179,6 +182,7 @@ + } + + $vars->{'bug_count'} = $milestone->bug_count; ++ $vars->{'token'} = issue_session_token('delete_milestone'); + + $template->process("admin/milestones/confirm-delete.html.tmpl", $vars) + || ThrowTemplateError($template->error()); +@@ -192,7 +196,7 @@ + # + + if ($action eq 'delete') { +- ++ check_token_data($token, 'delete_milestone'); + my $milestone = + Bugzilla::Milestone::check_milestone($product, + $milestone_name); +@@ -233,6 +237,7 @@ + undef, ($product->id, $milestone->name)); + + unlink "$datadir/versioncache"; ++ delete_token($token); + + $template->process("admin/milestones/deleted.html.tmpl", $vars) + || ThrowTemplateError($template->error()); +@@ -256,6 +261,7 @@ + $vars->{'sortkey'} = $milestone->sortkey; + $vars->{'name'} = $milestone->name; + $vars->{'product'} = $product->name; ++ $vars->{'token'} = issue_session_token('edit_milestone'); + + $template->process("admin/milestones/edit.html.tmpl", + $vars) +@@ -271,7 +277,7 @@ + # + + if ($action eq 'update') { +- ++ check_token_data($token, 'edit_milestone'); + my $milestone_old_name = trim($cgi->param('milestoneold') || ''); + my $milestone_old = + Bugzilla::Milestone::check_milestone($product, +@@ -350,6 +356,7 @@ + } + + $dbh->bz_unlock_tables(); ++ delete_token($token); + + $vars->{'name'} = $milestone_name; + $vars->{'product'} = $product->name; +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editparams.cgi bugzilla-2.22.1/editparams.cgi +--- bugzilla-2.22/editparams.cgi 2006-03-06 14:16:24.000000000 -0800 ++++ bugzilla-2.22.1/editparams.cgi 2006-10-14 15:05:54.000000000 -0700 +@@ -28,6 +28,7 @@ + use Bugzilla::Constants; + use Bugzilla::Config qw(:DEFAULT :admin :params 
$datadir); + use Bugzilla::Config::Common; ++use Bugzilla::Token; + + require "globals.pl"; + use vars qw(@parampanels); +@@ -45,6 +46,7 @@ + object => "parameters"}); + + my $action = trim($cgi->param('action') || ''); ++my $token = $cgi->param('token'); + my $current_panel = $cgi->param('section') || 'core'; + $current_panel =~ /^([A-Za-z0-9_-]+)$/; + $current_panel = $1; +@@ -69,6 +71,7 @@ + $vars->{panels} = \@panels; + + if ($action eq 'save' && $current_module) { ++ check_token_data($token, 'edit_parameters'); + my @changes = (); + my @module_param_list = "Bugzilla::Config::${current_module}"->get_param_list(); + +@@ -129,7 +132,10 @@ + + WriteParams(); + unlink "$datadir/versioncache"; ++ delete_token($token); + } + ++$vars->{'token'} = issue_session_token('edit_parameters'); ++ + $template->process("admin/params/editparams.html.tmpl", $vars) + || ThrowTemplateError($template->error()); +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editproducts.cgi bugzilla-2.22.1/editproducts.cgi +--- bugzilla-2.22/editproducts.cgi 2006-02-28 14:09:46.000000000 -0800 ++++ bugzilla-2.22.1/editproducts.cgi 2006-10-14 15:05:54.000000000 -0700 +@@ -41,6 +41,7 @@ + use Bugzilla::Product; + use Bugzilla::Classification; + use Bugzilla::Milestone; ++use Bugzilla::Token; + + # Shut up misguided -w warnings about "used only once". "use vars" just + # doesn't work for me. 
+@@ -72,6 +73,7 @@ + my $product_name = trim($cgi->param('product') || ''); + my $action = trim($cgi->param('action') || ''); + my $showbugcounts = (defined $cgi->param('showbugcounts')); ++my $token = $cgi->param('token'); + + # + # product = '' -> Show nice list of classifications (if +@@ -132,6 +134,8 @@ + Bugzilla::Classification::check_classification($classification_name); + $vars->{'classification'} = $classification; + } ++ $vars->{'token'} = issue_session_token('add_product'); ++ + $template->process("admin/products/create.html.tmpl", $vars) + || ThrowTemplateError($template->error()); + +@@ -144,7 +148,7 @@ + # + + if ($action eq 'new') { +- ++ check_token_data($token, 'add_product'); + # Cleanups and validity checks + + my $classification_id = 1; +@@ -245,7 +249,7 @@ + + my $gid = $dbh->bz_last_key('groups', 'id'); + +- # If we created a new group, give the "admin" group priviledges ++ # If we created a new group, give the "admin" group privileges + # initially. + my $admin = GroupNameToId('admin'); + +@@ -307,6 +311,7 @@ + } + # Make versioncache flush + unlink "$datadir/versioncache"; ++ delete_token($token); + + $vars->{'product'} = $product; + +@@ -341,6 +346,7 @@ + } + + $vars->{'product'} = $product; ++ $vars->{'token'} = issue_session_token('delete_product'); + + $template->process("admin/products/confirm-delete.html.tmpl", $vars) + || ThrowTemplateError($template->error()); +@@ -352,6 +358,7 @@ + # + + if ($action eq 'delete') { ++ check_token_data($token, 'delete_product'); + # First make sure the product name is valid. 
+ my $product = Bugzilla::Product::check_product($product_name); + +@@ -414,6 +421,7 @@ + $dbh->bz_unlock_tables(); + + unlink "$datadir/versioncache"; ++ delete_token($token); + + $template->process("admin/products/deleted.html.tmpl", $vars) + || ThrowTemplateError($template->error()); +@@ -469,9 +477,9 @@ + } + } + $vars->{'group_controls'} = $group_controls; +- + $vars->{'product'} = $product; +- ++ $vars->{'token'} = issue_session_token('edit_product'); ++ + $template->process("admin/products/edit.html.tmpl", $vars) + || ThrowTemplateError($template->error()); + +@@ -483,6 +491,7 @@ + # + + if ($action eq 'updategroupcontrols') { ++ check_token_data($token, 'edit_group_controls'); + # First make sure the product name is valid. + my $product = Bugzilla::Product::check_product($product_name); + +@@ -724,10 +733,10 @@ + } + $dbh->bz_unlock_tables(); + +- $vars->{'removed_na'} = \@removed_na; ++ delete_token($token); + ++ $vars->{'removed_na'} = \@removed_na; + $vars->{'added_mandatory'} = \@added_mandatory; +- + $vars->{'product'} = $product; + + $template->process("admin/products/groupcontrol/updated.html.tmpl", $vars) +@@ -739,7 +748,7 @@ + # action='update' -> update the product + # + if ($action eq 'update') { +- ++ check_token_data($token, 'edit_product'); + my $product_old_name = trim($cgi->param('product_old_name') || ''); + my $description = trim($cgi->param('description') || ''); + my $disallownew = trim($cgi->param('disallownew') || ''); +@@ -974,8 +983,9 @@ + } + + $vars->{'confirmedbugs'} = \@updated_bugs; +- $vars->{'changer'} = $whoid; ++ $vars->{'changer'} = $user->login; + } ++ delete_token($token); + + $vars->{'old_product'} = $product_old; + $vars->{'product'} = $product; +@@ -1018,6 +1028,7 @@ + + $vars->{'product'} = $product; + $vars->{'groups'} = $groups; ++ $vars->{'token'} = issue_session_token('edit_group_controls'); + + $vars->{'const'} = { + 'CONTROLMAPNA' => CONTROLMAPNA, +diff -urN --exclude=CVS --exclude='*.pdf' 
bugzilla-2.22/editsettings.cgi bugzilla-2.22.1/editsettings.cgi +--- bugzilla-2.22/editsettings.cgi 2005-10-24 16:11:55.000000000 -0700 ++++ bugzilla-2.22.1/editsettings.cgi 2006-10-14 15:05:54.000000000 -0700 +@@ -22,6 +22,7 @@ + use Bugzilla; + use Bugzilla::Constants; + use Bugzilla::User::Setting; ++use Bugzilla::Token; + + require "globals.pl"; + +@@ -79,9 +80,12 @@ + object => "settings"}); + + my $action = trim($cgi->param('action') || 'load'); ++my $token = $cgi->param('token'); + + if ($action eq 'update') { ++ check_token_data($token, 'edit_settings'); + SaveSettings(); ++ delete_token($token); + $vars->{'changes_saved'} = 1; + + $template->process("admin/settings/updated.html.tmpl", $vars) +@@ -92,6 +96,7 @@ + + if ($action eq 'load') { + LoadSettings(); ++ $vars->{'token'} = issue_session_token('edit_settings'); + + $template->process("admin/settings/edit.html.tmpl", $vars) + || ThrowTemplateError($template->error()); +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editusers.cgi bugzilla-2.22.1/editusers.cgi +--- bugzilla-2.22/editusers.cgi 2006-01-03 00:40:45.000000000 -0800 ++++ bugzilla-2.22.1/editusers.cgi 2006-10-14 15:05:54.000000000 -0700 +@@ -31,6 +31,7 @@ + use Bugzilla::Util; + use Bugzilla::Field; + use Bugzilla::Group; ++use Bugzilla::Token; + + my $user = Bugzilla->login(LOGIN_REQUIRED); + +@@ -55,6 +56,7 @@ + my $action = $cgi->param('action') || 'search'; + my $otherUserID = $cgi->param('userid'); + my $otherUserLogin = $cgi->param('user'); ++my $token = $cgi->param('token'); + + # Prefill template vars with data used in all or nearly all templates + $vars->{'editusers'} = $editusers; +@@ -168,6 +170,8 @@ + action => "add", + object => "users"}); + ++ $vars->{'token'} = issue_session_token('add_user'); ++ + $template->process('admin/users/create.html.tmpl', $vars) + || ThrowTemplateError($template->error()); + +@@ -177,6 +181,7 @@ + action => "add", + object => "users"}); + ++ check_token_data($token, 'add_user'); + my $login = 
$cgi->param('login'); + my $password = $cgi->param('password'); + my $realname = trim($cgi->param('name') || ''); +@@ -212,6 +217,10 @@ + $dbh->bz_unlock_tables(); + userDataToVars($new_user_id); + ++ delete_token($token); ++ ++ # We already display the updated page. We have to recreate a token now. ++ $vars->{'token'} = issue_session_token('edit_user'); + $vars->{'message'} = 'account_created'; + $template->process('admin/users/edit.html.tmpl', $vars) + || ThrowTemplateError($template->error()); +@@ -223,6 +232,7 @@ + + ########################################################################### + } elsif ($action eq 'update') { ++ check_token_data($token, 'edit_user'); + my $otherUser = check_user($otherUserID, $otherUserLogin); + $otherUserID = $otherUser->id; + +@@ -403,6 +413,7 @@ + + # XXX: userDataToVars may be off when editing ourselves. + userDataToVars($otherUserID); ++ delete_token($token); + + $vars->{'message'} = 'account_updated'; + $vars->{'loginold'} = $loginold; +@@ -411,6 +422,9 @@ + $vars->{'groups_removed_from'} = \@groupsRemovedFrom; + $vars->{'groups_granted_rights_to_bless'} = \@groupsGrantedRightsToBless; + $vars->{'groups_denied_rights_to_bless'} = \@groupsDeniedRightsToBless; ++ # We already display the updated page. We have to recreate a token now. ++ $vars->{'token'} = issue_session_token('edit_user'); ++ + $template->process('admin/users/edit.html.tmpl', $vars) + || ThrowTemplateError($template->error()); + +@@ -484,12 +498,14 @@ + AND mailto_type = ? 
+ }, + undef, ($otherUserID, MAILTO_USER)); ++ $vars->{'token'} = issue_session_token('delete_user'); + + $template->process('admin/users/confirm-delete.html.tmpl', $vars) + || ThrowTemplateError($template->error()); + + ########################################################################### + } elsif ($action eq 'delete') { ++ check_token_data($token, 'delete_user'); + my $otherUser = check_user($otherUserID, $otherUserLogin); + $otherUserID = $otherUser->id; + +@@ -703,6 +719,7 @@ + $dbh->do('DELETE FROM profiles WHERE userid = ?', undef, $otherUserID); + + $dbh->bz_unlock_tables(); ++ delete_token($token); + + $vars->{'message'} = 'account_deleted'; + $vars->{'otheruser'}{'login'} = $otherUser->login; +@@ -826,6 +843,7 @@ + object => "user"}); + + userDataToVars($otherUser->id); ++ $vars->{'token'} = issue_session_token('edit_user'); + + $template->process('admin/users/edit.html.tmpl', $vars) + || ThrowTemplateError($template->error()); +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editvalues.cgi bugzilla-2.22.1/editvalues.cgi +--- bugzilla-2.22/editvalues.cgi 2005-10-23 17:44:10.000000000 -0700 ++++ bugzilla-2.22.1/editvalues.cgi 2006-10-14 15:05:55.000000000 -0700 +@@ -27,6 +27,7 @@ + use Bugzilla::Error; + use Bugzilla::Constants; + use Bugzilla::Config qw(:DEFAULT :admin :locations); ++use Bugzilla::Token; + + # List of different tables that contain the changeable field values + # (the old "enums.") Keep them in alphabetical order by their +@@ -107,7 +108,7 @@ + exists Bugzilla->user->groups->{'editcomponents'} || + ThrowUserError('auth_failure', {group => "editcomponents", + action => "edit", +- object => "field values"}); ++ object => "field_values"}); + + # + # often-used variables +@@ -116,6 +117,7 @@ + my $value = trim($cgi->param('value') || ''); + my $sortkey = trim($cgi->param('sortkey') || '0'); + my $action = trim($cgi->param('action') || ''); ++my $token = $cgi->param('token'); + + # Gives the name of the parameter associated with 
the field + # and representing its default value. +@@ -175,6 +177,8 @@ + + $vars->{'value'} = $value; + $vars->{'field'} = $field; ++ $vars->{'token'} = issue_session_token('add_field_value'); ++ + $template->process("admin/fieldvalues/create.html.tmpl", + $vars) + || ThrowTemplateError($template->error()); +@@ -187,6 +191,7 @@ + # action='new' -> add field value entered in the 'action=add' screen + # + if ($action eq 'new') { ++ check_token_data($token, 'add_field_value'); + FieldMustExist($field); + trick_taint($field); + +@@ -218,6 +223,7 @@ + $sth->execute($value, $sortkey); + + unlink "$datadir/versioncache"; ++ delete_token($token); + + $vars->{'value'} = $value; + $vars->{'field'} = $field; +@@ -248,6 +254,8 @@ + $vars->{'value'} = $value; + $vars->{'field'} = $field; + $vars->{'param_name'} = $defaults{$field}; ++ $vars->{'token'} = issue_session_token('delete_field_value'); ++ + $template->process("admin/fieldvalues/confirm-delete.html.tmpl", + $vars) + || ThrowTemplateError($template->error()); +@@ -260,6 +268,7 @@ + # action='delete' -> really delete the field value + # + if ($action eq 'delete') { ++ check_token_data($token, 'delete_field_value'); + ValueMustExist($field, $value); + if ($value eq Param($defaults{$field})) { + ThrowUserError('fieldvalue_is_default', {field => $field, +@@ -288,6 +297,7 @@ + $dbh->bz_unlock_tables(); + + unlink "$datadir/versioncache"; ++ delete_token($token); + + $vars->{'value'} = $value; + $vars->{'field'} = $field; +@@ -312,6 +322,7 @@ + + $vars->{'value'} = $value; + $vars->{'field'} = $field; ++ $vars->{'token'} = issue_session_token('edit_field_value'); + + $template->process("admin/fieldvalues/edit.html.tmpl", + $vars) +@@ -325,6 +336,7 @@ + # action='update' -> update the field value + # + if ($action eq 'update') { ++ check_token_data($token, 'edit_field_value'); + my $valueold = trim($cgi->param('valueold') || ''); + my $sortkeyold = trim($cgi->param('sortkeyold') || '0'); + +@@ -396,6 +408,7 @@ + unlink 
"$datadir/versioncache"; + $vars->{'default_value_updated'} = 1; + } ++ delete_token($token); + + $vars->{'value'} = $value; + $vars->{'field'} = $field; +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editversions.cgi bugzilla-2.22.1/editversions.cgi +--- bugzilla-2.22/editversions.cgi 2005-12-29 14:55:59.000000000 -0800 ++++ bugzilla-2.22.1/editversions.cgi 2006-10-14 15:05:55.000000000 -0700 +@@ -21,7 +21,7 @@ + # Contributor(s): Holger Schurig + # Terry Weissman + # Gavin Shelley +-# Frdric Buclin ++# Frédéric Buclin + # + # + # Direct any questions on this source code to +@@ -37,6 +37,7 @@ + use Bugzilla::Config qw(:DEFAULT $datadir); + use Bugzilla::Product; + use Bugzilla::Version; ++use Bugzilla::Token; + + my $cgi = Bugzilla->cgi; + my $dbh = Bugzilla->dbh; +@@ -63,6 +64,7 @@ + my $version_name = trim($cgi->param('version') || ''); + my $action = trim($cgi->param('action') || ''); + my $showbugcounts = (defined $cgi->param('showbugcounts')); ++my $token = $cgi->param('token'); + + # + # product = '' -> Show nice list of products +@@ -110,7 +112,7 @@ + # + + if ($action eq 'add') { +- ++ $vars->{'token'} = issue_session_token('add_version'); + $vars->{'product'} = $product->name; + $template->process("admin/versions/create.html.tmpl", + $vars) +@@ -126,8 +128,8 @@ + # + + if ($action eq 'new') { +- +- # Cleanups and valididy checks ++ check_token_data($token, 'add_version'); ++ # Cleanups and validity checks + $version_name || ThrowUserError('version_blank_name'); + + # Remove unprintable characters +@@ -147,6 +149,7 @@ + + # Make versioncache flush + unlink "$datadir/versioncache"; ++ delete_token($token); + + $vars->{'name'} = $version_name; + $vars->{'product'} = $product->name; +@@ -175,6 +178,8 @@ + $vars->{'bug_count'} = $bugs; + $vars->{'name'} = $version->name; + $vars->{'product'} = $product->name; ++ $vars->{'token'} = issue_session_token('delete_version'); ++ + $template->process("admin/versions/confirm-delete.html.tmpl", + $vars) + || 
ThrowTemplateError($template->error()); +@@ -189,7 +194,7 @@ + # + + if ($action eq 'delete') { +- ++ check_token_data($token, 'delete_version'); + my $version = Bugzilla::Version::check_version($product, + $version_name); + +@@ -204,6 +209,7 @@ + undef, ($product->id, $version->name)); + + unlink "$datadir/versioncache"; ++ delete_token($token); + + $vars->{'name'} = $version->name; + $vars->{'product'} = $product->name; +@@ -228,6 +234,7 @@ + + $vars->{'name'} = $version->name; + $vars->{'product'} = $product->name; ++ $vars->{'token'} = issue_session_token('edit_version'); + + $template->process("admin/versions/edit.html.tmpl", + $vars) +@@ -243,7 +250,7 @@ + # + + if ($action eq 'update') { +- ++ check_token_data($token, 'edit_version'); + $version_name || ThrowUserError('version_not_specified'); + + # Remove unprintable characters +@@ -288,7 +295,8 @@ + $vars->{'updated_name'} = 1; + } + +- $dbh->bz_unlock_tables(); ++ $dbh->bz_unlock_tables(); ++ delete_token($token); + + $vars->{'name'} = $version_name; + $vars->{'product'} = $product->name; +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editwhines.cgi bugzilla-2.22.1/editwhines.cgi +--- bugzilla-2.22/editwhines.cgi 2006-02-02 11:04:03.000000000 -0800 ++++ bugzilla-2.22.1/editwhines.cgi 2006-10-14 15:05:55.000000000 -0700 +@@ -33,6 +33,8 @@ + use Bugzilla::Constants; + use Bugzilla::User; + use Bugzilla::Group; ++use Bugzilla::Token; ++ + # require the user to have logged in + my $user = Bugzilla->login(LOGIN_REQUIRED); + +@@ -46,7 +48,7 @@ + my $dbh = Bugzilla->dbh; + + my $userid = $user->id; +- ++my $token = $cgi->param('token'); + my $sth; # database statement handle + + # $events is a hash ref, keyed by event id, that stores the active user's +@@ -83,6 +85,7 @@ + # removed, then what was altered. + + if ($cgi->param('update')) { ++ check_token_data($token, 'edit_whine'); + if ($cgi->param("add_event")) { + # we create a new event + $sth = $dbh->prepare("INSERT INTO whine_events " . 
+@@ -346,6 +349,7 @@ + } + } + } ++ delete_token($token); + } + + $vars->{'mail_others'} = $can_mail_others; +@@ -433,6 +437,7 @@ + while (my ($query) = $sth->fetchrow_array) { + push @{$vars->{'available_queries'}}, $query; + } ++$vars->{'token'} = issue_session_token('edit_whine'); + + $template->process("whine/schedule.html.tmpl", $vars) + || ThrowTemplateError($template->error()); +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/enter_bug.cgi bugzilla-2.22.1/enter_bug.cgi +--- bugzilla-2.22/enter_bug.cgi 2006-01-05 06:54:52.000000000 -0800 ++++ bugzilla-2.22.1/enter_bug.cgi 2006-08-21 12:26:06.000000000 -0700 +@@ -198,10 +198,11 @@ + /\(.*PPC.*\)/ && do {@platform = "Macintosh"; last;}; + /\(.*AIX.*\)/ && do {@platform = "Macintosh"; last;}; + #Intel x86 ++ /\(.*Intel.*\)/ && do {@platform = "PC"; last;}; + /\(.*[ix0-9]86.*\)/ && do {@platform = "PC"; last;}; + #Versions of Windows that only run on Intel x86 +- /\(.*Win(?:dows )[39M].*\)/ && do {@platform = "PC"; last}; +- /\(.*Win(?:dows )16.*\)/ && do {@platform = "PC"; last;}; ++ /\(.*Win(?:dows |)[39M].*\)/ && do {@platform = "PC"; last}; ++ /\(.*Win(?:dows |)16.*\)/ && do {@platform = "PC"; last;}; + #Sparc + /\(.*sparc.*\)/ && do {@platform = "Sun"; last;}; + /\(.*sun4.*\)/ && do {@platform = "Sun"; last;}; +@@ -274,11 +275,11 @@ + /\(.*Windows 2000.*\)/ && do {@os = "Windows 2000"; last;}; + /\(.*Windows NT 5.*\)/ && do {@os = "Windows 2000"; last;}; + /\(.*Win.*9[8x].*4\.9.*\)/ && do {@os = "Windows ME"; last;}; +- /\(.*Win(?:dows )M[Ee].*\)/ && do {@os = "Windows ME"; last;}; +- /\(.*Win(?:dows )98.*\)/ && do {@os = "Windows 98"; last;}; +- /\(.*Win(?:dows )95.*\)/ && do {@os = "Windows 95"; last;}; +- /\(.*Win(?:dows )16.*\)/ && do {@os = "Windows 3.1"; last;}; +- /\(.*Win(?:dows[ -])NT.*\)/ && do {@os = "Windows NT"; last;}; ++ /\(.*Win(?:dows |)M[Ee].*\)/ && do {@os = "Windows ME"; last;}; ++ /\(.*Win(?:dows |)98.*\)/ && do {@os = "Windows 98"; last;}; ++ /\(.*Win(?:dows |)95.*\)/ && do {@os 
= "Windows 95"; last;}; ++ /\(.*Win(?:dows |)16.*\)/ && do {@os = "Windows 3.1"; last;}; ++ /\(.*Win(?:dows[ -]|)NT.*\)/ && do {@os = "Windows NT"; last;}; + /\(.*Windows.*NT.*\)/ && do {@os = "Windows NT"; last;}; + /\(.*32bit.*\)/ && do {@os = "Windows 95"; last;}; + /\(.*16bit.*\)/ && do {@os = "Windows 3.1"; last;}; +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/globals.pl bugzilla-2.22.1/globals.pl +--- bugzilla-2.22/globals.pl 2006-01-09 10:59:53.000000000 -0800 ++++ bugzilla-2.22.1/globals.pl 2006-10-14 13:30:53.000000000 -0700 +@@ -401,6 +401,8 @@ + } elsif ((defined $matchpassword) && ($password ne $matchpassword)) { + ThrowUserError("passwords_dont_match"); + } ++ # Having done these checks makes us consider the password untainted. ++ trick_taint($_[0]); + } + + sub DBID_to_name { +@@ -493,7 +495,7 @@ + # bug refs out, so we have to do replacements. + # mailto can't contain space or #, so we don't have to bother for that + # Do this by escaping \0 to \1\0, and replacing matches with \0\0$count\0\0 +- # \0 is used because its unliklely to occur in the text, so the cost of ++ # \0 is used because its unlikely to occur in the text, so the cost of + # doing this should be very small + # Also, \0 won't appear in the value_quote'd bug title, so we don't have + # to worry about bogus substitutions from there +@@ -506,7 +508,7 @@ + # In particular, attachment matches go before bug titles, so that titles + # with 'attachment 1' don't double match. 
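Review bot: `trick_taint($_[0])` in the `@@ -401,6 +403,8 @@` hunk of globals.pl untaints the caller's own variable through the `@_` alias, and the only check visible in the hunk is the comparison with `$matchpassword`; the earlier branches are outside it. The untaint is therefore justified by how the password is used afterwards, not by any restriction on its content, and the added comment should state this. I would word it as `# Untaints the caller's variable via the @_ alias. The checks above do not restrict content, so the value must only be hashed or bound as a placeholder, never interpolated.`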
+ # Dupe checks go afterwards, because that uses ^ and \Z, which won't occur +- # if it was subsituted as a bug title (since that always involve leading ++ # if it was substituted as a bug title (since that always involve leading + # and trailing text) + + # Because of entities, its easier (and quicker) to do this before escaping +@@ -516,7 +518,8 @@ + my $tmp; + + # non-mailto protocols +- my $protocol_re = qr/(afs|cid|ftp|gopher|http|https|irc|mid|news|nntp|prospero|telnet|view-source|wais)/i; ++ my $safe_protocols = join('|', SAFE_PROTOCOLS); ++ my $protocol_re = qr/($safe_protocols)/i; + + $text =~ s~\b(${protocol_re}: # The protocol: + [^\s<>\"]+ # Any non-whitespace +@@ -623,12 +626,12 @@ + my ($title, $className) = @{$::attachlink{$attachid}}; + # $title will be undefined if the attachment didn't exist in the database. + if (defined $title) { +- $link_text =~ s/ \[edit\]$//; ++ $link_text =~ s/ \[details\]$//; + my $linkval = "attachment.cgi?id=$attachid&action="; + # Whitespace matters here because these links are in
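Review bot: In the `@@ -516,7 +518,8 @@` hunk the entries of `SAFE_PROTOCOLS` are joined into `$protocol_re` unescaped, so an entry containing a regex metacharacter would change what the pattern matches instead of being taken literally. The constant's definition is not in this hunk, so the current values may well be harmless, but the link filter should not depend on that. `my $safe_protocols = join('|', map { quotemeta($_) } SAFE_PROTOCOLS);` keeps the allow-list literal whatever is added to it later. The enclosing sub begins and ends outside the hunk.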
     tags.
    +         return qq||
    +                . qq|$link_text|
    +-               . qq| [edit]|
    ++               . qq| [details]|
    +                . qq||;
    +     }
    +     else {
    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/importxml.pl bugzilla-2.22.1/importxml.pl
    +--- bugzilla-2.22/importxml.pl	2006-04-19 15:27:08.000000000 -0700
    ++++ bugzilla-2.22.1/importxml.pl	2006-07-13 12:06:15.000000000 -0700
    +@@ -100,11 +100,13 @@
    + 
    + my $debug = 0;
    + my $mail  = '';
    ++my $attach_path = '';
    + my $help  = 0;
    + 
    + my $result = GetOptions(
    +     "verbose|debug+" => \$debug,
    +     "mail|sendmail!" => \$mail,
    ++    "attach_path=s"  => \$attach_path,
    +     "help|?"         => \$help
    + );
    + 
    +@@ -377,7 +379,7 @@
    + # This subroutine is called once for each attachment in the xml file.
    + # It is called as soon as the closing  tag is parsed.
    + # Since attachments have the potential to be very large, and
    +-# since each attachement will be inside .. tags we shove
    ++# since each attachment will be inside .. tags we shove
    + # the attachment onto an array which will be processed by process_bug
    + # and then disposed of. The attachment array will then contain only
    + # one bugs' attachments at a time.
    +@@ -401,14 +403,24 @@
    +     $attachment{'isprivate'}  = $attach->{'att'}->{'isprivate'} || 0;
    +     $attachment{'filename'}   = $attach->field('filename') || "file";
    +     # Attachment data is not exported in versions 2.20 and older.
    +-    if (defined $attach->first_child('data')
    +-        && defined $attach->first_child('data')->{'att'}->{'encoding'}
    +-        && $attach->first_child('data')->{'att'}->{'encoding'} =~ /base64/ )
    +-    {
    +-        # decode the base64
    +-        my $data   = $attach->field('data');
    +-        my $output = decode_base64($data);
    +-        $attachment{'data'} = $output;
    ++    if (defined $attach->first_child('data') &&
    ++            defined $attach->first_child('data')->{'att'}->{'encoding'}) {
    ++        my $encoding = $attach->first_child('data')->{'att'}->{'encoding'};
    ++        if ($encoding =~ /base64/) {
    ++            # decode the base64
    ++            my $data   = $attach->field('data');
    ++            my $output = decode_base64($data);
    ++            $attachment{'data'} = $output;
    ++        }
    ++        elsif ($encoding =~ /filename/) {
    ++            # read the attachment file
    ++            Error("attach_path is required", undef) unless ($attach_path);
    ++            my $attach_filename = $attach_path . "/" . $attach->field('data');
    ++            open(ATTACH_FH, $attach_filename) or
    ++                Error("cannot open $attach_filename", undef);
    ++            $attachment{'data'} = do { local $/;  };
    ++            close ATTACH_FH;
    ++        }
    +     }
    +     else {
    +         $attachment{'data'} = $attach->field('data');
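Review bot: In the new `filename` branch the name read from the imported XML is appended to `$attach_path` unchecked and then handed to a two-argument `open` on a bareword handle. A `data` value with directory components can make the importer read a file outside the attachment directory into the bug, and the two-argument form also interprets mode characters at either end of the name. Whether `Error()` stops the script when `attach_path` is missing is not visible here, so the open may also run with an empty prefix. Accepting only a bare file name and using three-argument `open` with a lexical handle, as below, closes both; the read expression inside `do { local $/; }` appears to have lost its handle in this rendering.

```perl
        elsif ($encoding =~ /filename/) {
            # … unchanged: attach_path required check …
            my $attach_name = $attach->field('data');
            # Only a plain file name inside attach_path is accepted.
            Error("invalid attachment file name", undef)
                if $attach_name =~ m{[/\\]} || $attach_name =~ /\A\.\.?\z/;
            my $attach_filename = $attach_path . "/" . $attach_name;
            open(my $attach_fh, '<', $attach_filename) or
                Error("cannot open $attach_filename", undef);
            binmode $attach_fh;
            $attachment{'data'} = do { local $/; <$attach_fh> };
            close $attach_fh;
        }
```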
    +@@ -534,8 +546,8 @@
    +             $data = decode_base64($data);
    +         }
    + 
    +-        # If we leave the attachemnt ID in the comment it will be made a link
    +-        # to the wrong attachment. Since the new attachment ID is unkown yet
    ++        # If we leave the attachment ID in the comment it will be made a link
    ++        # to the wrong attachment. Since the new attachment ID is unknown yet
    +         # let's strip it out for now. We will make a comment with the right ID
    +         # later
    +         $data =~ s/Created an attachment \(id=\d+\)/Created an attachment/g;
    +@@ -1248,6 +1260,8 @@
    +        -v --verbose     print error and debug information. 
    +                         Mulltiple -v increases verbosity
    +        -m --sendmail    send mail to recipients with log of bugs imported
    ++       --attach_path    The path to the attachment files.
    ++                        (Required if encoding="filename" is used for attachments.)
    + 
    + =head1 OPTIONS
    + 
    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/post_bug.cgi bugzilla-2.22.1/post_bug.cgi
    +--- bugzilla-2.22/post_bug.cgi	2006-01-08 11:56:03.000000000 -0800
    ++++ bugzilla-2.22.1/post_bug.cgi	2006-07-04 02:51:56.000000000 -0700
    +@@ -171,19 +171,19 @@
    +     }
    + }
    + 
    +-if (UserInGroup("editbugs") || UserInGroup("canconfirm")) {
    +-    # Default to NEW if the user hasn't selected another status
    +-    if (!defined $cgi->param('bug_status')) {
    +-        $cgi->param(-name => 'bug_status', -value => "NEW");
    ++my $votes_to_confirm = $dbh->selectrow_array('SELECT votestoconfirm
    ++                                              FROM products WHERE id = ?',
    ++                                              undef, $product_id);
    ++my $bug_status = 'UNCONFIRMED';
    ++if ($votes_to_confirm) {
    ++    # Default to NEW if the user with privs hasn't selected another status.
    ++    if (UserInGroup('editbugs') || UserInGroup('canconfirm')) {
    ++        $bug_status = scalar($cgi->param('bug_status')) || 'NEW';
    +     }
    + } else {
    +-    # Default to UNCONFIRMED if we are using it, NEW otherwise
    +-    $cgi->param(-name => 'bug_status', -value => 'UNCONFIRMED');
    +-    SendSQL("SELECT votestoconfirm FROM products WHERE id = $product_id");
    +-    if (!FetchOneColumn()) {   
    +-        $cgi->param(-name => 'bug_status', -value => "NEW");
    +-    }
    ++    $bug_status = 'NEW';
    + }
    ++$cgi->param(-name => 'bug_status', -value => $bug_status);
    + 
    + if (!defined $cgi->param('target_milestone')) {
    +     SendSQL("SELECT defaultmilestone FROM products WHERE name=$sql_product");
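Review bot: For users in `editbugs` or `canconfirm`, `$bug_status = scalar($cgi->param('bug_status')) || 'NEW';` copies the submitted value into the status without comparing it with the statuses a new bug may start in. Any validation later in the script is outside this hunk, so this may already be covered; if it is, a comment such as `# bug_status is checked against the legal initial statuses further down` would record that. The new `votestoconfirm` lookup uses a placeholder, while the unchanged `defaultmilestone` query on the last line still interpolates `$sql_product`, whose quoting is not visible here.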
    +@@ -289,7 +289,7 @@
    +         foreach my $id (split(/[\s,]+/, $cgi->param($field))) {
    +             next unless $id;
    +             # $field is not passed to ValidateBugID to prevent adding new 
    +-            # dependencies on inacessible bugs.
    ++            # dependencies on inaccessible bugs.
    +             ValidateBugID($id);
    +             push(@validvalues, $id);
    +         }
    +@@ -438,7 +438,7 @@
    +     if (@keywordlist) {
    +         # Make sure that we have the correct case for the kw
    +         SendSQL("SELECT name FROM keyworddefs WHERE id IN ( " .
    +-                join(',', @keywordlist) . ")");
    ++                join(',', @keywordlist) . ") ORDER BY name");
    +         my @list;
    +         while (MoreSQLData()) {
    +             push (@list, FetchOneColumn());
    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/process_bug.cgi bugzilla-2.22.1/process_bug.cgi
    +--- bugzilla-2.22/process_bug.cgi	2006-02-07 14:25:23.000000000 -0800
    ++++ bugzilla-2.22.1/process_bug.cgi	2006-06-19 09:41:03.000000000 -0700
    +@@ -225,7 +225,7 @@
    +     }
    + }
    + 
    +-# Set up the vars for nagiavtional  elements
    ++# Set up the vars for navigational  elements
    + my @bug_list;
    + if ($cgi->cookie("BUGLIST") && defined $cgi->param('id')) {
    +     @bug_list = split(/:/, $cgi->cookie("BUGLIST"));
    +@@ -1789,8 +1789,7 @@
    +                     shift @oldlist;
    +                 } else {
    +                     if ($oldlist[0] != $newlist[0]) {
    +-                        $dbh->bz_unlock_tables(UNLOCK_ABORT);
    +-                        die "Error in list comparing code";
    ++                        ThrowCodeError('list_comparison_error');
    +                     }
    +                     shift @oldlist;
    +                     shift @newlist;
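Review bot: The explicit `$dbh->bz_unlock_tables(UNLOCK_ABORT)` before the failure is gone, and the new `ThrowCodeError('list_comparison_error')` line gives no hint of who releases the table locks now. If ThrowCodeError performs the unlock itself, which this hunk does not show, say so in a comment: `# ThrowCodeError releases the table locks before exiting.` Otherwise the unlock call should stay in front of it. The enclosing loop starts and ends outside the hunk.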
    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/relogin.cgi bugzilla-2.22.1/relogin.cgi
    +--- bugzilla-2.22/relogin.cgi	2006-04-06 15:21:00.000000000 -0700
    ++++ bugzilla-2.22.1/relogin.cgi	2006-10-14 15:05:55.000000000 -0700
    +@@ -62,7 +62,7 @@
    +     }
    + 
    +     # Keep a temporary record of the user visiting this page
    +-    $vars->{'token'} = Bugzilla::Token::IssueSessionToken('sudo_prepared');
    ++    $vars->{'token'} = issue_session_token('sudo_prepared');
    + 
    +     # Show the sudo page
    +     $vars->{'target_login_default'} = $cgi->param('target_login');
    +@@ -124,7 +124,7 @@
    +                        { target_login => scalar $cgi->param('target_login'),
    +                                reason => scalar $cgi->param('reason')});
    +     }
    +-    Bugzilla::Token::DeleteToken($cgi->param('token'));
    ++    delete_token($cgi->param('token'));
    + 
    +     # Get & verify the target user (the user who we will be impersonating)
    +     my $target_user = 
    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/reports.cgi bugzilla-2.22.1/reports.cgi
    +--- bugzilla-2.22/reports.cgi	2005-10-24 16:11:55.000000000 -0700
    ++++ bugzilla-2.22.1/reports.cgi	2006-06-03 12:53:59.000000000 -0700
    +@@ -233,7 +233,8 @@
    +     # and number
    + 
    +     if ($datasets !~ m/^[A-Za-z0-9:]+$/) {
    +-        die "Invalid datasets $datasets";
    ++        $vars->{'datasets'} = $datasets;
    ++        ThrowUserError('invalid_datasets', $vars);
    +     }
    + 
    +     # Since we pass the tests, consider it OK
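Review bot: The rejected `$datasets` value is now handed to the `invalid_datasets` error template through `$vars->{'datasets'}`, so the raw request string reaches page output. The template is not part of this hunk; it needs `[% datasets FILTER html %]`, and a comment here saying so would help the next reader. The check itself, on an unchanged line, uses `^…$`, which accepts a trailing newline before the value is considered OK; `m/\A[A-Za-z0-9:]+\z/` closes that.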
    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/request.cgi bugzilla-2.22.1/request.cgi
    +--- bugzilla-2.22/request.cgi	2006-03-08 13:40:34.000000000 -0800
    ++++ bugzilla-2.22.1/request.cgi	2006-10-14 14:07:19.000000000 -0700
    +@@ -73,11 +73,6 @@
    +     my $status = validateStatus($cgi->param('status'));
    +     my $form_group = validateGroup($cgi->param('group'));
    + 
    +-    my $attach_join_clause = "flags.attach_id = attachments.attach_id";
    +-    if (Param("insidergroup") && !UserInGroup(Param("insidergroup"))) {
    +-        $attach_join_clause .= " AND attachments.isprivate < 1";
    +-    }
    +-
    +     my $query = 
    +     # Select columns describing each flag, the bug/attachment on which
    +     # it has been set, who set it, and of whom they are requesting it.
    +@@ -98,7 +93,7 @@
    +     "
    +       FROM           flags 
    +            LEFT JOIN attachments
    +-                  ON ($attach_join_clause)
    ++                  ON flags.attach_id = attachments.attach_id
    +           INNER JOIN flagtypes
    +                   ON flags.type_id = flagtypes.id
    +           INNER JOIN profiles AS requesters
    +@@ -127,7 +122,13 @@
    +                  (bugs.assigned_to = $userid) " .
    +                  (Param('useqacontact') ? "OR
    +                  (bugs.qa_contact = $userid))" : ")");
    +-    
    ++
    ++    unless ($user->is_insider) {
    ++        $query .= " AND (attachments.attach_id IS NULL
    ++                         OR attachments.isprivate = 0
    ++                         OR attachments.submitter_id = $userid)";
    ++    }
    ++
    +     # Non-deleted flags only
    +     $query .= " AND flags.is_active = 1 ";
    +     
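Review bot: The private-attachment filter now lives in the WHERE clause as `attachments.attach_id IS NULL OR attachments.isprivate = 0 OR attachments.submitter_id = $userid`, and only the first arm keeps flags that have no attachment row in the result of the LEFT JOIN. That arm is easy to delete by mistake, so a comment such as `# attach_id IS NULL keeps flags set on the bug itself` belongs above the `unless ($user->is_insider)` block. `$userid` is interpolated as in the surrounding query; its origin is outside the hunk, and a placeholder would be the safer form if this query is ever converted to a prepared statement.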
    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/sanitycheck.cgi bugzilla-2.22.1/sanitycheck.cgi
    +--- bugzilla-2.22/sanitycheck.cgi	2006-01-16 02:29:18.000000000 -0800
    ++++ bugzilla-2.22.1/sanitycheck.cgi	2006-06-07 14:39:12.000000000 -0700
    +@@ -249,7 +249,7 @@
    + # Remove all references to deleted bugs
    + ###########################################################################
    + 
    +-if (defined $cgi->param('remove_invalid_references')) {
    ++if (defined $cgi->param('remove_invalid_bug_references')) {
    +     Status("OK, now removing all references to deleted bugs.");
    + 
    +     $dbh->bz_lock_tables('attachments WRITE', 'bug_group_map WRITE',
    +@@ -280,6 +280,30 @@
    +     Status("All references to deleted bugs have been removed.");
    + }
    + 
    ++###########################################################################
    ++# Remove all references to deleted attachments
    ++###########################################################################
    ++
    ++if (defined $cgi->param('remove_invalid_attach_references')) {
    ++    Status("OK, now removing all references to deleted attachments.");
    ++
    ++    $dbh->bz_lock_tables('attachments WRITE', 'attach_data WRITE');
    ++
    ++    my $attach_ids =
    ++        $dbh->selectcol_arrayref('SELECT attach_data.id
    ++                                    FROM attach_data
    ++                               LEFT JOIN attachments
    ++                                      ON attachments.attach_id = attach_data.id
    ++                                   WHERE attachments.attach_id IS NULL');
    ++
    ++    if (scalar(@$attach_ids)) {
    ++        $dbh->do('DELETE FROM attach_data WHERE id IN (' .
    ++                 join(',', @$attach_ids) . ')');
    ++    }
    ++
    ++    $dbh->bz_unlock_tables();
    ++    Status("All references to deleted attachments have been removed.");
    ++}
    + 
    + print "OK, now running sanity checks.

    \n"; + +@@ -345,7 +369,13 @@ + } + # References to non existent bugs can be safely removed, bug 288461 + if ($table eq 'bugs' && $has_bad_references) { +- print qq{Remove invalid references to non existent bugs.
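Review bot: The new block in the `@@ -280,6 +280,30 @@` hunk deletes rows from `attach_data` as soon as the `remove_invalid_attach_references` parameter is present, and the link printed by the following hunk triggers it with a plain request. Nothing in this hunk ties the request to the administrator's session, so whether a forged link could start the deletion depends on checks outside the hunk. A comment above `if (defined $cgi->param('remove_invalid_attach_references'))` naming the permission and token check that protect it would make this explicit; if there is none, the action should require a session token like the one this patch issues in relogin.cgi.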

    \n}; ++ print qq{ ++ Remove invalid references to non existent bugs.

    \n}; ++ } ++ # References to non existent attachments can be safely removed. ++ if ($table eq 'attachments' && $has_bad_references) { ++ print qq{ ++ Remove invalid references to non existent attachments.

    \n};
+ }
+ }
+ }
+@@ -450,6 +480,9 @@
+ ['whine_queries', 'eventid'],
+ ['whine_schedules', 'eventid']);
+
++CrossCheck('attachments', 'attach_id',
++ ['attach_data', 'id']);
++
+ ###########################################################################
+ # Perform double field referential (cross) checks
+ ###########################################################################
+diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/show_bug.cgi bugzilla-2.22.1/show_bug.cgi
+--- bugzilla-2.22/show_bug.cgi 2005-10-30 13:31:28.000000000 -0800
++++ bugzilla-2.22.1/show_bug.cgi 2006-10-14 14:45:51.000000000 -0700
+@@ -117,7 +117,7 @@
+ }
+
+ unless (UserInGroup(Param("timetrackinggroup"))) {
+- @fieldlist = grep($_ !~ /_time$/, @fieldlist);
++ @fieldlist = grep($_ !~ /(^deadline|_time)$/, @fieldlist);
+ }
+
+ foreach (@fieldlist) {
+diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/showdependencygraph.cgi bugzilla-2.22.1/showdependencygraph.cgi
+--- bugzilla-2.22/showdependencygraph.cgi 2006-02-07 01:22:25.000000000 -0800
++++ bugzilla-2.22.1/showdependencygraph.cgi 2006-10-14 14:28:41.000000000 -0700
+@@ -278,7 +278,9 @@
+ }
+ }
+
+-$vars->{'bug_id'} = $cgi->param('id');
++# Make sure we only include valid integers (protects us from XSS attacks).
++my @bugs = grep(detaint_natural($_), split(/[\s,]+/, $cgi->param('id')));
++$vars->{'bug_id'} = join(', ', @bugs);
+ $vars->{'multiple_bugs'} = ($cgi->param('id') =~ /[ ,]/);
+ $vars->{'doall'} = $cgi->param('doall');
+ $vars->{'rankdir'} = $rankdir;
+diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/showdependencytree.cgi bugzilla-2.22.1/showdependencytree.cgi
+--- bugzilla-2.22/showdependencytree.cgi 2006-01-06 06:38:35.000000000 -0800
++++ bugzilla-2.22.1/showdependencytree.cgi 2006-10-11 15:40:31.000000000 -0700
+@@ -45,7 +45,7 @@
+
+ # Make sure the bug ID is a positive integer representing an existing
+ # bug that the user is authorized to access.
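Review bot: In the showdependencygraph.cgi hunk `$vars->{'multiple_bugs'}` is still computed from the raw `id` parameter with `/[ ,]/`, while the displayed list now comes from `@bugs`, which splits on any whitespace and drops entries that fail `detaint_natural`. The two can disagree: `1,abc` leaves one bug but sets multiple_bugs, and ids separated by a tab leave several bugs without setting it. Deriving the flag from the cleaned list keeps them consistent: `$vars->{'multiple_bugs'} = (scalar(@bugs) > 1);`. `$vars->{'doall'}` on the next line is also passed through unchanged; whether the template filters it is not visible here.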
+-my $id = $cgi->param('id');
++my $id = $cgi->param('id') || ThrowUserError('invalid_bug_id_or_alias');
+ ValidateBugID($id);
+
+ my $hide_resolved = $cgi->param('hide_resolved') ? 1 : 0;
+diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/skins/standard/editusers.css bugzilla-2.22.1/skins/standard/editusers.css
+--- bugzilla-2.22/skins/standard/editusers.css 2005-02-28 12:41:43.000000000 -0800
++++ bugzilla-2.22.1/skins/standard/editusers.css 2006-10-14 13:30:54.000000000 -0700
+@@ -50,3 +50,8 @@
+ text-align: center;
+ white-space: nowrap;
+ }
++
++.missing {
++ color: red;
++ border-color: inherit;
++}
+diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/skins/standard/global.css bugzilla-2.22.1/skins/standard/global.css
+--- bugzilla-2.22/skins/standard/global.css 2006-02-21 08:15:16.000000000 -0800
++++ bugzilla-2.22.1/skins/standard/global.css 2006-10-14 15:05:55.000000000 -0700
+@@ -99,8 +99,6 @@
+ font-family: serif;
+ font-weight: bold;
+ font-size: 110%;
+-
+- white-space: nowrap;
+ padding: 0.2em 1em 0.1em 0.2em;
+ }
+
+@@ -162,10 +160,10 @@
+
+ #message
+ {
+- border: 1px solid red;
++ border: 1px solid red;
+
+- padding: 0.3em;
+- color: green;
++ padding: 0.3em;
++ color: green;
+ }
+ /* header (end) */
+
+@@ -337,3 +335,11 @@
+ }
+
+ table#flags th, table#flags td { vertical-align: baseline; text-align: left; }
++
++.throw_error {
++ background-color: #ff0000;
++ color: black;
++ font-size: 120%;
++ margin: 1em;
++ padding: 0.5em 1em;
++}
+diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/t/008filter.t bugzilla-2.22.1/t/008filter.t
+--- bugzilla-2.22/t/008filter.t 2006-03-06 14:23:35.000000000 -0800
++++ bugzilla-2.22.1/t/008filter.t 2006-10-14 13:30:54.000000000 -0700
+@@ -223,7 +223,7 @@
+ # Note: If a single directive prints two things, and only one is
+ # filtered, we may not catch that case.
+ return 1 if $directive =~ /FILTER\ (html|csv|js|base64|url_quote|css_class_quote|
+- ics|quoteUrls|time|uri|xml|lower|
++ ics|quoteUrls|time|uri|xml|lower|html_light|
+ obsolete|inactive|closed|unitconvert|
+ none)\b/x;
+
+diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/t/012throwables.t bugzilla-2.22.1/t/012throwables.t
+--- bugzilla-2.22/t/012throwables.t 2006-04-17 13:48:15.000000000 -0700
++++ bugzilla-2.22.1/t/012throwables.t 2006-05-14 11:51:26.000000000 -0700
+@@ -88,7 +88,7 @@
+ my $errtag = $1;
+ if ($errtag =~ /\s/) {
+ Register(\%test_templates, $file,
+- "has an error definition \"$errtag\" at line $lineno with"
++ "has an error definition \"$errtag\" at line $lineno with "
+ . "space(s) embedded --ERROR");
+ }
+ else {
+@@ -164,14 +164,26 @@
+ }
+
+ sub Register {
+- my ($hash, $file, $message) = @_;
+- push @{$hash->{$file}}, $message;
++ my ($hash, $file, $message, $warning) = @_;
++ # If set to 1, $warning will avoid the test to fail.
++ $warning ||= 0;
++ push(@{$hash->{$file}}, {'message' => $message, 'warning' => $warning});
+ }
+
+ sub Report {
+ my ($file, @errors) = @_;
+ if (scalar @errors) {
+- ok(0, "$file has ". scalar @errors ." error(s):\n" . join("\n", @errors));
++ # Do we only have warnings to report or also real errors?
++ my @real_errors = grep {$_->{'warning'} == 0} @errors;
++ # Extract error messages.
++ @errors = map {$_->{'message'}} @errors;
++ if (scalar(@real_errors)) {
++ ok(0, "$file has ". scalar(@errors) ." error(s):\n" . join("\n", @errors));
++ }
++ else {
++ ok(1, "--WARNING $file has " . scalar(@errors) .
++ " unused error tag(s):\n" . join("\n", @errors));
++ }
+ }
+ else {
+ # This is used for both code and template files, so let's use
+@@ -196,7 +208,7 @@
+ Register(\%test_templates, $file,
+ "$errtype error tag '$errtag' is defined at line(s) ("
+ . join (',', @{$Errors{$errtype}{$errtag}{defined_in}{$lang}{$file}})
+- .
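Review bot: Adding `html_light` to the alternation in `return 1 if $directive =~ /FILTER\ (html|…)/x` makes the 008filter.t check treat it as equivalent to `html` for every directive. The filter's definition is outside this hunk; if it lets some markup through, as its use on product and classification descriptions elsewhere in this patch suggests, the test can no longer tell when it is applied to data that ordinary users control. A comment above the pattern, e.g. `# html_light is meant for admin-authored descriptions only; use html for user input`, would record the intent.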
") but is not used anywhere", 1); + } + } + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/t/Support/Templates.pm bugzilla-2.22.1/t/Support/Templates.pm +--- bugzilla-2.22/t/Support/Templates.pm 2005-08-05 16:47:28.000000000 -0700 ++++ bugzilla-2.22.1/t/Support/Templates.pm 2006-07-04 15:27:42.000000000 -0700 +@@ -98,6 +98,10 @@ + my $local_dir = File::Spec->abs2rel($File::Find::dir, + $File::Find::topdir); + ++ # File::Spec 3.13 and newer return "." instead of "" if both ++ # arguments of abs2rel() are identical. ++ $local_dir = "" if ($local_dir eq "."); ++ + if ($local_dir) { + $filename = File::Spec->catfile($local_dir, $_); + } else { +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/account/auth/login-small.html.tmpl bugzilla-2.22.1/template/en/default/account/auth/login-small.html.tmpl +--- bugzilla-2.22/template/en/default/account/auth/login-small.html.tmpl 2006-02-20 16:19:25.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/account/auth/login-small.html.tmpl 2006-06-19 11:31:17.000000000 -0700 +@@ -21,7 +21,7 @@ + + [% PROCESS global/variables.none.tmpl %] + +-[%# Use the current script name. If an empty name is retuned, ++[%# Use the current script name. If an empty name is returned, + # then we are accessing the home page. %] + + [% script_name = cgi.url(Relative => 1) %] +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/account/prefs/email.html.tmpl bugzilla-2.22.1/template/en/default/account/prefs/email.html.tmpl +--- bugzilla-2.22/template/en/default/account/prefs/email.html.tmpl 2005-10-31 15:09:28.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/account/prefs/email.html.tmpl 2006-07-13 11:52:14.000000000 -0700 +@@ -275,7 +275,7 @@ + [% watcher FILTER html %]
    + [% END %] + [% ELSE %] +- None ++ No one + [% END %] +

    + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/account/prefs/footer.html.tmpl bugzilla-2.22.1/template/en/default/account/prefs/footer.html.tmpl +--- bugzilla-2.22/template/en/default/account/prefs/footer.html.tmpl 2004-03-18 13:51:16.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/account/prefs/footer.html.tmpl 1969-12-31 16:00:00.000000000 -0800 +@@ -1,78 +0,0 @@ +-[%# 1.0@bugzilla.org %] +-[%# The contents of this file are subject to the Mozilla Public +- # License Version 1.1 (the "License"); you may not use this file +- # except in compliance with the License. You may obtain a copy of +- # the License at http://www.mozilla.org/MPL/ +- # +- # Software distributed under the License is distributed on an "AS +- # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +- # implied. See the License for the specific language governing +- # rights and limitations under the License. +- # +- # The Original Code is the Bugzilla Bug Tracking System. +- # +- # The Initial Developer of the Original Code is Netscape Communications +- # Corporation. Portions created by Netscape are +- # Copyright (C) 1998 Netscape Communications Corporation. All +- # Rights Reserved. +- # +- # Contributor(s): Gervase Markham +- #%] +- +-[%# INTERFACE: +- # mybugslink: boolean. True if the user wishes the My Bugs link to appear. +- # queries: array of hashes. May be empty. Each hash has two members: +- # name: string. The name of the search. +- # footer: boolean. True if the search appears in the footer. +- #%] +- +-[% PROCESS global/variables.none.tmpl %] +- +- +- +- +- +- +- +- +- [% IF queries.size %] +- [% FOREACH query = queries %] +- +- +- +- +- +- +- [% END %] +- +- [% ELSE %] +- +- +- +- [% END %] +- +-
    The 'My [% terms.bugs %]' link: +- +-
    Your search named '[% query.name FILTER html %]': +- +-
    +-
    +- If you create remembered queries using the +- search page, +- you can then come to this page and choose to have some of them +- appear in the footer of each [% terms.Bugzilla %] page. +-
    +-
    +-
    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/account/prefs/permissions.html.tmpl bugzilla-2.22.1/template/en/default/account/prefs/permissions.html.tmpl +--- bugzilla-2.22/template/en/default/account/prefs/permissions.html.tmpl 2005-11-19 17:31:36.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/account/prefs/permissions.html.tmpl 2006-10-14 13:30:55.000000000 -0700 +@@ -42,8 +42,8 @@ + + [% FOREACH bit_description = has_bits %] + +- +- ++ ++ + + [% END %] +
    [% bit_description.name %][% bit_description.desc %][% bit_description.name FILTER html %][% bit_description.desc FILTER html_light %]
    +@@ -63,8 +63,8 @@ + + [% FOREACH bit_description = set_bits %] + +- +- ++ ++ + + [% END %] +
    [% bit_description.name %][% bit_description.desc %][% bit_description.name FILTER html %][% bit_description.desc FILTER html_light %]
    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/account/prefs/prefs.html.tmpl bugzilla-2.22.1/template/en/default/account/prefs/prefs.html.tmpl +--- bugzilla-2.22/template/en/default/account/prefs/prefs.html.tmpl 2005-10-28 02:56:54.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/account/prefs/prefs.html.tmpl 2006-06-09 05:15:54.000000000 -0700 +@@ -49,7 +49,7 @@ + link => "userprefs.cgi?tab=settings", saveable => "1" }, + { name => "email", label => "Email Preferences", + link => "userprefs.cgi?tab=email", saveable => "1" }, +- { name => "saved-searches", label => "Saved searches", ++ { name => "saved-searches", label => "Saved Searches", + link => "userprefs.cgi?tab=saved-searches", saveable => "1" }, + { name => "permissions", label => "Permissions", + link => "userprefs.cgi?tab=permissions", saveable => "0" } ] %] +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/account/prefs/settings.html.tmpl bugzilla-2.22.1/template/en/default/account/prefs/settings.html.tmpl +--- bugzilla-2.22/template/en/default/account/prefs/settings.html.tmpl 2005-10-28 02:56:54.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/account/prefs/settings.html.tmpl 2006-10-14 13:30:55.000000000 -0700 +@@ -49,8 +49,8 @@ + + + [% IF settings.${name}.is_enabled %] +- + [% ELSE %] +- ++ + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/classifications/add.html.tmpl bugzilla-2.22.1/template/en/default/admin/classifications/add.html.tmpl +--- bugzilla-2.22/template/en/default/admin/classifications/add.html.tmpl 2004-08-20 14:49:18.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/classifications/add.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -37,6 +37,7 @@ +
    + + ++ + + +

    Back to the main [% terms.bugs %] page +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/classifications/del.html.tmpl bugzilla-2.22.1/template/en/default/admin/classifications/del.html.tmpl +--- bugzilla-2.22/template/en/default/admin/classifications/del.html.tmpl 2005-10-13 16:42:43.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/classifications/del.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -36,7 +36,7 @@ + Description: + + [% IF classification.description %] +- [% classification.description FILTER none %] ++ [% classification.description FILTER html_light %] + [% ELSE %] + description missing + [% END %] +@@ -52,6 +52,7 @@ + + + ++ + + +

    Back to the main [% terms.bugs %] page +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/classifications/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/classifications/edit.html.tmpl +--- bugzilla-2.22/template/en/default/admin/classifications/edit.html.tmpl 2005-10-17 14:58:51.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/classifications/edit.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -33,7 +33,7 @@ + + Description: + ++ [% classification.description FILTER html %] + + + +@@ -49,7 +49,7 @@ + [% product.name FILTER html %] + + [% IF product.description %] +- [% product.description FILTER none %] ++ [% product.description FILTER html_light %] + [% ELSE %] + description missing + [% END %] +@@ -67,6 +67,7 @@ + + ++ + + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/classifications/reclassify.html.tmpl bugzilla-2.22.1/template/en/default/admin/classifications/reclassify.html.tmpl +--- bugzilla-2.22/template/en/default/admin/classifications/reclassify.html.tmpl 2005-10-13 16:42:43.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/classifications/reclassify.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -33,7 +33,7 @@ + Description: + + [% IF classification.description %] +- [% classification.description FILTER none %] ++ [% classification.description FILTER html_light %] + [% ELSE %] + description missing + [% END %] +@@ -78,6 +78,7 @@ + + + ++ + + +

    Back to the main [% terms.bugs %] page, +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/classifications/select.html.tmpl bugzilla-2.22.1/template/en/default/admin/classifications/select.html.tmpl +--- bugzilla-2.22/template/en/default/admin/classifications/select.html.tmpl 2006-01-22 14:53:53.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/admin/classifications/select.html.tmpl 2006-10-14 13:30:55.000000000 -0700 +@@ -36,7 +36,7 @@ + [% cl.name FILTER html %] + + [% IF cl.description %] +- [% cl.description %] ++ [% cl.description FILTER html_light %] + [% ELSE %] + none + [% END %] +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/components/confirm-delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/components/confirm-delete.html.tmpl +--- bugzilla-2.22/template/en/default/admin/components/confirm-delete.html.tmpl 2005-09-06 16:53:59.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/components/confirm-delete.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -44,7 +44,7 @@ + + + Component Description: +- [% comp.description FILTER html %] ++ [% comp.description FILTER html_light %] + + + Default assignee: +@@ -66,7 +66,7 @@ + + + Product Description: +- [% prod.description FILTER html %] ++ [% prod.description FILTER html_light %] + [% END %] + + [% IF Param('usetargetmilestone') %] +@@ -150,6 +150,7 @@ + + + ++ + + + [% END %] +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/components/create.html.tmpl bugzilla-2.22.1/template/en/default/admin/components/create.html.tmpl +--- bugzilla-2.22/template/en/default/admin/components/create.html.tmpl 2006-01-01 13:25:05.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/admin/components/create.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -78,7 +78,7 @@ + + + +- ++ + + + [% PROCESS admin/components/footer.html.tmpl %] +diff -urN --exclude=CVS --exclude='*.pdf' 
bugzilla-2.22/template/en/default/admin/components/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/components/edit.html.tmpl +--- bugzilla-2.22/template/en/default/admin/components/edit.html.tmpl 2005-09-06 16:53:59.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/components/edit.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -94,6 +94,7 @@ + + + ++ + or ++ #%] ++ ++[%# INTERFACE: ++ # abuser: identity of the user who created the (invalid?) token. ++ # token_action: the action the token was supposed to serve. ++ # expected_action: the action the user was going to do. ++ # script_name: the script generating this warning. ++ #%] ++ ++[% PROCESS "global/field-descs.none.tmpl" %] ++ ++[% PROCESS global/header.html.tmpl title = "Suspicious Action" ++ style_urls = ['skins/standard/global.css'] %] ++ ++[% IF abuser %] ++

    ++[% ELSE %] ++
    ++ It looks like you didn't come from the right page (you have no valid token for ++ the [% expected_action FILTER html %] action while processing the ++ '[% script_name FILTER html%]' script). The reason could be one of:
    ++
      ++
    • You clicked the "Back" button of your web browser after having successfully ++ submitted changes, which is generally not a good idea (but harmless).
    • ++
    • You entered the URL in the address bar of your web browser directly, ++ which should be safe.
    • ++
    • You clicked on a URL which redirected you here without your consent, ++ in which case this action is much more critical.
    • ++
    ++ Are you sure you want to commit these changes anyway? This may result in ++ unexpected and undesired results. ++
    ++ ++
    ++ [% PROCESS "global/hidden-fields.html.tmpl" ++ exclude="^(Bugzilla_login|Bugzilla_password)$" %] ++ ++
    ++

    Or throw away these changes and go back to ++ [%- script_name FILTER html %].

    ++[% END %] ++ ++[% PROCESS global/footer.html.tmpl %] +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/fieldvalues/confirm-delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/fieldvalues/confirm-delete.html.tmpl +--- bugzilla-2.22/template/en/default/admin/fieldvalues/confirm-delete.html.tmpl 2005-10-19 15:21:05.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/fieldvalues/confirm-delete.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -111,6 +111,7 @@ + + + ++ + + + [% END %] +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/fieldvalues/create.html.tmpl bugzilla-2.22.1/template/en/default/admin/fieldvalues/create.html.tmpl +--- bugzilla-2.22/template/en/default/admin/fieldvalues/create.html.tmpl 2005-06-14 20:55:00.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/fieldvalues/create.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -42,7 +42,7 @@ + + + +- ++ + + +

    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/fieldvalues/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/fieldvalues/edit.html.tmpl +--- bugzilla-2.22/template/en/default/admin/fieldvalues/edit.html.tmpl 2005-09-01 15:00:54.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/fieldvalues/edit.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -48,8 +48,8 @@ + + + ++ + +- + + +

    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/flag-type/confirm-delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/flag-type/confirm-delete.html.tmpl +--- bugzilla-2.22/template/en/default/admin/flag-type/confirm-delete.html.tmpl 2004-01-18 10:39:14.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/admin/flag-type/confirm-delete.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -21,18 +21,16 @@ + + [% PROCESS global/variables.none.tmpl %] + +-[%# Filter off the name here to be used multiple times below %] +-[% name = BLOCK %][% flag_type.name FILTER html %][% END %] ++[% title = BLOCK %]Confirm Deletion of Flag Type '[% flag_type.name FILTER html %]'[% END %] + +-[% PROCESS global/header.html.tmpl +- title = "Confirm Deletion of Flag Type '$name'" +-%] ++[% PROCESS global/header.html.tmpl title = title %] + +

    +- There are [% flag_count %] flags of type [% name FILTER html %]. ++ There are [% flag_count %] flags of type [% flag_type.name FILTER html %]. + If you delete this type, those flags will also be deleted. Note that + instead of deleting the type you can +- deactivate it, ++ deactivate it, + in which case the type and its flags will remain in the database + but will not appear in the [% terms.Bugzilla %] UI. +

    +@@ -45,8 +43,8 @@ + + + +- +- Yes, delete ++ Yes, delete + + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/flag-type/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/flag-type/edit.html.tmpl +--- bugzilla-2.22/template/en/default/admin/flag-type/edit.html.tmpl 2006-01-21 06:07:03.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/admin/flag-type/edit.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -45,9 +45,9 @@ + [% END %] + + [% IF last_action == "copy" %] +- [% title = "Create Flag Type Based on $type.name" %] ++ [% title = BLOCK %]Create Flag Type Based on [% type.name FILTER html %][% END %] + [% ELSIF last_action == "edit" %] +- [% title = "Edit Flag Type $type.name" %] ++ [% title = BLOCK %]Edit Flag Type [% type.name FILTER html %][% END %] + [% END %] + + [% PROCESS global/header.html.tmpl +@@ -63,6 +63,7 @@ +
    + + ++ + + [% FOREACH category = type.inclusions %] + +@@ -71,6 +72,10 @@ + + [% END %] + ++ [%# Add a hidden button at the top of the form so that the user pressing "return" ++ # really submit the form, as expected. %] ++ ++ + + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/flag-type/list.html.tmpl bugzilla-2.22.1/template/en/default/admin/flag-type/list.html.tmpl +--- bugzilla-2.22/template/en/default/admin/flag-type/list.html.tmpl 2005-02-25 07:27:24.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/admin/flag-type/list.html.tmpl 2006-10-14 15:05:56.000000000 -0700 +@@ -59,25 +59,6 @@ + Create Flag Type For Attachments +

    + +- +- + [% PROCESS global/footer.html.tmpl %] + + +@@ -97,9 +78,7 @@ + + + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/change.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/change.html.tmpl +--- bugzilla-2.22/template/en/default/admin/groups/change.html.tmpl 2004-07-12 22:12:31.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/groups/change.html.tmpl 2006-06-19 11:27:25.000000000 -0700 +@@ -28,7 +28,7 @@ + # 1 - remove_explicit_members + # 2 - remove_explicit_members_regexp + # 3 - no conversion, just save the changes +- # changes: boolean int. Is 1 if changes occured. ++ # changes: boolean int. Is 1 if changes occurred. + # gid: integer. The ID of the group. + # name: the name of the product where removal is performed. + # regexp: the regexp according to which the update is performed. +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/create.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/create.html.tmpl +--- bugzilla-2.22/template/en/default/admin/groups/create.html.tmpl 2004-07-12 22:12:31.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/groups/create.html.tmpl 2006-10-14 15:05:57.000000000 -0700 +@@ -49,6 +49,7 @@ + Insert new group into all existing products.

    + + ++ + + +

    Name is what is used with the UserInGroup() function in any +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/deleted.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/deleted.html.tmpl +--- bugzilla-2.22/template/en/default/admin/groups/deleted.html.tmpl 2005-10-17 14:58:52.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/groups/deleted.html.tmpl 2006-09-29 13:05:27.000000000 -0700 +@@ -23,9 +23,7 @@ + #%] + + [%# INTERFACE: +- # gid: number. The group ID. + # name: string. The name of the group. +- # cantdelete: boolean int. Is 1 if the group couldn't have been deleted. + #%] + + +@@ -33,21 +31,7 @@ + title = "Deleting group" + %] + +-[% IF cantdelete %] +-

    +- This group cannot be deleted because there are records +- in the database which refer to it. All such records +- must be removed or altered to remove the reference to this +- group before the group can be deleted. +-

    +- +-

    +- View +- the list of which records are affected. +-

    +-[% ELSE %] +-

    The group [% name FILTER html %] has been deleted.

    +-[% END %] ++

    The group [% name FILTER html %] has been deleted.

    + +

    Go back to the group list. + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/delete.html.tmpl +--- bugzilla-2.22/template/en/default/admin/groups/delete.html.tmpl 2005-11-30 00:19:28.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/admin/groups/delete.html.tmpl 2006-10-14 15:05:57.000000000 -0700 +@@ -47,7 +47,7 @@ +

    + + +- ++ + +
    Name:[% type.description FILTER html %] + Copy +- | Delete ++ | Delete +
    [% gid FILTER html %][% name FILTER html %][% description FILTER html %][% description FILTER html_light %]
    + +@@ -103,6 +103,7 @@ +

    + + ++ + + + Go back to the group list. +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/edit.html.tmpl +--- bugzilla-2.22/template/en/default/admin/groups/edit.html.tmpl 2005-02-18 08:38:42.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/admin/groups/edit.html.tmpl 2006-10-14 15:05:57.000000000 -0700 +@@ -41,9 +41,10 @@ + # be aware of the group being edited and its members. + #%] + ++[% title = BLOCK %]Change Group: [% name FILTER html %][% END %] + + [% PROCESS global/header.html.tmpl +- title = "Change Group: $name" ++ title = title + style = "tr.odd_row { + background: #e9e9e9; + } +@@ -165,7 +166,7 @@ + [% group.grpnam FILTER html %] + + +- [% group.grpdesc FILTER html %] ++ [% group.grpdesc FILTER html_light %] + + [% END %] + +@@ -213,6 +214,7 @@ + + + ++ + + + Back to the group list. +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/list.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/list.html.tmpl +--- bugzilla-2.22/template/en/default/admin/groups/list.html.tmpl 2006-01-26 09:38:09.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/admin/groups/list.html.tmpl 2006-10-14 13:30:56.000000000 -0700 +@@ -37,53 +37,104 @@ + h2 = "This lets you edit the groups available to put users in." + %] + ++[% edit_contentlink = "editgroups.cgi?action=changeform&group=%%id%%" %] ++[% del_contentlink = "editgroups.cgi?action=del&group=%%id%%" %] + +- +- +- +- +- +- +- +- +- +- +- [% FOREACH group = groups %] +- +- +- +- +- +- +- +- +- +- +- +- [% END %] +- +- +- +- +- +-
    NameDescriptionUser RegExpUse For [% terms.Bugs %]TypeAction
    +- +- [% group.name FILTER html %] +- [% group.description FILTER html %][% group.userregexp FILTER html %]  +- [% IF (group.isactive != 0) && (group.isbuggroup) %] +- X +- [% ELSE %] +-   +- [% END %] +- +- [% (group.isbuggroup) ? "user" : "system" %] +- +- [% IF (group.isbuggroup) %] +- Delete +- [% ELSE %] +-   +- [% END %] +-
    Add Group
    ++[% columns = ++ [{name => 'name' ++ heading => 'Name' ++ contentlink => edit_contentlink ++ } ++ {name => 'description' ++ heading => 'Description' ++ allow_html_content => 1 ++ } ++ {name => 'userregexp' ++ heading => 'User RegExp' ++ } ++ {name => 'use_for' ++ heading => "Use For $terms.Bugs" ++ align => 'center' ++ } ++ {name => 'type' ++ heading => 'Type' ++ align => 'center' ++ } ++ {name => 'action' ++ heading => 'Action' ++ } ++ ] ++%] ++ ++[% overrides.use_for = [ { ++ match_value => "0" ++ match_field => 'use_for' ++ override_content => 1 ++ content => " " ++ }, ++ { ++ match_value => "1" ++ match_field => 'use_for' ++ override_content => 1 ++ content => "X" ++ }] ++ overrides.userregexp = [ { ++ match_value => "" ++ match_field => 'userregexp' ++ override_content => 1 ++ content => " " ++ }] ++ overrides.action = [ { ++ match_value => Param("chartgroup") ++ match_field => 'name' ++ override_content => 1 ++ content => "(used as the 'chartgroup')" ++ }, ++ { ++ match_value => Param("insidergroup") ++ match_field => 'name' ++ override_content => 1 ++ content => "(used as the 'insidergroup')" ++ }, ++ { ++ match_value => Param("timetrackinggroup") ++ match_field => 'name' ++ override_content => 1 ++ content => "(used as the 'timetrackinggroup')" ++ }, ++ { ++ match_value => "1" ++ match_field => 'isbuggroup' ++ override_content => 1 ++ content => "Delete" ++ override_contentlink => 1 ++ contentlink => del_contentlink ++ }] ++ overrides.type = [ { ++ match_value => "0" ++ match_field => 'isbuggroup' ++ override_content => 1 ++ content => "system" ++ }, ++ { ++ match_value => "1" ++ match_field => 'isbuggroup' ++ override_content => 1 ++ content => "user" ++ }] ++%] ++ ++[% FOREACH group = groups %] ++ [% group.use_for = (group.isactive != 0) && (group.isbuggroup) %] ++[% END %] ++ ++[% PROCESS admin/table.html.tmpl ++ columns = columns ++ data = groups ++ overrides = overrides ++%] ++ ++

    Add Group

    + +

    + Name is what is used with the UserInGroup() function in any +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/remove.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/remove.html.tmpl +--- bugzilla-2.22/template/en/default/admin/groups/remove.html.tmpl 2004-07-12 22:12:32.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/groups/remove.html.tmpl 2006-10-14 13:50:43.000000000 -0700 +@@ -33,14 +33,16 @@ + + + [% IF remove_all %] +- [% title = "Removing All Explicit Group Memberships from '" +- _ name _ "'" %] ++ [% title = BLOCK %] ++ Removing All Explicit Group Memberships from '[% name FILTER html %]' ++ [% END %] + [% ELSE %] +- [% title = "Removing All Explicit Group Memberships Matching " +- _ "Group RegExp from '" _ name _ "'" %] ++ [% title = BLOCK %] ++ Removing All Explicit Group Memberships Matching Group RegExp from '[% name FILTER html %]' ++ [% END %] + [% END %] + +-[% PROCESS global/header.html.tmpl %] ++[% PROCESS global/header.html.tmpl title = title %] + + [% IF remove_all %] +
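Review bot: `allow_html_content => 1` on the `description` column moves the escaping decision for group descriptions out of this template and into admin/table.html.tmpl, which this hunk does not show. The removed row markup escaped the value with `FILTER html`, and the other group templates in this patch switch descriptions to `FILTER html_light`, so the table template should apply `html_light` (not `none`) to columns flagged this way; please confirm. A line comment inside the `columns` directive would record the intent, e.g. `# description may carry limited markup; admin/table.html.tmpl is expected to filter it with html_light`. The same applies to the `allow_html_content => 1` added to the keyword list's description column later in the patch.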

    Removing explicit membership

    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/keywords/confirm-delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/keywords/confirm-delete.html.tmpl +--- bugzilla-2.22/template/en/default/admin/keywords/confirm-delete.html.tmpl 2004-01-18 10:39:15.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/admin/keywords/confirm-delete.html.tmpl 2006-10-14 15:05:57.000000000 -0700 +@@ -46,6 +46,7 @@ + + + ++ + + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/keywords/create.html.tmpl bugzilla-2.22.1/template/en/default/admin/keywords/create.html.tmpl +--- bugzilla-2.22/template/en/default/admin/keywords/create.html.tmpl 2004-01-18 10:39:15.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/admin/keywords/create.html.tmpl 2006-10-14 15:05:57.000000000 -0700 +@@ -47,6 +47,7 @@ + + + ++ + + +

    Edit other keywords.

    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/keywords/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/keywords/edit.html.tmpl +--- bugzilla-2.22/template/en/default/admin/keywords/edit.html.tmpl 2005-07-10 16:41:12.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/keywords/edit.html.tmpl 2006-10-14 15:05:57.000000000 -0700 +@@ -62,6 +62,7 @@ + + + ++ + + +

    Edit other keywords.

    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/keywords/list.html.tmpl bugzilla-2.22.1/template/en/default/admin/keywords/list.html.tmpl +--- bugzilla-2.22/template/en/default/admin/keywords/list.html.tmpl 2005-07-10 16:41:12.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/keywords/list.html.tmpl 2006-10-14 13:30:56.000000000 -0700 +@@ -43,7 +43,8 @@ + }, + { + name => "description" +- heading => "Description" ++ heading => "Description" ++ allow_html_content => 1 + }, + { + name => "bug_count" +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/milestones/confirm-delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/milestones/confirm-delete.html.tmpl +--- bugzilla-2.22/template/en/default/admin/milestones/confirm-delete.html.tmpl 2005-07-27 17:35:50.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/milestones/confirm-delete.html.tmpl 2006-10-14 15:05:57.000000000 -0700 +@@ -91,6 +91,7 @@ + + + ++ + + + [% PROCESS admin/milestones/footer.html.tmpl %] +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/milestones/create.html.tmpl bugzilla-2.22.1/template/en/default/admin/milestones/create.html.tmpl +--- bugzilla-2.22/template/en/default/admin/milestones/create.html.tmpl 2005-08-23 05:39:17.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/milestones/create.html.tmpl 2006-10-14 15:05:57.000000000 -0700 +@@ -48,7 +48,7 @@ + + + +- ++ + + +

    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/milestones/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/milestones/edit.html.tmpl +--- bugzilla-2.22/template/en/default/admin/milestones/edit.html.tmpl 2005-08-23 05:39:17.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/milestones/edit.html.tmpl 2006-10-14 15:05:57.000000000 -0700 +@@ -56,7 +56,7 @@ + + + +- ++ + + +

    +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/params/bugchange.html.tmpl bugzilla-2.22.1/template/en/default/admin/params/bugchange.html.tmpl +--- bugzilla-2.22/template/en/default/admin/params/bugchange.html.tmpl 2005-10-14 10:54:56.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/params/bugchange.html.tmpl 2006-07-20 16:34:10.000000000 -0700 +@@ -20,8 +20,8 @@ + # Frédéric Buclin + #%] + [% +- title = "Bug Change Policies" +- desc = "Set up bug change policies" ++ title = "$terms.Bug Change Policies" ++ desc = "Set up $terms.bug change policies" + %] + + [% param_descs = { +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/params/bugfields.html.tmpl bugzilla-2.22.1/template/en/default/admin/params/bugfields.html.tmpl +--- bugzilla-2.22/template/en/default/admin/params/bugfields.html.tmpl 2005-10-14 10:54:56.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/params/bugfields.html.tmpl 2006-07-20 16:34:10.000000000 -0700 +@@ -20,7 +20,7 @@ + # Frédéric Buclin + #%] + [% +- title = "Bug Fields" ++ title = "$terms.Bug Fields" + desc = "Choose fields you want to display" + %] + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/params/bugmove.html.tmpl bugzilla-2.22.1/template/en/default/admin/params/bugmove.html.tmpl +--- bugzilla-2.22/template/en/default/admin/params/bugmove.html.tmpl 2005-10-12 01:51:54.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/params/bugmove.html.tmpl 2006-07-20 16:34:10.000000000 -0700 +@@ -20,8 +20,8 @@ + # Frédéric Buclin + #%] + [% +- title = "Bug Moving" +- desc = "Set up parameters to move bugs to/from another installation" ++ title = "$terms.Bug Moving" ++ desc = "Set up parameters to move $terms.bugs to/from another installation" + %] + + [% param_descs = { +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/params/editparams.html.tmpl 
bugzilla-2.22.1/template/en/default/admin/params/editparams.html.tmpl +--- bugzilla-2.22/template/en/default/admin/params/editparams.html.tmpl 2005-10-13 02:18:23.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/params/editparams.html.tmpl 2006-10-14 15:05:57.000000000 -0700 +@@ -99,6 +99,7 @@ + [% PROCESS admin/params/common.html.tmpl panel = current_panel %] + + ++ + + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/products/confirm-delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/products/confirm-delete.html.tmpl +--- bugzilla-2.22/template/en/default/admin/products/confirm-delete.html.tmpl 2005-11-18 16:48:08.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/admin/products/confirm-delete.html.tmpl 2006-10-14 15:05:58.000000000 -0700 +@@ -56,7 +56,7 @@ + [%# descriptions are intentionally not filtered to allow html content %] + + [% IF classification.description %] +- [% classification.description FILTER none %] ++ [% classification.description FILTER html_light %] + [% ELSE %] + missing + [% END %] +@@ -78,7 +78,7 @@ + [%# descriptions are intentionally not filtered to allow html content %] + + [% IF product.description %] +- [% product.description FILTER none %] ++ [% product.description FILTER html_light %] + [% ELSE %] + missing + [% END %] +@@ -132,7 +132,7 @@ + [%# descriptions are intentionally not filtered to allow html content %] + + [% IF c.description %] +- [% c.description FILTER none %] ++ [% c.description FILTER html_light %] + [% ELSE %] + missing + [% END %] +@@ -263,6 +263,7 @@ + + + ++ + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/products/create.html.tmpl bugzilla-2.22.1/template/en/default/admin/products/create.html.tmpl +--- bugzilla-2.22/template/en/default/admin/products/create.html.tmpl 2005-10-26 10:14:33.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/products/create.html.tmpl 2006-10-14 15:05:58.000000000 -0700 
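Review bot: The context comment `[%# descriptions are intentionally not filtered to allow html content %]` still sits above each of the three description cells (classification, product, component) in products/confirm-delete.html.tmpl, but these hunks change `FILTER none` to `FILTER html_light`, so the comment now states the opposite of what the code does. Leaving it in place invites a later edit back to `FILTER none`. I would update all three to something like `[%# descriptions are filtered with html_light: limited markup is kept, everything else is escaped %]`.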
+@@ -57,6 +57,7 @@ + + + ++ + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/products/edit-common.html.tmpl bugzilla-2.22.1/template/en/default/admin/products/edit-common.html.tmpl +--- bugzilla-2.22/template/en/default/admin/products/edit-common.html.tmpl 2005-12-13 12:08:13.000000000 -0800 ++++ bugzilla-2.22.1/template/en/default/admin/products/edit-common.html.tmpl 2006-10-14 13:30:56.000000000 -0700 +@@ -40,7 +40,7 @@ + + Description: + ++ [% product.description FILTER html %] + + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/products/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/products/edit.html.tmpl +--- bugzilla-2.22/template/en/default/admin/products/edit.html.tmpl 2005-10-26 10:14:35.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/products/edit.html.tmpl 2006-10-14 15:05:58.000000000 -0700 +@@ -50,7 +50,7 @@ + [% FOREACH component = product.components %] + [% component.name FILTER html %]:  + [% IF component.description %] +- [% component.description FILTER none %] ++ [% component.description FILTER html_light %] + [% ELSE %] + description missing + [% END %] +@@ -132,6 +132,7 @@ + + ++ + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/products/groupcontrol/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/products/groupcontrol/edit.html.tmpl +--- bugzilla-2.22/template/en/default/admin/products/groupcontrol/edit.html.tmpl 2005-10-17 14:43:42.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/products/groupcontrol/edit.html.tmpl 2006-10-14 15:05:58.000000000 -0700 +@@ -31,6 +31,7 @@ +

    + + ++ + + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/products/updated.html.tmpl bugzilla-2.22.1/template/en/default/admin/products/updated.html.tmpl +--- bugzilla-2.22/template/en/default/admin/products/updated.html.tmpl 2005-10-17 14:43:41.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/products/updated.html.tmpl 2006-10-14 13:30:56.000000000 -0700 +@@ -39,7 +39,7 @@ + # + # confirmedbugs: list of bug ids, which were confirmed by votes + # +- # changer: string; user id of the user making the changes, used for mailing ++ # changer: string; login of the user making the changes, used for mailing + # bug changes if necessary + # + #%] +@@ -75,7 +75,7 @@ +

    + Updated description to:

    +

    +-

    [% product.description FILTER html %]

    ++

    [% product.description FILTER html_light %]

    + [% updated = 1 %] + [% END %] + +diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/settings/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/settings/edit.html.tmpl +--- bugzilla-2.22/template/en/default/admin/settings/edit.html.tmpl 2005-06-20 14:14:43.000000000 -0700 ++++ bugzilla-2.22.1/template/en/default/admin/settings/edit.html.tmpl 2006-10-14 15:05:58.000000000 -0700 +@@ -64,7 +64,7 @@ + [% setting_descs.$name OR name FILTER html %] + + +- + [% FOREACH x = settings.${name}.legal_values %] +

    2.2.2.1.3. Permit attachments table to grow beyond 4GB

    By default, MySQL will limit the size of a table to 4GB. -- This limit is present even if the underlying filesystem -- has no such limit. To set a higher limit, follow these -- instructions. --

    Run the MySQL command-line client and -- enter: --

      mysql> ALTER TABLE attachments 
    --            AVG_ROW_LENGTH=1000000, MAX_ROWS=20000;
    --          

    The above command will change the limit to 20GB. Mysql will have -- to make a temporary copy of your entire table to do this. Ideally, -- you should do this when your attachments table is still small. --

    This does not affect Big Files, attachments that are stored directly -- on disk instead of in the database. --

    2.2.2.1.4. Add a user to MySQL2.2.2.1.3. Add a user to MySQL

    You need to add a new MySQL user for Bugzilla to use. -@@ -2777,10 +2648,7 @@ - > Run the mysql command-line client. --

    If you are using MySQL 4.0 or newer, enter: -+> command-line client and enter: -


    2.2.2.1.4. Permit attachments table to grow beyond 4GB

    If you are using an older version of MySQL,the -- LOCK TABLES and -- CREATE TEMPORARY TABLES By default, MySQL will limit the size of a table to 4GB. -+ This limit is present even if the underlying filesystem -+ has no such limit. To set a higher limit, follow these -+ instructions. -+

    After you have completed the rest of the installation (or at least the -+ database setup parts), you should run the MySQL -- permissions will be unavailable and should be removed from -- the permissions list. In this case, the following command -- line can be used: -+ command-line client and enter the following, replacing $bugs_db -+ with your Bugzilla database name (bugs by default): -

      
            mysql> GRANT SELECT, INSERT,
    --           UPDATE, DELETE, INDEX, ALTER, CREATE, DROP,
    --           REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY
    --           ' use $db_pass';
    --           $bugs_db
    -+            mysql> FLUSH PRIVILEGES;
    ALTER TABLE attachments -+ AVG_ROW_LENGTH=1000000, MAX_ROWS=20000; -+

    The above command will change the limit to 20GB. Mysql will have -+ to make a temporary copy of your entire table to do this. Ideally, -+ you should do this when your attachments table is still small. -+

    This does not affect Big Files, attachments that are stored directly -+ on disk instead of in the database. -+


    2.2.2.2.1. Add a User to PostgreSQL


    2.2.2.2.2. Configure PostgreSQL


    2.2.3. checksetup.pl

    Section 4.3.1. -+>. You can run -+ testserver.pl to check if your web server serves -+ Bugzilla files as expected. -


    2.3.1. Bug Graphs


    2.3.2. Dependency Charts

    loginmethod
    user_verify_class

    This parameter should be set to data/params and set loginmethod to -+> and set user_verify_class to - "DB"


    2.4. Multiple Bugzilla databases with a single installation

    The previous instructions refered to a standard installation, with -+ one unique Bugzilla database. However, you may want to host several -+ distinct installations, without having several copies of the code. This is -+ possible by using the PROJECT environment variable. When accessed, -+ Bugzilla checks for the existence of this variable, and if present, uses -+ its value to check for an alternative configuration file named -+ localconfig.<PROJECT> in the same location as -+ the default one (localconfig). It also checks for -+ customized templates in a directory named -+ <PROJECT> in the same location as the -+ default one (template/<langcode>). By default -+ this is template/en/default so PROJECT's templates -+ would be located at template/en/PROJECT.

    To set up an alternate installation, just export PROJECT=foo before -+ running checksetup.pl for the first time. It will -+ result in a file called localconfig.foo instead of -+ localconfig. Edit this file as described above, with -+ reference to a new database, and re-run checksetup.pl -+ to populate it. That's all.

    Now you have to configure the web server to pass this environment -+ variable when accessed via an alternate URL, such as virtual host for -+ instance. The following is an example of how you could do it in Apache, -+ other Webservers may differ. -+
    
<VirtualHost 212.85.153.228:80>
    -+    ServerName foo.bar.baz
    -+    SetEnv PROJECT foo
    -+    Alias /bugzilla /var/www/bugzilla
    -+</VirtualHost>
    -+
    -+

    Don't forget to also export this variable before accessing Bugzilla -+ by other means, such as cron tasks for instance.


    2.4. OS-Specific Installation Notes2.5. OS-Specific Installation Notes

    Many aspects of the Bugzilla installation can be affected by the -@@ -4340,7 +4350,7 @@ - CLASS="section" - >2.4.1. Microsoft Windows2.5.1. Microsoft Windows

    Making Bugzilla work on Windows is more difficult than making it -@@ -4355,7 +4365,7 @@ - CLASS="section" - >2.4.1.1. Win32 Perl2.5.1.1. Win32 Perl

    Perl for Windows can be obtained from -@@ -4379,7 +4389,7 @@ - CLASS="section" - >2.4.1.2. Perl Modules on Win322.5.1.2. Perl Modules on Win32

    Bugzilla on Windows requires the same perl modules found in -@@ -4511,7 +4521,7 @@ - CLASS="section" - >2.4.1.3. Code changes required to run on Win322.5.1.3. Code changes required to run on Win32

    Bugzilla on Win32 is supported out of the box from version 2.20; this -@@ -4524,7 +4534,7 @@ - CLASS="section" - >2.4.1.4. Serving the web pages2.5.1.4. Serving the web pages

    As is the case on Unix based systems, any web server should -@@ -4585,7 +4595,7 @@ - CLASS="section" - >2.4.1.5. Sending Email2.5.1.5. Sending Email

    To enable Bugzilla to send email on Windows, the server running the -@@ -4599,7 +4609,7 @@ - CLASS="section" - >2.4.2. 2.5.2. Mac OS X2.4.2.1. Sendmail2.5.2.1. Sendmail

    In Mac OS X 10.3 and later, -@@ -4641,7 +4651,7 @@ - CLASS="section" - >2.4.2.2. Libraries & Perl Modules on Mac OS X2.5.2.2. Libraries & Perl Modules on Mac OS X

    Apple did not include the GD library with Mac OS X. Bugzilla -@@ -4841,7 +4851,7 @@ - CLASS="section" - >2.4.3. Linux-Mandrake 8.02.5.3. Linux-Mandrake 8.0

    Linux-Mandrake 8.0 includes every required and optional library -@@ -4941,15 +4951,15 @@ - CLASS="section" - >2.5. UNIX (non-root) Installation Notes2.6. UNIX (non-root) Installation Notes

    2.5.1. Introduction2.6.1. Introduction

    If you are running a *NIX OS as non-root, either due -@@ -4968,8 +4978,8 @@ - >


    2.5.2. MySQL2.6.2. MySQL

    You may have MySQL installed as root. If you're -@@ -5024,16 +5034,16 @@ - >


    2.5.2.1. Running MySQL as Non-Root2.6.2.1. Running MySQL as Non-Root

    2.5.2.1.1. The Custom Configuration Method2.6.2.1.1. The Custom Configuration Method

    Create a file .my.cnf in your -@@ -5076,8 +5086,8 @@ - >


    2.5.2.1.2. The Custom Built Method2.6.2.1.2. The Custom Built Method

    You can install MySQL as a not-root, if you really need to. -@@ -5099,8 +5109,8 @@ - >


    2.5.2.1.3. Starting the Server2.6.2.1.3. Starting the Server

    After your mysqld program is built and any .my.cnf file is -@@ -5227,8 +5237,8 @@ - >


    2.5.3. Perl2.6.3. Perl

    On the extremely rare chance that you don't have Perl on -@@ -5305,7 +5315,7 @@ - CLASS="section" - >2.5.4. Perl Modules2.6.4. Perl Modules

    Installing the Perl modules as a non-root user is probably the -@@ -5320,8 +5330,8 @@ - >


    2.5.4.1. The Independant Method2.6.4.1. The Independant Method

    The independant method requires that you install your own -@@ -5392,8 +5402,8 @@ - >


    2.5.4.2. The Mixed Method2.6.4.2. The Mixed Method

    First, you'll need to configure CPAN to -@@ -5597,8 +5607,8 @@ - >


    2.5.5. HTTP Server2.6.5. HTTP Server

    Ideally, this also needs to be installed as root and -@@ -5611,8 +5621,8 @@ - >


    2.5.5.1. Running Apache as Non-Root2.6.5.1. Running Apache as Non-Root

    You can run Apache as a non-root user, but the port will need -@@ -5693,14 +5703,14 @@ - >


    2.5.6. Bugzilla2.6.6. Bugzilla

    If you had to install Perl modules as a non-root user - (Section 2.5.4Section 2.6.4) or to non-standard - directories, you will need to change the scripts, setting the correct - location of the Perl modules:


    3.11.1. Creating Groups


    3.11.2. Assigning Users to Groups


    3.11.3. Assigning Group Controls to Products


    3.11.4. Common Applications of Group Controls

    3.11.4.1. General User Access With Security Group


    3.11.4.2. General User Access With A Security Product


    3.11.4.3. Product Isolation With Common Group

    Simply enter the following in /etc/my.conf/etc/my.cnf: -
    
[myslqd]
    -+>
[mysqld]
    - # Prevent network access to MySQL.
    - skip-networking
    -         

    5.5.1. Bugzilla Database Basics


    5.5.1.1. Bugzilla Database Tables

    - entire product...
    -
    --profiles:  Ahh, so you were wondering where your precious user information was
    --stored?  Here it is!  With the passwords in plain text for all to see! (but
    --sshh... don't tell your users!)
    -+profiles:  This table contains details for the current user accounts,
    -+including the crypted hashes of the passwords used, the associated
    -+login names, and the real name of the users.
    -
    - profiles_activity:  Need to know who did what when to who's profile?  This'll
    - tell you, it's a pretty complete history.
    -@@ -12358,7 +12368,7 @@ - > At first glance, negation seems redundant. Rather than - searching for -

    - one could search for -
    - However, the search -

    6.9.1. Autolinkification


    6.11.2.1. Creating Charts


    6.11.2.2. Creating New Data Sets


    6.13.4. Saving Your Changes

    Section 2.4.1Section 2.5.1. -

    Microsoft has some advice on this matter, as well: -

    You can view bugs marked for 2.22.1 release -+> You can view bugs marked for 2.22.2 release - here. -- This list includes bugs for the 2.22.1 release that have already -+ This list includes bugs for the 2.22.2 release that have already - been fixed and checked into CVS. Please consult the - Announce your patch and the associated URL - (http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXXX) - for discussion in the newsgroup -- (netscape.public.mozilla.webtools). You'll get a -+ (mozilla.support.bugzilla). You'll get a - really good, fairly immediate reaction to the - implications of your patch, which will also give us - an idea how well-received the change would be. -@@ -17640,9 +17650,9 @@ - If you can't work it out, or if it's being uncommunicative, post - the errors in the - netscape.public.mozilla.webtoolsmozilla.support.bugzilla - newsgroup. -


    B.4. Bundle::Bugzilla makes me upgrade to Perl 5.6.1

    Try executing perl -MCPAN -e 'install CPAN' -- and then continuing. --

    Certain older versions of the CPAN toolset were somewhat naive about -- how to upgrade Perl modules. When a couple of modules got rolled into the -- core Perl distribution for 5.6.1, CPAN thought that the best way to get -- those modules up to date was to haul down the Perl distribution itself and -- build it. Needless to say, this has caused headaches for just about -- everybody. Upgrading to a newer version of CPAN with the -- commandline above should fix things. --


    B.5. DBD::Sponge::db prepare failedB.4. DBD::Sponge::db prepare failed

    The following error message may appear due to a bug in DBD::mysql -@@ -17886,7 +17871,7 @@ - CLASS="section" - >B.6. cannot chdir(/var/spool/mqueue)B.5. cannot chdir(/var/spool/mqueue)

    If you are installing Bugzilla on SuSE Linux, or some other -@@ -17945,7 +17930,7 @@ - CLASS="section" - >B.7. Your vendor has not defined Fcntl macro O_NOINHERITB.6. Your vendor has not defined Fcntl macro O_NOINHERIT

    This is caused by a bug in the version of -@@ -18026,7 +18011,7 @@ - CLASS="section" - >B.8. Everybody is constantly being forced to reloginB.7. Everybody is constantly being forced to relogin

    The most-likely cause is that the Example B-1. Examples of urlbase/cookiepath pairs for sharing login cookies

    Example B-2. Examples of urlbase/cookiepath pairs to restrict the login cookie


    B.9. Some users are constantly being forced to reloginB.8. Some users are constantly being forced to relogin

    First, make sure cookies are enabled in the user's browser. -@@ -18193,7 +18178,7 @@ - CLASS="section" - >B.10. B.9. index.cgi doesn't show up unless specified in the URLB.11. checksetup.pl reports "Client does not support authentication protocol -+>B.10. checksetup.pl reports "Client does not support authentication protocol - requested by server..."

    -

    Template::Plugin::GD: -+


    -+       CPAN Download Page: http://search.cpan.org/dist/Template-GD/
    -+       PPM Download Link:  (Just install Template-Toolkit using the instructions below)
    -+
    -+       Documentation: http://www.template-toolkit.org/docs/aqua/Modules/index.html
    -+      

    -+

    MIME::Base64: -

    -

    XML::Parser: -+> XML::Twig: -


    -         CPAN Download Page: http://search.cpan.org/dist/XML-Parser/http://search.cpan.org/dist/XML-Twig/
    -+        PPM Download Link: http://ppm.activestate.com/PPMPackages/zips/8xx-builds-only/Windows/XML-Twig-3.22.zip
    --        PPM Download Link: Part of core distribution.
    -         Documentation: http://www.perldoc.com/perl5.6.1/lib/XML/Parser.htmlhttp://standards.ieee.org/resources/spasystem/twig/twig_stable.html
    -       

    -@@ -19058,7 +19067,7 @@ - >

    Version 1.1, March 2000

    0-9, high ascii

    /etc/my.cnf as below. -

    If you are using MySQL 4.0 or newer, enter: --

    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release

    If you are using an older version of MySQL, enter: --

      [mysqld]
    --  # Allow packets up to 1M
    --  set-variable = max_allowed_packet=1M

    There is also a parameter in Bugzilla called 'maxattachmentsize' - (default = 1000 Kb) that controls the maximum allowable attachment - size. Attachments larger than

    2.2.2.1.2. Allow small words in full-text indexes

    http://www.mysql.com/doc/en/Fulltext_Fine-tuning.html. -

    The ft_min_word_len parameter is only supported in MySQL v4 or higher. --

    2.2.2.1.3. Permit attachments table to grow beyond 4GB

    By default, MySQL will limit the size of a table to 4GB. -- This limit is present even if the underlying filesystem -- has no such limit. To set a higher limit, follow these -- instructions. --

    Run the MySQL command-line client and -- enter: --

      mysql> ALTER TABLE attachments 
    --            AVG_ROW_LENGTH=1000000, MAX_ROWS=20000;
    --          

    The above command will change the limit to 20GB. Mysql will have -- to make a temporary copy of your entire table to do this. Ideally, -- you should do this when your attachments table is still small. --

    This does not affect Big Files, attachments that are stored directly -- on disk instead of in the database. --

    2.2.2.1.4. Add a user to MySQL2.2.2.1.3. Add a user to MySQL

    You need to add a new MySQL user for Bugzilla to use. -@@ -567,10 +442,7 @@ - > Run the mysql command-line client. --

    If you are using MySQL 4.0 or newer, enter: -+> command-line client and enter: -

    2.2.2.1.4. Permit attachments table to grow beyond 4GB

    If you are using an older version of MySQL,the -- LOCK TABLES and -- CREATE TEMPORARY TABLES By default, MySQL will limit the size of a table to 4GB. -+ This limit is present even if the underlying filesystem -+ has no such limit. To set a higher limit, follow these -+ instructions. -+

    After you have completed the rest of the installation (or at least the -+ database setup parts), you should run the MySQL -- permissions will be unavailable and should be removed from -- the permissions list. In this case, the following command -- line can be used: -+ command-line client and enter the following, replacing $bugs_db -+ with your Bugzilla database name (bugs by default): -

      
            mysql> GRANT SELECT, INSERT,
    --           UPDATE, DELETE, INDEX, ALTER, CREATE, DROP,
    --           REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY
    --           ' use $db_pass';
    --           $bugs_db
    -+            mysql> FLUSH PRIVILEGES;
    ALTER TABLE attachments -+ AVG_ROW_LENGTH=1000000, MAX_ROWS=20000; -+

    The above command will change the limit to 20GB. Mysql will have -+ to make a temporary copy of your entire table to do this. Ideally, -+ you should do this when your attachments table is still small. -+

    This does not affect Big Files, attachments that are stored directly -+ on disk instead of in the database. -+

    2.2.2.2.1. Add a User to PostgreSQL

    2.2.2.2.2. Configure PostgreSQL

    2.2.3. checksetup.pl

    Section 4.3.1. -+>. You can run -+ testserver.pl to check if your web server serves -+ Bugzilla files as expected. -

    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release

    Also, thanks are due to the members of the - netscape.public.mozilla.webtools mozilla.support.bugzilla -- newsgroup. Without your discussions, insight, suggestions, and patches, -+ newsgroup (and its predecessor, netscape.public.mozilla.webtools). -+ Without your discussions, insight, suggestions, and patches, - this could never have happened. -

    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release

    5.5.1. Bugzilla Database Basics

    5.5.1.1. Bugzilla Database Tables

    - entire product...
    -
    --profiles:  Ahh, so you were wondering where your precious user information was
    --stored?  Here it is!  With the passwords in plain text for all to see! (but
    --sshh... don't tell your users!)
    -+profiles:  This table contains details for the current user accounts,
    -+including the crypted hashes of the passwords used, the associated
    -+login names, and the real name of the users.
    -
    - profiles_activity:  Need to know who did what when to who's profile?  This'll
    - tell you, it's a pretty complete history.
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/dbmodify.html bugzilla-2.22.1/docs/html/dbmodify.html ---- bugzilla-2.22/docs/html/dbmodify.html 2006-04-22 20:12:11.000000000 -0700 -+++ bugzilla-2.22.1/docs/html/dbmodify.html 2006-10-15 02:19:41.000000000 -0700 -@@ -7,7 +7,7 @@ - NAME="GENERATOR" - CONTENT="Modular DocBook HTML Stylesheet Version 1.7">The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseNext

    2.3.1. Bug Graphs

    2.3.2. Dependency Charts

    loginmethod
    user_verify_class

    This parameter should be set to data/params and set loginmethod to -+> and set user_verify_class to - "DB"NextOS-Specific Installation NotesMultiple Bugzilla databases with a single installation

    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseSection 2.4.1Section 2.5.1. -

    Microsoft has some advice on this matter, as well: -

    You can view bugs marked for 2.22.1 release -+> You can view bugs marked for 2.22.2 release - here. -- This list includes bugs for the 2.22.1 release that have already -+ This list includes bugs for the 2.22.2 release that have already - been fixed and checked into CVS. Please consult the - Announce your patch and the associated URL - (http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXXX) - for discussion in the newsgroup -- (netscape.public.mozilla.webtools). You'll get a -+ (mozilla.support.bugzilla). You'll get a - really good, fairly immediate reaction to the - implications of your patch, which will also give us - an idea how well-received the change would be. -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/flags.html bugzilla-2.22.1/docs/html/flags.html ---- bugzilla-2.22/docs/html/flags.html 2006-04-22 20:12:13.000000000 -0700 -+++ bugzilla-2.22.1/docs/html/flags.html 2006-10-15 02:19:42.000000000 -0700 -@@ -7,7 +7,7 @@ - NAME="GENERATOR" - CONTENT="Modular DocBook HTML Stylesheet Version 1.7">The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Releasenetscape.public.mozilla.webtoolsmozilla.support.bugzilla - newsgroup. -

    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release

    Version 1.1, March 2000

    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release

    0-9, high ascii

    3.11.1. Creating Groups

    3.11.2. Assigning Users to Groups

    3.11.3. Assigning Group Controls to Products

    3.11.4. Common Applications of Group Controls

    6.9.1. Autolinkification

    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release

    The Bugzilla Team

    2006-04-22

    2006-10-15

    Section 2.4Section 2.5 - before you start your installation to see if there are any special - instructions. -@@ -550,7 +550,7 @@ - > The preferred way of installing Perl modules is via CPAN on Unix, - or PPM on Windows (see Section 2.4.1.2Section 2.5.1.2). These - instructions assume you are using CPAN; if for some reason you need - to install the Perl modules manually, see -@@ -726,7 +726,7 @@ - HREF="installation.html#install-modules-template" - >Template -- (2.08) -+ (2.10) -

  11. XML::ParserXML::Twig - (any) for the XML interface -

    2.1.5.2. Template Toolkit (2.08)2.1.5.2. Template Toolkit (2.10)

    When you install Template Toolkit, you'll get asked various -@@ -993,22 +993,17 @@ - >

    2.1.5.7. XML::Parser (any)2.1.5.7. XML::Twig (any)

    The XML::Parser module is only required if you want to import -+>The XML::Twig module is only required if you want to import - XML bugs using the importxml.pl - script. This is required to use Bugzilla's "move bugs" feature; - you may also want to use it for migrating from another bug database. -- XML::Parser requires that the -- expat library is already installed on your machine. -

  12. 2.2.3. checksetup.pl
    2.3.1. Bug Graphs
    2.3.2. Dependency Charts
    2.4. Multiple Bugzilla databases with a single installation
    2.5. OS-Specific Installation Notes
    2.4.1. 2.5.1. Microsoft Windows
    2.4.2. 2.5.2.
    2.4.3. 2.5.3. Linux-Mandrake 8.0
    2.5. 2.6. UNIX (non-root) Installation Notes
    2.5.1. 2.6.1. Introduction
    2.5.2. 2.6.2. MySQL
    2.5.3. 2.6.3. Perl
    2.5.4. 2.6.4. Perl Modules
    2.5.5. 2.6.5. HTTP Server
    2.5.6. 2.6.6. Bugzilla
    -

    Template::Plugin::GD: -+


    -+       CPAN Download Page: http://search.cpan.org/dist/Template-GD/
    -+       PPM Download Link:  (Just install Template-Toolkit using the instructions below)
    -+
    -+       Documentation: http://www.template-toolkit.org/docs/aqua/Modules/index.html
    -+      

    -+

    MIME::Base64: -

    -

    XML::Parser: -+> XML::Twig: -


    -         CPAN Download Page: http://search.cpan.org/dist/XML-Parser/http://search.cpan.org/dist/XML-Twig/
    -+        PPM Download Link: http://ppm.activestate.com/PPMPackages/zips/8xx-builds-only/Windows/XML-Twig-3.22.zip
    --        PPM Download Link: Part of core distribution.
    -         Documentation: http://www.perldoc.com/perl5.6.1/lib/XML/Parser.htmlhttp://standards.ieee.org/resources/spasystem/twig/twig_stable.html
    -       

    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/myaccount.html bugzilla-2.22.1/docs/html/myaccount.html ---- bugzilla-2.22/docs/html/myaccount.html 2006-04-22 20:12:12.000000000 -0700 -+++ bugzilla-2.22.1/docs/html/myaccount.html 2006-10-15 02:19:42.000000000 -0700 -@@ -7,7 +7,7 @@ - NAME="GENERATOR" - CONTENT="Modular DocBook HTML Stylesheet Version 1.7">
    1.3. New Versions

    This is the 2.22 version of The Bugzilla Guide. It is so named -+> This is the 2.22.1 version of The Bugzilla Guide. It is so named - to match the current version of Bugzilla. -

    2.5. UNIX (non-root) Installation Notes2.6. UNIX (non-root) Installation Notes

    2.5.1. Introduction2.6.1. Introduction

    If you are running a *NIX OS as non-root, either due -@@ -103,8 +103,8 @@ - >

    2.5.2. MySQL2.6.2. MySQL

    You may have MySQL installed as root. If you're -@@ -159,16 +159,16 @@ - >

    2.5.2.1. Running MySQL as Non-Root2.6.2.1. Running MySQL as Non-Root

    2.5.2.1.1. The Custom Configuration Method2.6.2.1.1. The Custom Configuration Method

    Create a file .my.cnf in your -@@ -211,8 +211,8 @@ - >

    2.5.2.1.2. The Custom Built Method2.6.2.1.2. The Custom Built Method

    You can install MySQL as a not-root, if you really need to. -@@ -234,8 +234,8 @@ - >

    2.5.2.1.3. Starting the Server2.6.2.1.3. Starting the Server

    After your mysqld program is built and any .my.cnf file is -@@ -362,8 +362,8 @@ - >

    2.5.3. Perl2.6.3. Perl

    On the extremely rare chance that you don't have Perl on -@@ -440,7 +440,7 @@ - CLASS="section" - >2.5.4. Perl Modules2.6.4. Perl Modules

    Installing the Perl modules as a non-root user is probably the -@@ -455,8 +455,8 @@ - >

    2.5.4.1. The Independant Method2.6.4.1. The Independant Method

    The independant method requires that you install your own -@@ -527,8 +527,8 @@ - >

    2.5.4.2. The Mixed Method2.6.4.2. The Mixed Method

    First, you'll need to configure CPAN to -@@ -732,8 +732,8 @@ - >

    2.5.5. HTTP Server2.6.5. HTTP Server

    Ideally, this also needs to be installed as root and -@@ -746,8 +746,8 @@ - >

    2.5.5.1. Running Apache as Non-Root2.6.5.1. Running Apache as Non-Root

    You can run Apache as a non-root user, but the port will need -@@ -828,14 +828,14 @@ - >

    2.5.6. Bugzilla2.6.6. Bugzilla

    If you had to install Perl modules as a non-root user - (Section 2.5.4Section 2.6.4) or to non-standard - directories, you will need to change the scripts, setting the correct - location of the Perl modules:

    Prev2.4. OS-Specific Installation Notes2.5. OS-Specific Installation Notes

    Many aspects of the Bugzilla installation can be affected by the -@@ -99,7 +99,7 @@ - CLASS="section" - >2.4.1. Microsoft Windows2.5.1. Microsoft Windows

    Making Bugzilla work on Windows is more difficult than making it -@@ -114,7 +114,7 @@ - CLASS="section" - >2.4.1.1. Win32 Perl2.5.1.1. Win32 Perl

    Perl for Windows can be obtained from -@@ -138,7 +138,7 @@ - CLASS="section" - >2.4.1.2. Perl Modules on Win322.5.1.2. Perl Modules on Win32

    Bugzilla on Windows requires the same perl modules found in -@@ -270,7 +270,7 @@ - CLASS="section" - >2.4.1.3. Code changes required to run on Win322.5.1.3. Code changes required to run on Win32

    Bugzilla on Win32 is supported out of the box from version 2.20; this -@@ -283,7 +283,7 @@ - CLASS="section" - >2.4.1.4. Serving the web pages2.5.1.4. Serving the web pages

    As is the case on Unix based systems, any web server should -@@ -344,7 +344,7 @@ - CLASS="section" - >2.4.1.5. Sending Email2.5.1.5. Sending Email

    To enable Bugzilla to send email on Windows, the server running the -@@ -358,7 +358,7 @@ - CLASS="section" - >2.4.2. 2.5.2. Mac OS X2.4.2.1. Sendmail2.5.2.1. Sendmail

    In Mac OS X 10.3 and later, -@@ -400,7 +400,7 @@ - CLASS="section" - >2.4.2.2. Libraries & Perl Modules on Mac OS X2.5.2.2. Libraries & Perl Modules on Mac OS X

    Apple did not include the GD library with Mac OS X. Bugzilla -@@ -600,7 +600,7 @@ - CLASS="section" - >2.4.3. Linux-Mandrake 8.02.5.3. Linux-Mandrake 8.0

    Linux-Mandrake 8.0 includes every required and optional library -@@ -710,7 +710,7 @@ - ALIGN="left" - VALIGN="top" - >PrevOptional Additional ConfigurationMultiple Bugzilla databases with a single installation

    B.6. cannot chdir(/var/spool/mqueue)B.5. cannot chdir(/var/spool/mqueue)

    If you are installing Bugzilla on SuSE Linux, or some other -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/patches.html bugzilla-2.22.1/docs/html/patches.html ---- bugzilla-2.22/docs/html/patches.html 2006-04-22 20:12:14.000000000 -0700 -+++ bugzilla-2.22.1/docs/html/patches.html 2006-10-15 02:19:43.000000000 -0700 -@@ -7,7 +7,7 @@ - NAME="GENERATOR" - CONTENT="Modular DocBook HTML Stylesheet Version 1.7">

    At first glance, negation seems redundant. Rather than - searching for -
    - one could search for -
    - However, the search -

    6.11.2.1. Creating Charts

    6.11.2.2. Creating New Data Sets

    Simply enter the following in /etc/my.conf/etc/my.cnf: -

    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    
[myslqd]
    -+>
[mysqld]
    - # Prevent network access to MySQL.
    - skip-networking
    -         
    --Bundle::Bugzilla makes me upgrade to Perl 5.6.1
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    The Bugzilla Guide - 2.22 -- Release
    PrevAppendix B. TroubleshootingNext

    B.4. Bundle::Bugzilla makes me upgrade to Perl 5.6.1

    Try executing perl -MCPAN -e 'install CPAN' -- and then continuing. --

    Certain older versions of the CPAN toolset were somewhat naive about -- how to upgrade Perl modules. When a couple of modules got rolled into the -- core Perl distribution for 5.6.1, CPAN thought that the best way to get -- those modules up to date was to haul down the Perl distribution itself and -- build it. Needless to say, this has caused headaches for just about -- everybody. Upgrading to a newer version of CPAN with the -- commandline above should fix things. --


    PrevHomeNext
    I installed a Perl module, but -- checksetup.pl claims it's not installed!UpDBD::Sponge::db prepare failed
    -\ No newline at end of file -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/trbl-dbdsponge.html bugzilla-2.22.1/docs/html/trbl-dbdsponge.html ---- bugzilla-2.22/docs/html/trbl-dbdsponge.html 2006-04-22 20:12:13.000000000 -0700 -+++ bugzilla-2.22.1/docs/html/trbl-dbdsponge.html 2006-10-15 02:19:43.000000000 -0700 -@@ -7,15 +7,16 @@ - NAME="GENERATOR" - CONTENT="Modular DocBook HTML Stylesheet Version 1.7">The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleasePrevB.5. DBD::Sponge::db prepare failedB.4. DBD::Sponge::db prepare failed

    The following error message may appear due to a bug in DBD::mysql -@@ -170,7 +171,7 @@ - ALIGN="left" - VALIGN="top" - >PrevBundle::Bugzilla makes me upgrade to Perl 5.6.1I installed a Perl module, but -+ checksetup.pl claims it's not installed!PrevThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseB.11. checksetup.pl reports "Client does not support authentication protocol -+>B.10. checksetup.pl reports "Client does not support authentication protocol - requested by server..."

    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseNextNextBundle::Bugzilla makes me upgrade to Perl 5.6.1DBD::Sponge::db prepare failed

    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseNextB.8. Everybody is constantly being forced to reloginB.7. Everybody is constantly being forced to relogin

    The most-likely cause is that the Example B-1. Examples of urlbase/cookiepath pairs for sharing login cookies

    Example B-2. Examples of urlbase/cookiepath pairs to restrict the login cookie

    Next -+Some users are constantly being forced to relogin
    The Bugzilla Guide - 2.22.1 -+ Release
    PrevAppendix B. TroubleshootingNext

    B.8. Some users are constantly being forced to relogin

    First, make sure cookies are enabled in the user's browser. -+

    If that doesn't fix the problem, it may be that the user's ISP -+ implements a rotating proxy server. This causes the user's effective IP -+ address (the address which the Bugzilla server perceives him coming from) -+ to change periodically. Since Bugzilla cookies are tied to a specific IP -+ address, each time the effective address changes, the user will have to -+ log in again. -+

    If you are using 2.18 (or later), there is a -+ parameter called "loginnetmask", which you can use to set -+ the number of bits of the user's IP address to require to be matched when -+ authenticating the cookies. If you set this to something less than 32, -+ then the user will be given a checkbox for "Restrict this login to -+ my IP address" on the login screen, which defaults to checked. If -+ they leave the box checked, Bugzilla will behave the same as it did -+ before, requiring an exact match on their IP address to remain logged in. -+ If they uncheck the box, then only the left side of their IP address (up -+ to the number of bits you specified in the parameter) has to match to -+ remain logged in. -+


    PrevHomeNext
    Everybody is constantly being forced to reloginUpindex.cgi doesn't show up unless specified in the URL
    -\ No newline at end of file -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/trbl-testserver.html bugzilla-2.22.1/docs/html/trbl-testserver.html ---- bugzilla-2.22/docs/html/trbl-testserver.html 2006-04-22 20:12:13.000000000 -0700 -+++ bugzilla-2.22.1/docs/html/trbl-testserver.html 2006-10-15 02:19:43.000000000 -0700 -@@ -7,7 +7,7 @@ - NAME="GENERATOR" - CONTENT="Modular DocBook HTML Stylesheet Version 1.7">The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseB.7. Your vendor has not defined Fcntl macro O_NOINHERITB.6. Your vendor has not defined Fcntl macro O_NOINHERIT

    This is caused by a bug in the version of -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/troubleshooting.html bugzilla-2.22.1/docs/html/troubleshooting.html ---- bugzilla-2.22/docs/html/troubleshooting.html 2006-04-22 20:12:14.000000000 -0700 -+++ bugzilla-2.22.1/docs/html/troubleshooting.html 2006-10-15 02:19:43.000000000 -0700 -@@ -7,7 +7,7 @@ - NAME="GENERATOR" - CONTENT="Modular DocBook HTML Stylesheet Version 1.7">The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release

    B.4. Bundle::Bugzilla makes me upgrade to Perl 5.6.1
    B.5. DBD::Sponge::db prepare failed
    B.6. B.5. cannot chdir(/var/spool/mqueue)
    B.7. B.6. Your vendor has not defined Fcntl macro O_NOINHERIT
    B.8. B.7. Everybody is constantly being forced to relogin
    B.9. B.8. Some users are constantly being forced to relogin
    B.10. B.9. doesn't show up unless specified in the URL
    B.11. B.10. checksetup.pl reports "Client does not support authentication protocol - requested by server..."The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release
    6.9.1. Autolinkification
    6.13.4. Saving Your Changes
    The Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - ReleaseThe Bugzilla Guide - 2.22 -+>The Bugzilla Guide - 2.22.1 - Release

    6.13.4. Saving Your Changes

    --Some users are constantly being forced to relogin

    The Bugzilla Guide - 2.22 -- Release
    PrevAppendix B. TroubleshootingNext

    B.9. Some users are constantly being forced to relogin

    First, make sure cookies are enabled in the user's browser. --

    If that doesn't fix the problem, it may be that the user's ISP -- implements a rotating proxy server. This causes the user's effective IP -- address (the address which the Bugzilla server perceives him coming from) -- to change periodically. Since Bugzilla cookies are tied to a specific IP -- address, each time the effective address changes, the user will have to -- log in again. --

    If you are using 2.18 (or later), there is a -- parameter called "loginnetmask", which you can use to set -- the number of bits of the user's IP address to require to be matched when -- authenticating the cookies. If you set this to something less than 32, -- then the user will be given a checkbox for "Restrict this login to -- my IP address" on the login screen, which defaults to checked. If -- they leave the box checked, Bugzilla will behave the same as it did -- before, requiring an exact match on their IP address to remain logged in. -- If they uncheck the box, then only the left side of their IP address (up -- to the number of bits you specified in the parameter) has to match to -- remain logged in. --


    PrevHomeNext
    Everybody is constantly being forced to reloginUpindex.cgi doesn't show up unless specified in the URL
    -\ No newline at end of file -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/html/x757.html bugzilla-2.22.1/docs/html/x757.html ---- bugzilla-2.22/docs/html/x757.html 1969-12-31 16:00:00.000000000 -0800 -+++ bugzilla-2.22.1/docs/html/x757.html 2006-10-15 02:19:39.000000000 -0700 -@@ -0,0 +1,227 @@ -+ -+Multiple Bugzilla databases with a single installation
    The Bugzilla Guide - 2.22.1 -+ Release
    PrevChapter 2. Installing BugzillaNext

    2.4. Multiple Bugzilla databases with a single installation

    The previous instructions refered to a standard installation, with -+ one unique Bugzilla database. However, you may want to host several -+ distinct installations, without having several copies of the code. This is -+ possible by using the PROJECT environment variable. When accessed, -+ Bugzilla checks for the existence of this variable, and if present, uses -+ its value to check for an alternative configuration file named -+ localconfig.<PROJECT> in the same location as -+ the default one (localconfig). It also checks for -+ customized templates in a directory named -+ <PROJECT> in the same location as the -+ default one (template/<langcode>). By default -+ this is template/en/default so PROJECT's templates -+ would be located at template/en/PROJECT.

    To set up an alternate installation, just export PROJECT=foo before -+ running checksetup.pl for the first time. It will -+ result in a file called localconfig.foo instead of -+ localconfig. Edit this file as described above, with -+ reference to a new database, and re-run checksetup.pl -+ to populate it. That's all.

    Now you have to configure the web server to pass this environment -+ variable when accessed via an alternate URL, such as virtual host for -+ instance. The following is an example of how you could do it in Apache, -+ other Webservers may differ. -+
    
<VirtualHost 212.85.153.228:80>
    -+    ServerName foo.bar.baz
    -+    SetEnv PROJECT foo
    -+    Alias /bugzilla /var/www/bugzilla
    -+</VirtualHost>
    -+
    -+

    Don't forget to also export this variable before accessing Bugzilla -+ by other means, such as cron tasks for instance.


    PrevHomeNext
    Optional Additional ConfigurationUpOS-Specific Installation Notes
    -\ No newline at end of file -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/rel_notes.txt bugzilla-2.22.1/docs/rel_notes.txt ---- bugzilla-2.22/docs/rel_notes.txt 2006-04-21 14:44:07.000000000 -0700 -+++ bugzilla-2.22.1/docs/rel_notes.txt 2006-10-14 14:28:42.000000000 -0700 -@@ -6,6 +6,7 @@ - ***************** - - - Introduction -+- Important Updates In This Point Release - - Minimum Requirements - * Perl - * For MySQL Users -@@ -61,6 +62,46 @@ - http://www.bugzilla.org/docs/contributor.html - - -+Important Updates In This Point Release -+*************************************** -+ -+This section describes bugs fixed in releases after the original 2.22 -+release. -+ -+Version 2.22.1 -+-------------- -+ -++ When sending mail, Bugzilla could throw the error "Insecure dependency in -+ exec while running with -T switch" (bug 340538). -+ -++ Using the public webdot server (for dependency graphs) should work -+ again (bug 351243). -+ -++ The "I'm added to or removed from this capacity" email preference -+ wasn't working for new bugs (bug 349852). -+ -++ The original release of 2.22 incorrectly said it required Template-Toolkit -+ version 2.08. In actual fact, Bugzilla requires version 2.10 (bug 351478). -+ -++ votes.cgi would crash if your bug was the one confirming a bug (bug 351300). -+ -++ checksetup.pl now correctly reports if your Template::Plugin::GD module -+ is missing. If missing, it could lead to charts and graphs not working -+ (bug 345389). -+ -++ The "Keyword" field on buglist.cgi was not sorted alphabetically, so -+ it wasn't very useful for sorting (bug 342828). -+ -++ Sendmail will no longer complain about there being a newline in the -+ email address, when Bugzilla sends mail (bug 331365). -+ -++ contrib/bzdbcopy.pl would try to insert an invalid value into the -+ database, unnecessarily (bug 335572). -+ -++ Deleting a bug now correctly deletes its attachments from the database -+ (bug 339667). 
-+ -+ - Minimum Requirements - ******************** - -@@ -102,7 +143,7 @@ - DBI v1.38 - File::Spec v0.84 - File::Temp (any) -- Template Toolkit v2.08 -+ Template Toolkit v2.10 (changed from 2.20) - Text::Wrap v2001.0131 - Mail::Mailer v1.67 (changed from 2.20) - MIME::Base64 v3.01 (new in 2.22) -@@ -234,7 +275,7 @@ - -------------------------------------- - If you turn on the "strict_isolation" parameter in Bugzilla, you - will *not* be able to add any user to the CC field (or set them --as an Asignee or QA Contact) unless that user could normally see -+as an Assignee or QA Contact) unless that user could normally see - the bug. That is, you will no longer be able to "accidentally" - (or intentionally) give somebody access to a bug that they - otherwise couldn't see. -@@ -533,6 +574,24 @@ - every single user, even those with saved sessions. (It invalidates - every login cookie Bugzilla has ever given out.) - -+Version 2.22.1 -+-------------- -+ -+The Bugzilla team fixed two Information Leaks and three Cross-Site -+Scripting vulnerabilities that existed in versions of Bugzilla -+prior to 2.22.1. We strongly recommend that you update any 2.22 -+installation to 2.22.1, to be protected from these vulnerabilities. -+ -+In addition, we have made an enhancement to security in this version -+of Bugzilla. In previous versions, it was possible for malicious -+users to exploit administrators in certain ways. Although this has -+never happened (to our knowledge) in the real world, we thought it -+was important that we protect administrators from this sort of attack. 
-+ -+You can see details on all the vulnerabilities and enhancements at: -+ -+http://www.bugzilla.org/security/2.18.5/ -+ - - Release Notes For Previous Versions - ************************************ -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/txt/Bugzilla-Guide.txt bugzilla-2.22.1/docs/txt/Bugzilla-Guide.txt ---- bugzilla-2.22/docs/txt/Bugzilla-Guide.txt 2006-04-22 20:12:32.000000000 -0700 -+++ bugzilla-2.22.1/docs/txt/Bugzilla-Guide.txt 2006-10-15 02:20:04.000000000 -0700 -@@ -1,9 +1,9 @@ - --The Bugzilla Guide - 2.22 Release -+The Bugzilla Guide - 2.22.1 Release - - The Bugzilla Team - -- 2006-04-22 -+ 2006-10-15 - - This is the documentation for Bugzilla, a bug-tracking system from - mozilla.org. Bugzilla is an enterprise-class piece of software that tracks -@@ -27,8 +27,9 @@ - 2.1. Installation - 2.2. Configuration - 2.3. Optional Additional Configuration -- 2.4. OS-Specific Installation Notes -- 2.5. UNIX (non-root) Installation Notes -+ 2.4. Multiple Bugzilla databases with a single installation -+ 2.5. OS-Specific Installation Notes -+ 2.6. UNIX (non-root) Installation Notes - - 3. Administering Bugzilla - -@@ -85,14 +86,13 @@ - B.3. I installed a Perl module, but checksetup.pl claims it's not - installed! - -- B.4. Bundle::Bugzilla makes me upgrade to Perl 5.6.1 -- B.5. DBD::Sponge::db prepare failed -- B.6. cannot chdir(/var/spool/mqueue) -- B.7. Your vendor has not defined Fcntl macro O_NOINHERIT -- B.8. Everybody is constantly being forced to relogin -- B.9. Some users are constantly being forced to relogin -- B.10. index.cgi doesn't show up unless specified in the URL -- B.11. checksetup.pl reports "Client does not support authentication -+ B.4. DBD::Sponge::db prepare failed -+ B.5. cannot chdir(/var/spool/mqueue) -+ B.6. Your vendor has not defined Fcntl macro O_NOINHERIT -+ B.7. Everybody is constantly being forced to relogin -+ B.8. Some users are constantly being forced to relogin -+ B.9. 
index.cgi doesn't show up unless specified in the URL -+ B.10. checksetup.pl reports "Client does not support authentication - protocol requested by server..." - - C. Contrib -@@ -175,8 +175,8 @@ - - 1.3. New Versions - -- This is the 2.22 version of The Bugzilla Guide. It is so named to match the -- current version of Bugzilla. -+ This is the 2.22.1 version of The Bugzilla Guide. It is so named to match -+ the current version of Bugzilla. - - The latest version of this guide can always be found at - http://www.bugzilla.org, or checked out via CVS by following the Mozilla CVS -@@ -236,9 +236,10 @@ - Zach Lipton, Gervase Markham, Andrew Pearson, Joe Robins, Spencer Smith, Ron - Teitelbaum, Shane Travis, Martin Wulffeld. - -- Also, thanks are due to the members of the netscape.public.mozilla.webtools -- newsgroup. Without your discussions, insight, suggestions, and patches, this -- could never have happened. -+ Also, thanks are due to the members of the mozilla.support.bugzilla -+ newsgroup (and its predecessor, netscape.public.mozilla.webtools). Without -+ your discussions, insight, suggestions, and patches, this could never have -+ happened. - _________________________________________________________________ - - 1.5. Document Conventions -@@ -283,7 +284,7 @@ - URL to access it over the web. - - The Bugzilla server software is usually installed on Linux or Solaris. If -- you are installing on another OS, check Section 2.4 before you start your -+ you are installing on another OS, check Section 2.5 before you start your - installation to see if there are any special instructions. - - As an alternative to following these instructions, you may wish to try Arne -@@ -415,7 +416,7 @@ - 5.6.1 or above. - - The preferred way of installing Perl modules is via CPAN on Unix, or PPM on -- Windows (see Section 2.4.1.2). These instructions assume you are using CPAN; -+ Windows (see Section 2.5.1.2). 
These instructions assume you are using CPAN; - if for some reason you need to install the Perl modules manually, see - Appendix D. - bash# perl -MCPAN -e 'install ""' -@@ -453,7 +454,7 @@ - 7. DBD::Pg (1.31) if using PostgreSQL - 8. File::Spec (0.84) - 9. File::Temp (any) -- 10. Template (2.08) -+ 10. Template (2.10) - 11. Text::Wrap (2001.0131) - 12. Mail::Mailer (1.67) - 13. MIME::Base64 (3.01) -@@ -466,7 +467,7 @@ - 2. Chart::Base (1.0) for bug charting - 3. GD::Graph (any) for bug charting - 4. GD::Text::Align (any) for bug charting -- 5. XML::Parser (any) for the XML interface -+ 5. XML::Twig (any) for the XML interface - 6. PatchReader (0.9.4) for pretty HTML view of patches - 7. Image::Magick (any) for converting BMP image attachments to PNG - _________________________________________________________________ -@@ -486,7 +487,7 @@ - which MySQL creates upon installation. - _________________________________________________________________ - --2.1.5.2. Template Toolkit (2.08) -+2.1.5.2. Template Toolkit (2.10) - - When you install Template Toolkit, you'll get asked various questions about - features to enable. The defaults are fine, except that it is recommended you -@@ -525,13 +526,12 @@ - The GD::Text::Align module is only required if you want graphical reports. - _________________________________________________________________ - --2.1.5.7. XML::Parser (any) -+2.1.5.7. XML::Twig (any) - -- The XML::Parser module is only required if you want to import XML bugs using -+ The XML::Twig module is only required if you want to import XML bugs using - the importxml.pl script. This is required to use Bugzilla's "move bugs" - feature; you may also want to use it for migrating from another bug -- database. XML::Parser requires that the expat library is already installed -- on your machine. -+ database. - _________________________________________________________________ - - 2.1.5.8. 
PatchReader (0.9.4) -@@ -633,17 +633,10 @@ - By default, MySQL will only accept packets up to 64Kb in size. If you want - to have attachments larger than this, you will need to modify your - /etc/my.cnf as below. -- -- If you are using MySQL 4.0 or newer, enter: - [mysqld] - # Allow packets up to 1M - max_allowed_packet=1M - -- If you are using an older version of MySQL, enter: -- [mysqld] -- # Allow packets up to 1M -- set-variable = max_allowed_packet=1M -- - There is also a parameter in Bugzilla called 'maxattachmentsize' (default = - 1000 Kb) that controls the maximum allowable attachment size. Attachments - larger than either the 'max_allowed_packet' or 'maxattachmentsize' value -@@ -669,29 +662,9 @@ - - Rebuilding the indexes can be done based on documentation found at - http://www.mysql.com/doc/en/Fulltext_Fine-tuning.html. -- -- Note The ft_min_word_len parameter is only supported in MySQL v4 or higher. -- _________________________________________________________________ -- --2.2.2.1.3. Permit attachments table to grow beyond 4GB -- -- By default, MySQL will limit the size of a table to 4GB. This limit is -- present even if the underlying filesystem has no such limit. To set a higher -- limit, follow these instructions. -- -- Run the MySQL command-line client and enter: -- mysql> ALTER TABLE attachments -- AVG_ROW_LENGTH=1000000, MAX_ROWS=20000; -- -- The above command will change the limit to 20GB. Mysql will have to make a -- temporary copy of your entire table to do this. Ideally, you should do this -- when your attachments table is still small. -- -- Note This does not affect Big Files, attachments that are stored directly on -- disk instead of in the database. - _________________________________________________________________ - --2.2.2.1.4. Add a user to MySQL -+2.2.2.1.3. Add a user to MySQL - - You need to add a new MySQL user for Bugzilla to use. (It's not safe to have - Bugzilla use the MySQL root account.) 
The following instructions assume the -@@ -704,23 +677,34 @@ - the account to connect from "localhost". Modify it to reflect your setup if - you will be connecting from another machine or as a different user. - -- Run the mysql command-line client. -- -- If you are using MySQL 4.0 or newer, enter: -+ Run the mysql command-line client and enter: - mysql> GRANT SELECT, INSERT, - UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, - CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* - TO bugs@localhost IDENTIFIED BY '$db_pass'; - mysql> FLUSH PRIVILEGES; -+ _________________________________________________________________ - -- If you are using an older version of MySQL,the LOCK TABLES and CREATE -- TEMPORARY TABLES permissions will be unavailable and should be removed from -- the permissions list. In this case, the following command line can be used: -- mysql> GRANT SELECT, INSERT, -- UPDATE, DELETE, INDEX, ALTER, CREATE, DROP, -- REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY -- '$db_pass'; -- mysql> FLUSH PRIVILEGES; -+2.2.2.1.4. Permit attachments table to grow beyond 4GB -+ -+ By default, MySQL will limit the size of a table to 4GB. This limit is -+ present even if the underlying filesystem has no such limit. To set a higher -+ limit, follow these instructions. -+ -+ After you have completed the rest of the installation (or at least the -+ database setup parts), you should run the MySQL command-line client and -+ enter the following, replacing $bugs_db with your Bugzilla database name -+ (bugs by default): -+ mysql> use $bugs_db -+ mysql> ALTER TABLE attachments -+ AVG_ROW_LENGTH=1000000, MAX_ROWS=20000; -+ -+ The above command will change the limit to 20GB. Mysql will have to make a -+ temporary copy of your entire table to do this. Ideally, you should do this -+ when your attachments table is still small. -+ -+ Note This does not affect Big Files, attachments that are stored directly on -+ disk instead of in the database. 
- _________________________________________________________________ - - 2.2.2.2. PostgreSQL -@@ -802,7 +786,8 @@ - section. (If it makes a difference in your choice, the Bugzilla Team - recommends Apache.) Regardless of which webserver you are using, however, - ensure that sensitive information is not remotely available by properly -- applying the access controls in Section 4.3.1. -+ applying the access controls in Section 4.3.1. You can run testserver.pl to -+ check if your web server serves Bugzilla files as expected. - _________________________________________________________________ - - 2.2.4.1. Apache httpd -@@ -1054,13 +1039,13 @@ - - Parameters required to use LDAP Authentication: - -- loginmethod -+ user_verify_class - This parameter should be set to "LDAP" only if you will be using an - LDAP directory for authentication. If you set this param to "LDAP" - but fail to set up the other parameters listed below you will not be - able to log back in to Bugzilla one you log out. If this happens to -- you, you will need to manually edit data/params and set loginmethod -- to "DB". -+ you, you will need to manually edit data/params and set -+ user_verify_class to "DB". - - LDAPserver - This parameter should be set to the name (and optionally the port) of -@@ -1116,7 +1101,41 @@ - AddType application/rdf+xml .rdf - _________________________________________________________________ - --2.4. OS-Specific Installation Notes -+2.4. Multiple Bugzilla databases with a single installation -+ -+ The previous instructions refered to a standard installation, with one -+ unique Bugzilla database. However, you may want to host several distinct -+ installations, without having several copies of the code. This is possible -+ by using the PROJECT environment variable. When accessed, Bugzilla checks -+ for the existence of this variable, and if present, uses its value to check -+ for an alternative configuration file named localconfig. 
in the -+ same location as the default one (localconfig). It also checks for -+ customized templates in a directory named in the same location as -+ the default one (template/). By default this is -+ template/en/default so PROJECT's templates would be located at -+ template/en/PROJECT. -+ -+ To set up an alternate installation, just export PROJECT=foo before running -+ checksetup.pl for the first time. It will result in a file called -+ localconfig.foo instead of localconfig. Edit this file as described above, -+ with reference to a new database, and re-run checksetup.pl to populate it. -+ That's all. -+ -+ Now you have to configure the web server to pass this environment variable -+ when accessed via an alternate URL, such as virtual host for instance. The -+ following is an example of how you could do it in Apache, other Webservers -+ may differ. -+ -+ ServerName foo.bar.baz -+ SetEnv PROJECT foo -+ Alias /bugzilla /var/www/bugzilla -+ -+ -+ Don't forget to also export this variable before accessing Bugzilla by other -+ means, such as cron tasks for instance. -+ _________________________________________________________________ -+ -+2.5. OS-Specific Installation Notes - - Many aspects of the Bugzilla installation can be affected by the operating - system you choose to install it on. Sometimes it can be made easier and -@@ -1128,7 +1147,7 @@ - please file a bug in Bugzilla Documentation. - _________________________________________________________________ - --2.4.1. Microsoft Windows -+2.5.1. Microsoft Windows - - Making Bugzilla work on Windows is more difficult than making it work on - Unix. For that reason, we still recommend doing so on a Unix based system -@@ -1136,7 +1155,7 @@ - Windows, you will need to make the following adjustments. - _________________________________________________________________ - --2.4.1.1. Win32 Perl -+2.5.1.1. Win32 Perl - - Perl for Windows can be obtained from ActiveState. 
You should be able to - find a compiled binary at -@@ -1144,7 +1163,7 @@ - instructions assume that you are using version 5.8.1 of ActiveState. - _________________________________________________________________ - --2.4.1.2. Perl Modules on Win32 -+2.5.1.2. Perl Modules on Win32 - - Bugzilla on Windows requires the same perl modules found in Section 2.1.5. - The main difference is that windows uses PPM instead of CPAN. -@@ -1167,13 +1186,13 @@ - documentation. - _________________________________________________________________ - --2.4.1.3. Code changes required to run on Win32 -+2.5.1.3. Code changes required to run on Win32 - - Bugzilla on Win32 is supported out of the box from version 2.20; this means - that no code changes are required to get Bugzilla running. - _________________________________________________________________ - --2.4.1.4. Serving the web pages -+2.5.1.4. Serving the web pages - - As is the case on Unix based systems, any web server should be able to - handle Bugzilla; however, the Bugzilla Team still recommends Apache whenever -@@ -1186,18 +1205,18 @@ - every script to contain your path to perl perl instead of /usr/bin/perl. - _________________________________________________________________ - --2.4.1.5. Sending Email -+2.5.1.5. Sending Email - - To enable Bugzilla to send email on Windows, the server running the Bugzilla - code must be able to connect to, or act as, an SMTP server. - _________________________________________________________________ - --2.4.2. Mac OS X -+2.5.2. Mac OS X - - Making Bugzilla work on Mac OS X requires the following adjustments. - _________________________________________________________________ - --2.4.2.1. Sendmail -+2.5.2.1. Sendmail - - In Mac OS X 10.3 and later, Postfix is used as the built-in email server. - Postfix provides an executable that mimics sendmail enough to fool Bugzilla, -@@ -1210,7 +1229,7 @@ - parameter in Section 3.1. 
- _________________________________________________________________ - --2.4.2.2. Libraries & Perl Modules on Mac OS X -+2.5.2.2. Libraries & Perl Modules on Mac OS X - - Apple did not include the GD library with Mac OS X. Bugzilla needs this for - bug graphs. -@@ -1253,7 +1272,7 @@ - correctly with Bugzilla. - _________________________________________________________________ - --2.4.3. Linux-Mandrake 8.0 -+2.5.3. Linux-Mandrake 8.0 - - Linux-Mandrake 8.0 includes every required and optional library for - Bugzilla. The easiest way to install them is by using the urpmi utility. If -@@ -1270,9 +1289,9 @@ - for Bugzilla email integration - _________________________________________________________________ - --2.5. UNIX (non-root) Installation Notes -+2.6. UNIX (non-root) Installation Notes - --2.5.1. Introduction -+2.6.1. Introduction - - If you are running a *NIX OS as non-root, either due to lack of access (web - hosts, for example) or for security reasons, this will detail how to install -@@ -1281,7 +1300,7 @@ - notes will reference to steps in that guide.) - _________________________________________________________________ - --2.5.2. MySQL -+2.6.2. MySQL - - You may have MySQL installed as root. If you're setting up an account with a - web host, a MySQL account needs to be set up for you. From there, you can -@@ -1298,9 +1317,9 @@ - (for obvious reasons), so skip that step. - _________________________________________________________________ - --2.5.2.1. Running MySQL as Non-Root -+2.6.2.1. Running MySQL as Non-Root - --2.5.2.1.1. The Custom Configuration Method -+2.6.2.1.1. The Custom Configuration Method - - Create a file .my.cnf in your home directory (using /home/foo in this - example) as follows.... -@@ -1322,7 +1341,7 @@ - pid-file=/home/foo/mymysql/the.pid - _________________________________________________________________ - --2.5.2.1.2. The Custom Built Method -+2.6.2.1.2. The Custom Built Method - - You can install MySQL as a not-root, if you really need to. 
Build it with - PREFIX set to /home/foo/mysql, or use pre-installed executables, specifying -@@ -1331,7 +1350,7 @@ - -P option to specify a TCP port that is not in use. - _________________________________________________________________ - --2.5.2.1.3. Starting the Server -+2.6.2.1.3. Starting the Server - - After your mysqld program is built and any .my.cnf file is in place, you - must initialize the databases (ONCE). -@@ -1357,7 +1376,7 @@ - which you are a user! - _________________________________________________________________ - --2.5.3. Perl -+2.6.3. Perl - - On the extremely rare chance that you don't have Perl on the machine, you - will have to build the sources yourself. The following commands should get -@@ -1378,7 +1397,7 @@ - on this page. - _________________________________________________________________ - --2.5.4. Perl Modules -+2.6.4. Perl Modules - - Installing the Perl modules as a non-root user is probably the hardest part - of the process. There are two different methods: a completely independant -@@ -1388,7 +1407,7 @@ - space as the modules themselves, but takes more work to setup. - _________________________________________________________________ - --2.5.4.1. The Independant Method -+2.6.4.1. The Independant Method - - The independant method requires that you install your own personal version - of Perl, as detailed in the previous section. Once installed, you can start -@@ -1406,7 +1425,7 @@ - you have any hang-ups, you can consult the next section. - _________________________________________________________________ - --2.5.4.2. The Mixed Method -+2.6.4.2. The Mixed Method - - First, you'll need to configure CPAN to install modules in your home - directory. The CPAN FAQ says the following on this issue: -@@ -1472,7 +1491,7 @@ - install MIME::Parser - _________________________________________________________________ - --2.5.5. HTTP Server -+2.6.5. 
HTTP Server - - Ideally, this also needs to be installed as root and run under a special - webserver account. As long as the web server will allow the running of *.cgi -@@ -1480,7 +1499,7 @@ - (such as a .htaccess file), you should be good in this department. - _________________________________________________________________ - --2.5.5.1. Running Apache as Non-Root -+2.6.5.1. Running Apache as Non-Root - - You can run Apache as a non-root user, but the port will need to be set to - one above 1024. If you type httpd -V, you will get a list of the variables -@@ -1503,9 +1522,9 @@ - which you are a user! - _________________________________________________________________ - --2.5.6. Bugzilla -+2.6.6. Bugzilla - -- If you had to install Perl modules as a non-root user (Section 2.5.4) or to -+ If you had to install Perl modules as a non-root user (Section 2.6.4) or to - non-standard directories, you will need to change the scripts, setting the - correct location of the Perl modules: - -@@ -2705,8 +2724,8 @@ - - Example 4-3. Disabling Networking in MySQL - -- Simply enter the following in /etc/my.conf: --[myslqd] -+ Simply enter the following in /etc/my.cnf: -+[mysqld] - # Prevent network access to MySQL. - skip-networking - _________________________________________________________________ -@@ -3473,10 +3492,9 @@ - will be nice when the components table supports these same features, so you - could close a particular component for bug entry without having to close an - entire product... -- profiles: Ahh, so you were wondering where your precious user information w -- as -- stored? Here it is! With the passwords in plain text for all to see! (but -- sshh... don't tell your users!) -+ profiles: This table contains details for the current user accounts, -+ including the crypted hashes of the passwords used, the associated -+ login names, and the real name of the users. - profiles_activity: Need to know who did what when to who's profile? 
This'l - l - tell you, it's a pretty complete history. -@@ -5234,7 +5252,7 @@ - (perl, a webserver, an MTA, etc.) then installation of Bugzilla on a Windows - box should be no more difficult than on any other platform. As with any - installation, we recommend that you carefully and completely follow the -- installation instructions in Section 2.4.1. -+ installation instructions in Section 2.5.1. - - While doing so, don't forget to check out the very excellent guide to - Installing Bugzilla on Microsoft Windows written by Byron Jones. Thanks, -@@ -5393,8 +5411,8 @@ - - Try this link to view current bugs or requests for enhancement for Bugzilla. - -- You can view bugs marked for 2.22.1 release here. This list includes bugs -- for the 2.22.1 release that have already been fixed and checked into CVS. -+ You can view bugs marked for 2.22.2 release here. This list includes bugs -+ for the 2.22.2 release that have already been fixed and checked into CVS. - Please consult the Bugzilla Project Page for details on how to check current - sources out of CVS so you can have these bug fixes early! - -@@ -5418,9 +5436,9 @@ - indicate the text you are sending is a patch! - 3. Announce your patch and the associated URL - (http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXXX) for discussion in -- the newsgroup (netscape.public.mozilla.webtools). You'll get a really -- good, fairly immediate reaction to the implications of your patch, which -- will also give us an idea how well-received the change would be. -+ the newsgroup (mozilla.support.bugzilla). You'll get a really good, -+ fairly immediate reaction to the implications of your patch, which will -+ also give us an idea how well-received the change would be. - 4. If it passes muster with minimal modification, the person to whom the - bug is assigned in Bugzilla is responsible for seeing the patch is - checked into CVS. 
-@@ -5439,8 +5457,7 @@ - - If you can't get checksetup.pl to run to completion, it normally explains - what's wrong and how to fix it. If you can't work it out, or if it's being -- uncommunicative, post the errors in the netscape.public.mozilla.webtools -- newsgroup. -+ uncommunicative, post the errors in the mozilla.support.bugzilla newsgroup. - - If you have made it all the way through Section 2.1 (Installation) and - Section 2.2 (Configuration) but accessing the Bugzilla URL doesn't work, the -@@ -5487,20 +5504,7 @@ - is recommended that they be world readable. - _________________________________________________________________ - --B.4. Bundle::Bugzilla makes me upgrade to Perl 5.6.1 -- -- Try executing perl -MCPAN -e 'install CPAN' and then continuing. -- -- Certain older versions of the CPAN toolset were somewhat naive about how to -- upgrade Perl modules. When a couple of modules got rolled into the core Perl -- distribution for 5.6.1, CPAN thought that the best way to get those modules -- up to date was to haul down the Perl distribution itself and build it. -- Needless to say, this has caused headaches for just about everybody. -- Upgrading to a newer version of CPAN with the commandline above should fix -- things. -- _________________________________________________________________ -- --B.5. DBD::Sponge::db prepare failed -+B.4. DBD::Sponge::db prepare failed - - The following error message may appear due to a bug in DBD::mysql (over - which the Bugzilla team have no control): -@@ -5528,7 +5532,7 @@ - (note the S added to NAME.) - _________________________________________________________________ - --B.6. cannot chdir(/var/spool/mqueue) -+B.5. cannot chdir(/var/spool/mqueue) - - If you are installing Bugzilla on SuSE Linux, or some other distributions - with "paranoid" security options, it is possible that the checksetup.pl -@@ -5541,7 +5545,7 @@ - /var/spool/mqueue directory. - _________________________________________________________________ - --B.7. 
Your vendor has not defined Fcntl macro O_NOINHERIT -+B.6. Your vendor has not defined Fcntl macro O_NOINHERIT - - This is caused by a bug in the version of File::Temp that is distributed - with perl 5.6.0. Many minor variations of this error have been reported: -@@ -5577,7 +5581,7 @@ - }; - _________________________________________________________________ - --B.8. Everybody is constantly being forced to relogin -+B.7. Everybody is constantly being forced to relogin - - The most-likely cause is that the "cookiepath" parameter is not set - correctly in the Bugzilla configuration. You can change this (if you're a -@@ -5631,7 +5635,7 @@ - browser (this is true starting with Bugzilla 2.18 and Bugzilla 2.16.5). - _________________________________________________________________ - --B.9. Some users are constantly being forced to relogin -+B.8. Some users are constantly being forced to relogin - - First, make sure cookies are enabled in the user's browser. - -@@ -5653,7 +5657,7 @@ - logged in. - _________________________________________________________________ - --B.10. index.cgi doesn't show up unless specified in the URL -+B.9. index.cgi doesn't show up unless specified in the URL - - You probably need to set up your web server in such a way that it will serve - the index.cgi page as an index page. -@@ -5662,7 +5666,7 @@ - the DirectoryIndex line as mentioned in Section 2.2.4.1. - _________________________________________________________________ - --B.11. checksetup.pl reports "Client does not support authentication protocol -+B.10. checksetup.pl reports "Client does not support authentication protocol - requested by server..." 
- - This error is occurring because you are using the new password encryption -@@ -5848,6 +5852,14 @@ - PPM Download Link: http://landfill.bugzilla.org/ppm/GD.ppd - Documentation: http://stein.cshl.org/WWW/software/GD/ - -+ Template::Plugin::GD: -+ -+ CPAN Download Page: http://search.cpan.org/dist/Template-GD/ -+ PPM Download Link: (Just install Template-Toolkit using the instruct -+ ions below) -+ Documentation: http://www.template-toolkit.org/docs/aqua/Modules/inde -+ x.html -+ - MIME::Base64: - - CPAN Download Page: http://search.cpan.org/dist/MIME-Base64/ -@@ -5885,11 +5897,13 @@ - PPM Download Page: http://landfill.bugzilla.org/ppm/GDTextUtil.ppd - Documentation: http://search.cpan.org/dist/GDTextUtil/Text/Align.pm - -- XML::Parser: -+ XML::Twig: - -- CPAN Download Page: http://search.cpan.org/dist/XML-Parser/ -- PPM Download Link: Part of core distribution. -- Documentation: http://www.perldoc.com/perl5.6.1/lib/XML/Parser.html -+ CPAN Download Page: http://search.cpan.org/dist/XML-Twig/ -+ PPM Download Link: http://ppm.activestate.com/PPMPackages/zips/8xx-b -+ uilds-only/Windows/XML-Twig-3.22.zip -+ Documentation: http://standards.ieee.org/resources/spasystem/twig/tw -+ ig_stable.html - - PatchReader: - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/about.xml bugzilla-2.22.1/docs/xml/about.xml ---- bugzilla-2.22/docs/xml/about.xml 2006-04-22 19:45:10.000000000 -0700 -+++ bugzilla-2.22.1/docs/xml/about.xml 2006-06-06 08:25:33.000000000 -0700 -@@ -1,6 +1,6 @@ - -- -+ - - - About This Guide -@@ -207,9 +207,10 @@ - - - Also, thanks are due to the members of the -- -- netscape.public.mozilla.webtools -- newsgroup. Without your discussions, insight, suggestions, and patches, -+ -+ mozilla.support.bugzilla -+ newsgroup (and its predecessor, netscape.public.mozilla.webtools). -+ Without your discussions, insight, suggestions, and patches, - this could never have happened. 
- - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/Bugzilla-Guide.xml bugzilla-2.22.1/docs/xml/Bugzilla-Guide.xml ---- bugzilla-2.22/docs/xml/Bugzilla-Guide.xml 2006-04-22 19:45:10.000000000 -0700 -+++ bugzilla-2.22.1/docs/xml/Bugzilla-Guide.xml 2006-10-15 01:32:58.000000000 -0700 -@@ -31,9 +31,9 @@ - For a devel release, simple bump bz-ver and bz-date - --> - -- -- -- -+ -+ -+ - - - -@@ -46,7 +46,7 @@ - - - -- -+ - - - -@@ -66,7 +66,7 @@ - - - -- -+ - - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/customization.xml bugzilla-2.22.1/docs/xml/customization.xml ---- bugzilla-2.22/docs/xml/customization.xml 2006-03-05 09:15:13.000000000 -0800 -+++ bugzilla-2.22.1/docs/xml/customization.xml 2006-06-09 04:31:01.000000000 -0700 -@@ -1007,9 +1007,9 @@ - could close a particular component for bug entry without having to close an - entire product... - --profiles: Ahh, so you were wondering where your precious user information was --stored? Here it is! With the passwords in plain text for all to see! (but --sshh... don't tell your users!) -+profiles: This table contains details for the current user accounts, -+including the crypted hashes of the passwords used, the associated -+login names, and the real name of the users. - - profiles_activity: Need to know who did what when to who's profile? This'll - tell you, it's a pretty complete history. -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/faq.xml bugzilla-2.22.1/docs/xml/faq.xml ---- bugzilla-2.22/docs/xml/faq.xml 2006-03-03 14:50:57.000000000 -0800 -+++ bugzilla-2.22.1/docs/xml/faq.xml 2006-06-06 08:25:33.000000000 -0700 -@@ -1573,7 +1573,7 @@ - Announce your patch and the associated URL - (http://bugzilla.mozilla.org/show_bug.cgi?id=XXXXXX) - for discussion in the newsgroup -- (netscape.public.mozilla.webtools). You'll get a -+ (mozilla.support.bugzilla). 
You'll get a - really good, fairly immediate reaction to the - implications of your patch, which will also give us - an idea how well-received the change would be. -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/installation.xml bugzilla-2.22.1/docs/xml/installation.xml ---- bugzilla-2.22/docs/xml/installation.xml 2006-03-03 14:23:18.000000000 -0800 -+++ bugzilla-2.22.1/docs/xml/installation.xml 2006-08-14 08:56:11.000000000 -0700 -@@ -1,5 +1,5 @@ - -- -+ - - Installing Bugzilla - -@@ -410,8 +410,8 @@ - - - -- XML::Parser -- (&min-xml-parser-ver;) for the XML interface -+ XML::Twig -+ (&min-xml-twig-ver;) for the XML interface - - - -@@ -508,15 +508,13 @@ - - - --
    -- XML::Parser (&min-xml-parser-ver;) -+
    -+ XML::Twig (&min-xml-twig-ver;) - -- The XML::Parser module is only required if you want to import -+ The XML::Twig module is only required if you want to import - XML bugs using the importxml.pl - script. This is required to use Bugzilla's "move bugs" feature; - you may also want to use it for migrating from another bug database. -- XML::Parser requires that the -- expat library is already installed on your machine. - -
    - -@@ -678,21 +676,11 @@ - to modify your /etc/my.cnf as below. - - -- -- If you are using MySQL 4.0 or newer, enter: -- - [mysqld] - # Allow packets up to 1M - max_allowed_packet=1M - - -- If you are using an older version of MySQL, enter: -- -- [mysqld] -- # Allow packets up to 1M -- set-variable = max_allowed_packet=1M -- -- - There is also a parameter in Bugzilla called 'maxattachmentsize' - (default = 1000 Kb) that controls the maximum allowable attachment - size. Attachments larger than either the -@@ -729,45 +717,6 @@ - Rebuilding the indexes can be done based on documentation found at - . - -- -- -- -- The ft_min_word_len parameter is only supported in MySQL v4 or higher. -- -- --
    -- --
    -- Permit attachments table to grow beyond 4GB -- -- -- By default, MySQL will limit the size of a table to 4GB. -- This limit is present even if the underlying filesystem -- has no such limit. To set a higher limit, follow these -- instructions. -- -- -- -- Run the MySQL command-line client and -- enter: -- -- -- mysql> ALTER TABLE attachments -- AVG_ROW_LENGTH=1000000, MAX_ROWS=20000; -- -- -- -- The above command will change the limit to 20GB. Mysql will have -- to make a temporary copy of your entire table to do this. Ideally, -- you should do this when your attachments table is still small. -- -- -- -- -- This does not affect Big Files, attachments that are stored directly -- on disk instead of in the database. -- -- -
    - -
    -@@ -795,11 +744,7 @@ - - - -- Run the mysql command-line client. -- -- -- -- If you are using MySQL 4.0 or newer, enter: -+ Run the mysql command-line client and enter: - - - mysql> GRANT SELECT, INSERT, -@@ -808,21 +753,44 @@ - TO bugs@localhost IDENTIFIED BY '$db_pass'; - mysql> FLUSH PRIVILEGES; - -+
    -+ -+
    -+ Permit attachments table to grow beyond 4GB -+ -+ -+ By default, MySQL will limit the size of a table to 4GB. -+ This limit is present even if the underlying filesystem -+ has no such limit. To set a higher limit, follow these -+ instructions. -+ -+ - -- If you are using an older version of MySQL,the -- LOCK TABLES and -- CREATE TEMPORARY TABLES -- permissions will be unavailable and should be removed from -- the permissions list. In this case, the following command -- line can be used: -+ After you have completed the rest of the installation (or at least the -+ database setup parts), you should run the MySQL -+ command-line client and enter the following, replacing $bugs_db -+ with your Bugzilla database name (bugs by default): - - -- mysql> GRANT SELECT, INSERT, -- UPDATE, DELETE, INDEX, ALTER, CREATE, DROP, -- REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY -- '$db_pass'; -- mysql> FLUSH PRIVILEGES; --
    -+ -+ mysql> use $bugs_db -+ mysql> ALTER TABLE attachments -+ AVG_ROW_LENGTH=1000000, MAX_ROWS=20000; -+ -+ -+ -+ The above command will change the limit to 20GB. Mysql will have -+ to make a temporary copy of your entire table to do this. Ideally, -+ you should do this when your attachments table is still small. -+ -+ -+ -+ -+ This does not affect Big Files, attachments that are stored directly -+ on disk instead of in the database. -+ -+ -+ - - -
    -@@ -937,7 +905,9 @@ - the Bugzilla Team recommends Apache.) Regardless of which webserver - you are using, however, ensure that sensitive information is - not remotely available by properly applying the access controls in -- . -+ . You can run -+ testserver.pl to check if your web server serves -+ Bugzilla files as expected. - - -
    -@@ -1400,12 +1370,12 @@ - 201069. - - -- -+ - Parameters required to use LDAP Authentication: - - -- -- loginmethod -+ -+ user_verify_class - - This parameter should be set to LDAP - only if you will be using an LDAP directory -@@ -1413,7 +1383,7 @@ - fail to set up the other parameters listed below you will not be - able to log back in to Bugzilla one you log out. If this happens - to you, you will need to manually edit -- data/params and set loginmethod to -+ data/params and set user_verify_class to - DB. - - -@@ -1507,6 +1477,46 @@ -
    -
    - -+
    -+ Multiple Bugzilla databases with a single installation -+ -+ The previous instructions refered to a standard installation, with -+ one unique Bugzilla database. However, you may want to host several -+ distinct installations, without having several copies of the code. This is -+ possible by using the PROJECT environment variable. When accessed, -+ Bugzilla checks for the existence of this variable, and if present, uses -+ its value to check for an alternative configuration file named -+ localconfig.<PROJECT> in the same location as -+ the default one (localconfig). It also checks for -+ customized templates in a directory named -+ <PROJECT> in the same location as the -+ default one (template/<langcode>). By default -+ this is template/en/default so PROJECT's templates -+ would be located at template/en/PROJECT. -+ -+ To set up an alternate installation, just export PROJECT=foo before -+ running checksetup.pl for the first time. It will -+ result in a file called localconfig.foo instead of -+ localconfig. Edit this file as described above, with -+ reference to a new database, and re-run checksetup.pl -+ to populate it. That's all. -+ -+ Now you have to configure the web server to pass this environment -+ variable when accessed via an alternate URL, such as virtual host for -+ instance. The following is an example of how you could do it in Apache, -+ other Webservers may differ. -+ -+<VirtualHost 212.85.153.228:80> -+ ServerName foo.bar.baz -+ SetEnv PROJECT foo -+ Alias /bugzilla /var/www/bugzilla -+</VirtualHost> -+ -+ -+ -+ Don't forget to also export this variable before accessing Bugzilla -+ by other means, such as cron tasks for instance. -+
    - -
    - OS-Specific Installation Notes -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/modules.xml bugzilla-2.22.1/docs/xml/modules.xml ---- bugzilla-2.22/docs/xml/modules.xml 2005-12-30 07:39:01.000000000 -0800 -+++ bugzilla-2.22.1/docs/xml/modules.xml 2006-07-24 23:21:28.000000000 -0700 -@@ -149,6 +149,16 @@ - - - -+ Template::Plugin::GD: -+ -+ CPAN Download Page: -+ PPM Download Link: (Just install Template-Toolkit using the instructions below) -+ -+ Documentation: -+ -+ -+ -+ - MIME::Base64: - - CPAN Download Page: -@@ -199,11 +209,11 @@ - - - -- XML::Parser: -+ XML::Twig: - -- CPAN Download Page: -- PPM Download Link: Part of core distribution. -- Documentation: -+ CPAN Download Page: -+ PPM Download Link: -+ Documentation: - - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/security.xml bugzilla-2.22.1/docs/xml/security.xml ---- bugzilla-2.22/docs/xml/security.xml 2006-03-01 05:04:36.000000000 -0800 -+++ bugzilla-2.22.1/docs/xml/security.xml 2006-05-16 12:00:45.000000000 -0700 -@@ -1,5 +1,5 @@ - -- -+ - - - Bugzilla Security -@@ -147,9 +147,9 @@ - - Disabling Networking in MySQL - -- Simply enter the following in /etc/my.conf: -+ Simply enter the following in /etc/my.cnf: - --[myslqd] -+[mysqld] - # Prevent network access to MySQL. - skip-networking - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/docs/xml/troubleshooting.xml bugzilla-2.22.1/docs/xml/troubleshooting.xml ---- bugzilla-2.22/docs/xml/troubleshooting.xml 2005-09-08 13:57:44.000000000 -0700 -+++ bugzilla-2.22.1/docs/xml/troubleshooting.xml 2006-06-07 13:10:30.000000000 -0700 -@@ -1,5 +1,5 @@ - -- -+ - - - Troubleshooting -@@ -15,7 +15,7 @@ - completion, it normally explains what's wrong and how to fix it. - If you can't work it out, or if it's being uncommunicative, post - the errors in the -- netscape.public.mozilla.webtools -+ mozilla.support.bugzilla - newsgroup. - - -@@ -82,24 +82,6 @@ - - -
    -- --
    -- Bundle::Bugzilla makes me upgrade to Perl 5.6.1 -- -- Try executing perl -MCPAN -e 'install CPAN' -- and then continuing. -- -- -- Certain older versions of the CPAN toolset were somewhat naive about -- how to upgrade Perl modules. When a couple of modules got rolled into the -- core Perl distribution for 5.6.1, CPAN thought that the best way to get -- those modules up to date was to haul down the Perl distribution itself and -- build it. Needless to say, this has caused headaches for just about -- everybody. Upgrading to a newer version of CPAN with the -- commandline above should fix things. -- --
    -- - -
    - DBD::Sponge::db prepare failed -@@ -274,7 +256,7 @@ - -
    - --
    -+
    - Some users are constantly being forced to relogin - - First, make sure cookies are enabled in the user's browser. -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/duplicates.cgi bugzilla-2.22.1/duplicates.cgi ---- bugzilla-2.22/duplicates.cgi 2005-11-13 09:50:47.000000000 -0800 -+++ bugzilla-2.22.1/duplicates.cgi 2006-06-19 05:16:05.000000000 -0700 -@@ -104,7 +104,7 @@ - my $today = days_ago(0); - my $yesterday = days_ago(1); - --# We don't know the exact file name, because the extention depends on the -+# We don't know the exact file name, because the extension depends on the - # underlying dbm library, which could be anything. We can't glob, because - # perl < 5.6 considers if (<*>) { ... } to be tainted - # Instead, just check the return value for today's data and yesterday's, -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editclassifications.cgi bugzilla-2.22.1/editclassifications.cgi ---- bugzilla-2.22/editclassifications.cgi 2005-10-13 16:42:32.000000000 -0700 -+++ bugzilla-2.22.1/editclassifications.cgi 2006-10-14 15:05:54.000000000 -0700 -@@ -29,6 +29,7 @@ - use Bugzilla::Error; - use Bugzilla::Config qw($datadir); - use Bugzilla::Classification; -+use Bugzilla::Token; - - require "globals.pl"; - -@@ -68,7 +69,8 @@ - # - my $action = trim($cgi->param('action') || ''); - my $class_name = trim($cgi->param('classification') || ''); -- -+my $token = $cgi->param('token'); -+ - # - # action='' -> Show nice list of classifications - # -@@ -88,6 +90,7 @@ - # - - if ($action eq 'add') { -+ $vars->{'token'} = issue_session_token('add_classification'); - LoadTemplate($action); - } - -@@ -96,7 +99,7 @@ - # - - if ($action eq 'new') { -- -+ check_token_data($token, 'add_classification'); - $class_name || ThrowUserError("classification_not_specified"); - - my $classification = -@@ -119,7 +122,7 @@ - unlink "$datadir/versioncache"; - - $vars->{'classification'} = $class_name; -- -+ delete_token($token); - LoadTemplate($action); - } - -@@ -143,7 
+146,7 @@ - } - - $vars->{'classification'} = $classification; -- -+ $vars->{'token'} = issue_session_token('delete_classification'); - LoadTemplate($action); - } - -@@ -152,7 +155,7 @@ - # - - if ($action eq 'delete') { -- -+ check_token_data($token, 'delete_classification'); - my $classification = - Bugzilla::Classification::check_classification($class_name); - -@@ -176,7 +179,7 @@ - unlink "$datadir/versioncache"; - - $vars->{'classification'} = $classification; -- -+ delete_token($token); - LoadTemplate($action); - } - -@@ -192,7 +195,7 @@ - Bugzilla::Classification::check_classification($class_name); - - $vars->{'classification'} = $classification; -- -+ $vars->{'token'} = issue_session_token('edit_classification'); - LoadTemplate($action); - } - -@@ -201,7 +204,7 @@ - # - - if ($action eq 'update') { -- -+ check_token_data($token, 'edit_classification'); - $class_name || ThrowUserError("classification_not_specified"); - - my $class_old_name = trim($cgi->param('classificationold') || ''); -@@ -240,7 +243,7 @@ - } - - $dbh->bz_unlock_tables(); -- -+ delete_token($token); - LoadTemplate($action); - } - -@@ -257,26 +260,30 @@ - WHERE name = ?"); - - if (defined $cgi->param('add_products')) { -+ check_token_data($token, 'reclassify_classifications'); - if (defined $cgi->param('prodlist')) { - foreach my $prod ($cgi->param("prodlist")) { - trick_taint($prod); - $sth->execute($classification->id, $prod); - } - } -+ delete_token($token); - } elsif (defined $cgi->param('remove_products')) { -+ check_token_data($token, 'reclassify_classifications'); - if (defined $cgi->param('myprodlist')) { - foreach my $prod ($cgi->param("myprodlist")) { - trick_taint($prod); - $sth->execute(1,$prod); - } - } -+ delete_token($token); - } - - my @classifications = - Bugzilla::Classification::get_all_classifications; - $vars->{'classifications'} = \@classifications; - $vars->{'classification'} = $classification; -- -+ $vars->{'token'} = 
issue_session_token('reclassify_classifications'); - LoadTemplate($action); - } - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editcomponents.cgi bugzilla-2.22.1/editcomponents.cgi ---- bugzilla-2.22/editcomponents.cgi 2006-01-06 06:38:35.000000000 -0800 -+++ bugzilla-2.22.1/editcomponents.cgi 2006-10-14 15:05:54.000000000 -0700 -@@ -39,6 +39,7 @@ - use Bugzilla::Product; - use Bugzilla::Component; - use Bugzilla::Bug; -+use Bugzilla::Token; - - my $cgi = Bugzilla->cgi; - my $dbh = Bugzilla->dbh; -@@ -66,6 +67,7 @@ - my $comp_name = trim($cgi->param('component') || ''); - my $action = trim($cgi->param('action') || ''); - my $showbugcounts = (defined $cgi->param('showbugcounts')); -+my $token = $cgi->param('token'); - - # - # product = '' -> Show nice list of products -@@ -111,7 +113,7 @@ - # - - if ($action eq 'add') { -- -+ $vars->{'token'} = issue_session_token('add_component'); - $vars->{'product'} = $product->name; - $template->process("admin/components/create.html.tmpl", $vars) - || ThrowTemplateError($template->error()); -@@ -126,7 +128,7 @@ - # - - if ($action eq 'new') { -- -+ check_token_data($token, 'add_component'); - # Do the user matching - Bugzilla::User::match_field ($cgi, { - 'initialowner' => { 'type' => 'single' }, -@@ -213,6 +215,7 @@ - - $vars->{'name'} = $comp_name; - $vars->{'product'} = $product->name; -+ delete_token($token); - $template->process("admin/components/created.html.tmpl", - $vars) - || ThrowTemplateError($template->error()); -@@ -229,7 +232,7 @@ - # - - if ($action eq 'del') { -- -+ $vars->{'token'} = issue_session_token('delete_component'); - $vars->{'comp'} = - Bugzilla::Component::check_component($product, $comp_name); - -@@ -248,7 +251,7 @@ - # - - if ($action eq 'delete') { -- -+ check_token_data($token, 'delete_component'); - my $component = - Bugzilla::Component::check_component($product, $comp_name); - -@@ -282,6 +285,7 @@ - - $vars->{'name'} = $component->name; - $vars->{'product'} = $product->name; -+ 
delete_token($token); - $template->process("admin/components/deleted.html.tmpl", $vars) - || ThrowTemplateError($template->error()); - exit; -@@ -296,7 +300,7 @@ - # - - if ($action eq 'edit') { -- -+ $vars->{'token'} = issue_session_token('edit_component'); - $vars->{'comp'} = - Bugzilla::Component::check_component($product, $comp_name); - -@@ -316,7 +320,7 @@ - # - - if ($action eq 'update') { -- -+ check_token_data($token, 'edit_component'); - # Do the user matching - Bugzilla::User::match_field ($cgi, { - 'initialowner' => { 'type' => 'single' }, -@@ -405,6 +409,7 @@ - - $vars->{'name'} = $comp_name; - $vars->{'product'} = $product->name; -+ delete_token($token); - $template->process("admin/components/updated.html.tmpl", - $vars) - || ThrowTemplateError($template->error()); -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editflagtypes.cgi bugzilla-2.22.1/editflagtypes.cgi ---- bugzilla-2.22/editflagtypes.cgi 2006-01-11 05:16:39.000000000 -0800 -+++ bugzilla-2.22.1/editflagtypes.cgi 2006-10-14 15:05:54.000000000 -0700 -@@ -38,6 +38,7 @@ - use Bugzilla::FlagType; - use Bugzilla::Group; - use Bugzilla::Util; -+use Bugzilla::Token; - - my $template = Bugzilla->template; - my $vars = {}; -@@ -66,11 +67,12 @@ - - # Determine whether to use the action specified by the user or the default. 
- my $action = $cgi->param('action') || 'list'; -+my $token = $cgi->param('token'); - my @categoryActions; - - if (@categoryActions = grep(/^categoryAction-.+/, $cgi->param())) { - $categoryActions[0] =~ s/^categoryAction-//; -- processCategoryChange($categoryActions[0]); -+ processCategoryChange($categoryActions[0], $token); - exit; - } - -@@ -78,11 +80,11 @@ - elsif ($action eq 'enter') { edit(); } - elsif ($action eq 'copy') { edit(); } - elsif ($action eq 'edit') { edit(); } --elsif ($action eq 'insert') { insert(); } --elsif ($action eq 'update') { update(); } -+elsif ($action eq 'insert') { insert($token); } -+elsif ($action eq 'update') { update($token); } - elsif ($action eq 'confirmdelete') { confirmDelete(); } --elsif ($action eq 'delete') { deleteType(); } --elsif ($action eq 'deactivate') { deactivate(); } -+elsif ($action eq 'delete') { deleteType($token); } -+elsif ($action eq 'deactivate') { deactivate($token); } - else { - ThrowCodeError("action_unrecognized", { action => $action }); - } -@@ -128,9 +130,11 @@ - $vars->{'last_action'} = $cgi->param('action'); - if ($cgi->param('action') eq 'enter' || $cgi->param('action') eq 'copy') { - $vars->{'action'} = "insert"; -+ $vars->{'token'} = issue_session_token('add_flagtype'); - } - else { - $vars->{'action'} = "update"; -+ $vars->{'token'} = issue_session_token('edit_flagtype'); - } - - # If copying or editing an existing flag type, retrieve it. -@@ -168,7 +172,7 @@ - } - - sub processCategoryChange { -- my $categoryAction = shift; -+ my ($categoryAction, $token) = @_; - validateIsActive(); - validateIsRequestable(); - validateIsRequesteeble(); -@@ -218,7 +222,8 @@ - $type->{'inclusions'} = \%inclusions; - $type->{'exclusions'} = \%exclusions; - $vars->{'type'} = $type; -- -+ $vars->{'token'} = $token; -+ - # Return the appropriate HTTP response headers. 
- print $cgi->header(); - -@@ -243,6 +248,8 @@ - } - - sub insert { -+ my $token = shift; -+ check_token_data($token, 'add_flagtype'); - my $name = validateName(); - my $description = validateDescription(); - my $cc_list = validateCCList(); -@@ -285,6 +292,7 @@ - - $vars->{'name'} = $cgi->param('name'); - $vars->{'message'} = "flag_type_created"; -+ delete_token($token); - - # Return the appropriate HTTP response headers. - print $cgi->header(); -@@ -296,6 +304,8 @@ - - - sub update { -+ my $token = shift; -+ check_token_data($token, 'edit_flagtype'); - my $id = validateID(); - my $name = validateName(); - my $description = validateDescription(); -@@ -368,6 +378,7 @@ - - $vars->{'name'} = $cgi->param('name'); - $vars->{'message'} = "flag_type_changes_saved"; -+ delete_token($token); - - # Return the appropriate HTTP response headers. - print $cgi->header(); -@@ -390,7 +401,7 @@ - if ($count > 0) { - $vars->{'flag_type'} = Bugzilla::FlagType::get($id); - $vars->{'flag_count'} = scalar($count); -- -+ $vars->{'token'} = issue_session_token('delete_flagtype'); - # Return the appropriate HTTP response headers. - print $cgi->header(); - -@@ -399,12 +410,15 @@ - || ThrowTemplateError($template->error()); - } - else { -- deleteType(); -+ my $token = issue_session_token('delete_flagtype'); -+ deleteType($token); - } - } - - - sub deleteType { -+ my $token = shift; -+ check_token_data($token, 'delete_flagtype'); - my $id = validateID(); - my $dbh = Bugzilla->dbh; - -@@ -423,6 +437,7 @@ - $dbh->bz_unlock_tables(); - - $vars->{'message'} = "flag_type_deleted"; -+ delete_token($token); - - # Return the appropriate HTTP response headers. 
- print $cgi->header(); -@@ -434,6 +449,8 @@ - - - sub deactivate { -+ my $token = shift; -+ check_token_data($token, 'delete_flagtype'); - my $id = validateID(); - validateIsActive(); - -@@ -445,7 +462,8 @@ - - $vars->{'message'} = "flag_type_deactivated"; - $vars->{'flag_type'} = Bugzilla::FlagType::get($id); -- -+ delete_token($token); -+ - # Return the appropriate HTTP response headers. - print $cgi->header(); - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editgroups.cgi bugzilla-2.22.1/editgroups.cgi ---- bugzilla-2.22/editgroups.cgi 2006-01-22 12:10:08.000000000 -0800 -+++ bugzilla-2.22.1/editgroups.cgi 2006-10-14 15:05:54.000000000 -0700 -@@ -31,8 +31,10 @@ - - use Bugzilla; - use Bugzilla::Constants; -+use Bugzilla::Config qw(:DEFAULT :admin); - use Bugzilla::Group; - use Bugzilla::User; -+use Bugzilla::Token; - require "globals.pl"; - - my $cgi = Bugzilla->cgi; -@@ -50,6 +52,7 @@ - object => "groups"}); - - my $action = trim($cgi->param('action') || ''); -+my $token = $cgi->param('token'); - - # RederiveRegexp: update user_group_map with regexp-based grants - sub RederiveRegexp -@@ -249,6 +252,7 @@ - $vars->{'isactive'} = $isactive; - $vars->{'isbuggroup'} = $isbuggroup; - $vars->{'groups'} = \@groups; -+ $vars->{'token'} = issue_session_token('edit_group'); - - print $cgi->header(); - $template->process("admin/groups/edit.html.tmpl", $vars) -@@ -264,6 +268,7 @@ - # - - if ($action eq 'add') { -+ $vars->{'token'} = issue_session_token('add_group'); - print $cgi->header(); - $template->process("admin/groups/create.html.tmpl", $vars) - || ThrowTemplateError($template->error()); -@@ -278,6 +283,7 @@ - # - - if ($action eq 'new') { -+ check_token_data($token, 'add_group'); - # Check that a not already used group name is given, that - # a description is also given and check if the regular - # expression is valid (if any). 
-@@ -314,6 +320,7 @@ - undef, ($gid, CONTROLMAPSHOWN, CONTROLMAPNA)); - } - RederiveRegexp($regexp, $gid); -+ delete_token($token); - - print $cgi->header(); - $template->process("admin/groups/created.html.tmpl", $vars) -@@ -338,6 +345,17 @@ - if (!$isbuggroup) { - ThrowUserError("system_group_not_deletable", { name => $name }); - } -+ # Groups having a special role cannot be deleted. -+ my @special_groups; -+ foreach my $special_group ('chartgroup', 'insidergroup', 'timetrackinggroup') { -+ if ($name eq Param($special_group)) { -+ push(@special_groups, $special_group); -+ } -+ } -+ if (scalar(@special_groups)) { -+ ThrowUserError('group_has_special_role', {'name' => $name, -+ 'groups' => \@special_groups}); -+ } - - # Group inheritance no longer appears in user_group_map. - my $grouplist = join(',', @{Bugzilla::User->flatten_group_membership($gid)}); -@@ -368,6 +386,7 @@ - $vars->{'hasproduct'} = $hasproduct; - $vars->{'hasflags'} = $hasflags; - $vars->{'buglist'} = $buglist; -+ $vars->{'token'} = issue_session_token('delete_group'); - - print $cgi->header(); - $template->process("admin/groups/delete.html.tmpl", $vars) -@@ -381,6 +400,7 @@ - # - - if ($action eq 'delete') { -+ check_token_data($token, 'delete_group'); - # Check that an existing group ID is given - my $gid = CheckGroupID($cgi->param('group')); - my ($name, $isbuggroup) = -@@ -391,6 +411,17 @@ - if (!$isbuggroup) { - ThrowUserError("system_group_not_deletable", { name => $name }); - } -+ # Groups having a special role cannot be deleted. 
-+ my @special_groups; -+ foreach my $special_group ('chartgroup', 'insidergroup', 'timetrackinggroup') { -+ if ($name eq Param($special_group)) { -+ push(@special_groups, $special_group); -+ } -+ } -+ if (scalar(@special_groups)) { -+ ThrowUserError('group_has_special_role', {'name' => $name, -+ 'groups' => \@special_groups}); -+ } - - my $cantdelete = 0; - -@@ -426,32 +457,33 @@ - $cantdelete = 1; - } - -- if (!$cantdelete) { -- $dbh->do('UPDATE flagtypes SET grant_group_id = ? -- WHERE grant_group_id = ?', -- undef, (undef, $gid)); -- $dbh->do('UPDATE flagtypes SET request_group_id = ? -- WHERE request_group_id = ?', -- undef, (undef, $gid)); -- $dbh->do('DELETE FROM user_group_map WHERE group_id = ?', -- undef, $gid); -- $dbh->do('DELETE FROM group_group_map -- WHERE grantor_id = ? OR member_id = ?', -- undef, ($gid, $gid)); -- $dbh->do('DELETE FROM bug_group_map WHERE group_id = ?', -- undef, $gid); -- $dbh->do('DELETE FROM group_control_map WHERE group_id = ?', -- undef, $gid); -- $dbh->do('DELETE FROM whine_schedules -- WHERE mailto_type = ? AND mailto = ?', -- undef, (MAILTO_GROUP, $gid)); -- $dbh->do('DELETE FROM groups WHERE id = ?', -- undef, $gid); -- } -- - $vars->{'gid'} = $gid; - $vars->{'name'} = $name; -- $vars->{'cantdelete'} = $cantdelete; -+ -+ ThrowUserError('group_cannot_delete', $vars) if $cantdelete; -+ -+ $dbh->do('UPDATE flagtypes SET grant_group_id = ? -+ WHERE grant_group_id = ?', -+ undef, (undef, $gid)); -+ $dbh->do('UPDATE flagtypes SET request_group_id = ? -+ WHERE request_group_id = ?', -+ undef, (undef, $gid)); -+ $dbh->do('DELETE FROM user_group_map WHERE group_id = ?', -+ undef, $gid); -+ $dbh->do('DELETE FROM group_group_map -+ WHERE grantor_id = ? OR member_id = ?', -+ undef, ($gid, $gid)); -+ $dbh->do('DELETE FROM bug_group_map WHERE group_id = ?', -+ undef, $gid); -+ $dbh->do('DELETE FROM group_control_map WHERE group_id = ?', -+ undef, $gid); -+ $dbh->do('DELETE FROM whine_schedules -+ WHERE mailto_type = ? 
AND mailto = ?', -+ undef, (MAILTO_GROUP, $gid)); -+ $dbh->do('DELETE FROM groups WHERE id = ?', -+ undef, $gid); -+ -+ delete_token($token); - - print $cgi->header(); - $template->process("admin/groups/deleted.html.tmpl", $vars) -@@ -465,7 +497,8 @@ - # - - if ($action eq 'postchanges') { -- # ZLL: Bug 181589: we need to have something to remove explictly listed users from -+ check_token_data($token, 'edit_group'); -+ # ZLL: Bug 181589: we need to have something to remove explicitly listed users from - # groups in order for the conversion to 2.18 groups to work - my $action; - -@@ -486,7 +519,8 @@ - if ($action == 2) { - $vars->{'regexp'} = $regexp; - } -- -+ delete_token($token); -+ - print $cgi->header(); - $template->process("admin/groups/change.html.tmpl", $vars) - || ThrowTemplateError($template->error()); -@@ -598,6 +632,16 @@ - $chgs = 1; - $dbh->do('UPDATE groups SET name = ? WHERE id = ?', - undef, ($name, $gid)); -+ # If the group is used by some parameters, we have to update -+ # these parameters too. 
-+ my $update_params = 0; -+ foreach my $group ('chartgroup', 'insidergroup', 'timetrackinggroup') { -+ if ($cgi->param('oldname') eq Param($group)) { -+ SetParam($group, $name); -+ $update_params = 1; -+ } -+ } -+ WriteParams() if $update_params; - } - if ($desc ne $cgi->param('olddesc')) { - $chgs = 1; -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editkeywords.cgi bugzilla-2.22.1/editkeywords.cgi ---- bugzilla-2.22/editkeywords.cgi 2005-12-11 18:38:40.000000000 -0800 -+++ bugzilla-2.22.1/editkeywords.cgi 2006-10-14 15:05:54.000000000 -0700 -@@ -28,6 +28,7 @@ - use Bugzilla; - use Bugzilla::Constants; - use Bugzilla::Config qw(:DEFAULT $datadir); -+use Bugzilla::Token; - - my $cgi = Bugzilla->cgi; - my $dbh = Bugzilla->dbh; -@@ -76,6 +77,7 @@ - object => "keywords"}); - - my $action = trim($cgi->param('action') || ''); -+my $token = $cgi->param('token'); - $vars->{'action'} = $action; - - -@@ -101,6 +103,7 @@ - - - if ($action eq 'add') { -+ $vars->{'token'} = issue_session_token('add_keyword'); - print $cgi->header(); - - $template->process("admin/keywords/create.html.tmpl", $vars) -@@ -114,7 +117,8 @@ - # - - if ($action eq 'new') { -- # Cleanups and valididy checks -+ check_token_data($token, 'add_keyword'); -+ # Cleanups and validity checks - - my $name = trim($cgi->param('name') || ''); - my $description = trim($cgi->param('description') || ''); -@@ -154,6 +158,7 @@ - - # Make versioncache flush - unlink "$datadir/versioncache"; -+ delete_token($token); - - print $cgi->header(); - -@@ -193,6 +198,7 @@ - $vars->{'name'} = $name; - $vars->{'description'} = $description; - $vars->{'bug_count'} = $bugs; -+ $vars->{'token'} = issue_session_token('edit_keyword'); - - print $cgi->header(); - -@@ -208,6 +214,7 @@ - # - - if ($action eq 'update') { -+ check_token_data($token, 'edit_keyword'); - my $id = ValidateKeyID(scalar $cgi->param('id')); - - my $name = trim($cgi->param('name') || ''); -@@ -228,6 +235,7 @@ - - # Make versioncache flush - unlink 
"$datadir/versioncache"; -+ delete_token($token); - - print $cgi->header(); - -@@ -250,10 +258,14 @@ - WHERE keywordid = ?', - undef, $id); - -+ # We need this token even if there is no bug using this keyword. -+ $token = issue_session_token('delete_keyword'); -+ - if ($bugs) { - $vars->{'bug_count'} = $bugs; - $vars->{'keyword_id'} = $id; - $vars->{'name'} = $name; -+ $vars->{'token'} = $token; - - print $cgi->header(); - -@@ -263,12 +275,15 @@ - exit; - } - } -+ # We cannot do this check earlier as we have to check 'reallydelete' first. -+ check_token_data($token, 'delete_keyword'); - - $dbh->do('DELETE FROM keywords WHERE keywordid = ?', undef, $id); - $dbh->do('DELETE FROM keyworddefs WHERE id = ?', undef, $id); - - # Make versioncache flush - unlink "$datadir/versioncache"; -+ delete_token($token); - - print $cgi->header(); - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editmilestones.cgi bugzilla-2.22.1/editmilestones.cgi ---- bugzilla-2.22/editmilestones.cgi 2006-01-06 06:38:35.000000000 -0800 -+++ bugzilla-2.22.1/editmilestones.cgi 2006-10-14 15:05:54.000000000 -0700 -@@ -12,7 +12,7 @@ - # Matt Masson - # - # Contributors : Gavin Shelley --# Frdric Buclin -+# Frédéric Buclin - # - - -@@ -26,6 +26,7 @@ - use Bugzilla::Product; - use Bugzilla::Milestone; - use Bugzilla::Bug; -+use Bugzilla::Token; - - my $cgi = Bugzilla->cgi; - my $dbh = Bugzilla->dbh; -@@ -54,6 +55,7 @@ - my $sortkey = trim($cgi->param('sortkey') || 0); - my $action = trim($cgi->param('action') || ''); - my $showbugcounts = (defined $cgi->param('showbugcounts')); -+my $token = $cgi->param('token'); - - # - # product = '' -> Show nice list of products -@@ -103,7 +105,7 @@ - # - - if ($action eq 'add') { -- -+ $vars->{'token'} = issue_session_token('add_milestone'); - $vars->{'product'} = $product->name; - $template->process("admin/milestones/create.html.tmpl", - $vars) -@@ -119,7 +121,7 @@ - # - - if ($action eq 'new') { -- -+ check_token_data($token, 'add_milestone'); - 
$milestone_name || ThrowUserError('milestone_blank_name'); - - if (length($milestone_name) > 20) { -@@ -147,6 +149,7 @@ - - # Make versioncache flush - unlink "$datadir/versioncache"; -+ delete_token($token); - - $vars->{'name'} = $milestone_name; - $vars->{'product'} = $product->name; -@@ -179,6 +182,7 @@ - } - - $vars->{'bug_count'} = $milestone->bug_count; -+ $vars->{'token'} = issue_session_token('delete_milestone'); - - $template->process("admin/milestones/confirm-delete.html.tmpl", $vars) - || ThrowTemplateError($template->error()); -@@ -192,7 +196,7 @@ - # - - if ($action eq 'delete') { -- -+ check_token_data($token, 'delete_milestone'); - my $milestone = - Bugzilla::Milestone::check_milestone($product, - $milestone_name); -@@ -233,6 +237,7 @@ - undef, ($product->id, $milestone->name)); - - unlink "$datadir/versioncache"; -+ delete_token($token); - - $template->process("admin/milestones/deleted.html.tmpl", $vars) - || ThrowTemplateError($template->error()); -@@ -256,6 +261,7 @@ - $vars->{'sortkey'} = $milestone->sortkey; - $vars->{'name'} = $milestone->name; - $vars->{'product'} = $product->name; -+ $vars->{'token'} = issue_session_token('edit_milestone'); - - $template->process("admin/milestones/edit.html.tmpl", - $vars) -@@ -271,7 +277,7 @@ - # - - if ($action eq 'update') { -- -+ check_token_data($token, 'edit_milestone'); - my $milestone_old_name = trim($cgi->param('milestoneold') || ''); - my $milestone_old = - Bugzilla::Milestone::check_milestone($product, -@@ -350,6 +356,7 @@ - } - - $dbh->bz_unlock_tables(); -+ delete_token($token); - - $vars->{'name'} = $milestone_name; - $vars->{'product'} = $product->name; -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editparams.cgi bugzilla-2.22.1/editparams.cgi ---- bugzilla-2.22/editparams.cgi 2006-03-06 14:16:24.000000000 -0800 -+++ bugzilla-2.22.1/editparams.cgi 2006-10-14 15:05:54.000000000 -0700 -@@ -28,6 +28,7 @@ - use Bugzilla::Constants; - use Bugzilla::Config qw(:DEFAULT :admin :params 
$datadir); - use Bugzilla::Config::Common; -+use Bugzilla::Token; - - require "globals.pl"; - use vars qw(@parampanels); -@@ -45,6 +46,7 @@ - object => "parameters"}); - - my $action = trim($cgi->param('action') || ''); -+my $token = $cgi->param('token'); - my $current_panel = $cgi->param('section') || 'core'; - $current_panel =~ /^([A-Za-z0-9_-]+)$/; - $current_panel = $1; -@@ -69,6 +71,7 @@ - $vars->{panels} = \@panels; - - if ($action eq 'save' && $current_module) { -+ check_token_data($token, 'edit_parameters'); - my @changes = (); - my @module_param_list = "Bugzilla::Config::${current_module}"->get_param_list(); - -@@ -129,7 +132,10 @@ - - WriteParams(); - unlink "$datadir/versioncache"; -+ delete_token($token); - } - -+$vars->{'token'} = issue_session_token('edit_parameters'); -+ - $template->process("admin/params/editparams.html.tmpl", $vars) - || ThrowTemplateError($template->error()); -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editproducts.cgi bugzilla-2.22.1/editproducts.cgi ---- bugzilla-2.22/editproducts.cgi 2006-02-28 14:09:46.000000000 -0800 -+++ bugzilla-2.22.1/editproducts.cgi 2006-10-14 15:05:54.000000000 -0700 -@@ -41,6 +41,7 @@ - use Bugzilla::Product; - use Bugzilla::Classification; - use Bugzilla::Milestone; -+use Bugzilla::Token; - - # Shut up misguided -w warnings about "used only once". "use vars" just - # doesn't work for me. 
-@@ -72,6 +73,7 @@ - my $product_name = trim($cgi->param('product') || ''); - my $action = trim($cgi->param('action') || ''); - my $showbugcounts = (defined $cgi->param('showbugcounts')); -+my $token = $cgi->param('token'); - - # - # product = '' -> Show nice list of classifications (if -@@ -132,6 +134,8 @@ - Bugzilla::Classification::check_classification($classification_name); - $vars->{'classification'} = $classification; - } -+ $vars->{'token'} = issue_session_token('add_product'); -+ - $template->process("admin/products/create.html.tmpl", $vars) - || ThrowTemplateError($template->error()); - -@@ -144,7 +148,7 @@ - # - - if ($action eq 'new') { -- -+ check_token_data($token, 'add_product'); - # Cleanups and validity checks - - my $classification_id = 1; -@@ -245,7 +249,7 @@ - - my $gid = $dbh->bz_last_key('groups', 'id'); - -- # If we created a new group, give the "admin" group priviledges -+ # If we created a new group, give the "admin" group privileges - # initially. - my $admin = GroupNameToId('admin'); - -@@ -307,6 +311,7 @@ - } - # Make versioncache flush - unlink "$datadir/versioncache"; -+ delete_token($token); - - $vars->{'product'} = $product; - -@@ -341,6 +346,7 @@ - } - - $vars->{'product'} = $product; -+ $vars->{'token'} = issue_session_token('delete_product'); - - $template->process("admin/products/confirm-delete.html.tmpl", $vars) - || ThrowTemplateError($template->error()); -@@ -352,6 +358,7 @@ - # - - if ($action eq 'delete') { -+ check_token_data($token, 'delete_product'); - # First make sure the product name is valid. 
- my $product = Bugzilla::Product::check_product($product_name); - -@@ -414,6 +421,7 @@ - $dbh->bz_unlock_tables(); - - unlink "$datadir/versioncache"; -+ delete_token($token); - - $template->process("admin/products/deleted.html.tmpl", $vars) - || ThrowTemplateError($template->error()); -@@ -469,9 +477,9 @@ - } - } - $vars->{'group_controls'} = $group_controls; -- - $vars->{'product'} = $product; -- -+ $vars->{'token'} = issue_session_token('edit_product'); -+ - $template->process("admin/products/edit.html.tmpl", $vars) - || ThrowTemplateError($template->error()); - -@@ -483,6 +491,7 @@ - # - - if ($action eq 'updategroupcontrols') { -+ check_token_data($token, 'edit_group_controls'); - # First make sure the product name is valid. - my $product = Bugzilla::Product::check_product($product_name); - -@@ -724,10 +733,10 @@ - } - $dbh->bz_unlock_tables(); - -- $vars->{'removed_na'} = \@removed_na; -+ delete_token($token); - -+ $vars->{'removed_na'} = \@removed_na; - $vars->{'added_mandatory'} = \@added_mandatory; -- - $vars->{'product'} = $product; - - $template->process("admin/products/groupcontrol/updated.html.tmpl", $vars) -@@ -739,7 +748,7 @@ - # action='update' -> update the product - # - if ($action eq 'update') { -- -+ check_token_data($token, 'edit_product'); - my $product_old_name = trim($cgi->param('product_old_name') || ''); - my $description = trim($cgi->param('description') || ''); - my $disallownew = trim($cgi->param('disallownew') || ''); -@@ -974,8 +983,9 @@ - } - - $vars->{'confirmedbugs'} = \@updated_bugs; -- $vars->{'changer'} = $whoid; -+ $vars->{'changer'} = $user->login; - } -+ delete_token($token); - - $vars->{'old_product'} = $product_old; - $vars->{'product'} = $product; -@@ -1018,6 +1028,7 @@ - - $vars->{'product'} = $product; - $vars->{'groups'} = $groups; -+ $vars->{'token'} = issue_session_token('edit_group_controls'); - - $vars->{'const'} = { - 'CONTROLMAPNA' => CONTROLMAPNA, -diff -urN --exclude=CVS --exclude='*.pdf' 
bugzilla-2.22/editsettings.cgi bugzilla-2.22.1/editsettings.cgi ---- bugzilla-2.22/editsettings.cgi 2005-10-24 16:11:55.000000000 -0700 -+++ bugzilla-2.22.1/editsettings.cgi 2006-10-14 15:05:54.000000000 -0700 -@@ -22,6 +22,7 @@ - use Bugzilla; - use Bugzilla::Constants; - use Bugzilla::User::Setting; -+use Bugzilla::Token; - - require "globals.pl"; - -@@ -79,9 +80,12 @@ - object => "settings"}); - - my $action = trim($cgi->param('action') || 'load'); -+my $token = $cgi->param('token'); - - if ($action eq 'update') { -+ check_token_data($token, 'edit_settings'); - SaveSettings(); -+ delete_token($token); - $vars->{'changes_saved'} = 1; - - $template->process("admin/settings/updated.html.tmpl", $vars) -@@ -92,6 +96,7 @@ - - if ($action eq 'load') { - LoadSettings(); -+ $vars->{'token'} = issue_session_token('edit_settings'); - - $template->process("admin/settings/edit.html.tmpl", $vars) - || ThrowTemplateError($template->error()); -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editusers.cgi bugzilla-2.22.1/editusers.cgi ---- bugzilla-2.22/editusers.cgi 2006-01-03 00:40:45.000000000 -0800 -+++ bugzilla-2.22.1/editusers.cgi 2006-10-14 15:05:54.000000000 -0700 -@@ -31,6 +31,7 @@ - use Bugzilla::Util; - use Bugzilla::Field; - use Bugzilla::Group; -+use Bugzilla::Token; - - my $user = Bugzilla->login(LOGIN_REQUIRED); - -@@ -55,6 +56,7 @@ - my $action = $cgi->param('action') || 'search'; - my $otherUserID = $cgi->param('userid'); - my $otherUserLogin = $cgi->param('user'); -+my $token = $cgi->param('token'); - - # Prefill template vars with data used in all or nearly all templates - $vars->{'editusers'} = $editusers; -@@ -168,6 +170,8 @@ - action => "add", - object => "users"}); - -+ $vars->{'token'} = issue_session_token('add_user'); -+ - $template->process('admin/users/create.html.tmpl', $vars) - || ThrowTemplateError($template->error()); - -@@ -177,6 +181,7 @@ - action => "add", - object => "users"}); - -+ check_token_data($token, 'add_user'); - my $login = 
$cgi->param('login'); - my $password = $cgi->param('password'); - my $realname = trim($cgi->param('name') || ''); -@@ -212,6 +217,10 @@ - $dbh->bz_unlock_tables(); - userDataToVars($new_user_id); - -+ delete_token($token); -+ -+ # We already display the updated page. We have to recreate a token now. -+ $vars->{'token'} = issue_session_token('edit_user'); - $vars->{'message'} = 'account_created'; - $template->process('admin/users/edit.html.tmpl', $vars) - || ThrowTemplateError($template->error()); -@@ -223,6 +232,7 @@ - - ########################################################################### - } elsif ($action eq 'update') { -+ check_token_data($token, 'edit_user'); - my $otherUser = check_user($otherUserID, $otherUserLogin); - $otherUserID = $otherUser->id; - -@@ -403,6 +413,7 @@ - - # XXX: userDataToVars may be off when editing ourselves. - userDataToVars($otherUserID); -+ delete_token($token); - - $vars->{'message'} = 'account_updated'; - $vars->{'loginold'} = $loginold; -@@ -411,6 +422,9 @@ - $vars->{'groups_removed_from'} = \@groupsRemovedFrom; - $vars->{'groups_granted_rights_to_bless'} = \@groupsGrantedRightsToBless; - $vars->{'groups_denied_rights_to_bless'} = \@groupsDeniedRightsToBless; -+ # We already display the updated page. We have to recreate a token now. -+ $vars->{'token'} = issue_session_token('edit_user'); -+ - $template->process('admin/users/edit.html.tmpl', $vars) - || ThrowTemplateError($template->error()); - -@@ -484,12 +498,14 @@ - AND mailto_type = ? 
- }, - undef, ($otherUserID, MAILTO_USER)); -+ $vars->{'token'} = issue_session_token('delete_user'); - - $template->process('admin/users/confirm-delete.html.tmpl', $vars) - || ThrowTemplateError($template->error()); - - ########################################################################### - } elsif ($action eq 'delete') { -+ check_token_data($token, 'delete_user'); - my $otherUser = check_user($otherUserID, $otherUserLogin); - $otherUserID = $otherUser->id; - -@@ -703,6 +719,7 @@ - $dbh->do('DELETE FROM profiles WHERE userid = ?', undef, $otherUserID); - - $dbh->bz_unlock_tables(); -+ delete_token($token); - - $vars->{'message'} = 'account_deleted'; - $vars->{'otheruser'}{'login'} = $otherUser->login; -@@ -826,6 +843,7 @@ - object => "user"}); - - userDataToVars($otherUser->id); -+ $vars->{'token'} = issue_session_token('edit_user'); - - $template->process('admin/users/edit.html.tmpl', $vars) - || ThrowTemplateError($template->error()); -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editvalues.cgi bugzilla-2.22.1/editvalues.cgi ---- bugzilla-2.22/editvalues.cgi 2005-10-23 17:44:10.000000000 -0700 -+++ bugzilla-2.22.1/editvalues.cgi 2006-10-14 15:05:55.000000000 -0700 -@@ -27,6 +27,7 @@ - use Bugzilla::Error; - use Bugzilla::Constants; - use Bugzilla::Config qw(:DEFAULT :admin :locations); -+use Bugzilla::Token; - - # List of different tables that contain the changeable field values - # (the old "enums.") Keep them in alphabetical order by their -@@ -107,7 +108,7 @@ - exists Bugzilla->user->groups->{'editcomponents'} || - ThrowUserError('auth_failure', {group => "editcomponents", - action => "edit", -- object => "field values"}); -+ object => "field_values"}); - - # - # often-used variables -@@ -116,6 +117,7 @@ - my $value = trim($cgi->param('value') || ''); - my $sortkey = trim($cgi->param('sortkey') || '0'); - my $action = trim($cgi->param('action') || ''); -+my $token = $cgi->param('token'); - - # Gives the name of the parameter associated with 
the field - # and representing its default value. -@@ -175,6 +177,8 @@ - - $vars->{'value'} = $value; - $vars->{'field'} = $field; -+ $vars->{'token'} = issue_session_token('add_field_value'); -+ - $template->process("admin/fieldvalues/create.html.tmpl", - $vars) - || ThrowTemplateError($template->error()); -@@ -187,6 +191,7 @@ - # action='new' -> add field value entered in the 'action=add' screen - # - if ($action eq 'new') { -+ check_token_data($token, 'add_field_value'); - FieldMustExist($field); - trick_taint($field); - -@@ -218,6 +223,7 @@ - $sth->execute($value, $sortkey); - - unlink "$datadir/versioncache"; -+ delete_token($token); - - $vars->{'value'} = $value; - $vars->{'field'} = $field; -@@ -248,6 +254,8 @@ - $vars->{'value'} = $value; - $vars->{'field'} = $field; - $vars->{'param_name'} = $defaults{$field}; -+ $vars->{'token'} = issue_session_token('delete_field_value'); -+ - $template->process("admin/fieldvalues/confirm-delete.html.tmpl", - $vars) - || ThrowTemplateError($template->error()); -@@ -260,6 +268,7 @@ - # action='delete' -> really delete the field value - # - if ($action eq 'delete') { -+ check_token_data($token, 'delete_field_value'); - ValueMustExist($field, $value); - if ($value eq Param($defaults{$field})) { - ThrowUserError('fieldvalue_is_default', {field => $field, -@@ -288,6 +297,7 @@ - $dbh->bz_unlock_tables(); - - unlink "$datadir/versioncache"; -+ delete_token($token); - - $vars->{'value'} = $value; - $vars->{'field'} = $field; -@@ -312,6 +322,7 @@ - - $vars->{'value'} = $value; - $vars->{'field'} = $field; -+ $vars->{'token'} = issue_session_token('edit_field_value'); - - $template->process("admin/fieldvalues/edit.html.tmpl", - $vars) -@@ -325,6 +336,7 @@ - # action='update' -> update the field value - # - if ($action eq 'update') { -+ check_token_data($token, 'edit_field_value'); - my $valueold = trim($cgi->param('valueold') || ''); - my $sortkeyold = trim($cgi->param('sortkeyold') || '0'); - -@@ -396,6 +408,7 @@ - unlink 
"$datadir/versioncache"; - $vars->{'default_value_updated'} = 1; - } -+ delete_token($token); - - $vars->{'value'} = $value; - $vars->{'field'} = $field; -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editversions.cgi bugzilla-2.22.1/editversions.cgi ---- bugzilla-2.22/editversions.cgi 2005-12-29 14:55:59.000000000 -0800 -+++ bugzilla-2.22.1/editversions.cgi 2006-10-14 15:05:55.000000000 -0700 -@@ -21,7 +21,7 @@ - # Contributor(s): Holger Schurig - # Terry Weissman - # Gavin Shelley --# Frdric Buclin -+# Frédéric Buclin - # - # - # Direct any questions on this source code to -@@ -37,6 +37,7 @@ - use Bugzilla::Config qw(:DEFAULT $datadir); - use Bugzilla::Product; - use Bugzilla::Version; -+use Bugzilla::Token; - - my $cgi = Bugzilla->cgi; - my $dbh = Bugzilla->dbh; -@@ -63,6 +64,7 @@ - my $version_name = trim($cgi->param('version') || ''); - my $action = trim($cgi->param('action') || ''); - my $showbugcounts = (defined $cgi->param('showbugcounts')); -+my $token = $cgi->param('token'); - - # - # product = '' -> Show nice list of products -@@ -110,7 +112,7 @@ - # - - if ($action eq 'add') { -- -+ $vars->{'token'} = issue_session_token('add_version'); - $vars->{'product'} = $product->name; - $template->process("admin/versions/create.html.tmpl", - $vars) -@@ -126,8 +128,8 @@ - # - - if ($action eq 'new') { -- -- # Cleanups and valididy checks -+ check_token_data($token, 'add_version'); -+ # Cleanups and validity checks - $version_name || ThrowUserError('version_blank_name'); - - # Remove unprintable characters -@@ -147,6 +149,7 @@ - - # Make versioncache flush - unlink "$datadir/versioncache"; -+ delete_token($token); - - $vars->{'name'} = $version_name; - $vars->{'product'} = $product->name; -@@ -175,6 +178,8 @@ - $vars->{'bug_count'} = $bugs; - $vars->{'name'} = $version->name; - $vars->{'product'} = $product->name; -+ $vars->{'token'} = issue_session_token('delete_version'); -+ - $template->process("admin/versions/confirm-delete.html.tmpl", - $vars) - || 
ThrowTemplateError($template->error()); -@@ -189,7 +194,7 @@ - # - - if ($action eq 'delete') { -- -+ check_token_data($token, 'delete_version'); - my $version = Bugzilla::Version::check_version($product, - $version_name); - -@@ -204,6 +209,7 @@ - undef, ($product->id, $version->name)); - - unlink "$datadir/versioncache"; -+ delete_token($token); - - $vars->{'name'} = $version->name; - $vars->{'product'} = $product->name; -@@ -228,6 +234,7 @@ - - $vars->{'name'} = $version->name; - $vars->{'product'} = $product->name; -+ $vars->{'token'} = issue_session_token('edit_version'); - - $template->process("admin/versions/edit.html.tmpl", - $vars) -@@ -243,7 +250,7 @@ - # - - if ($action eq 'update') { -- -+ check_token_data($token, 'edit_version'); - $version_name || ThrowUserError('version_not_specified'); - - # Remove unprintable characters -@@ -288,7 +295,8 @@ - $vars->{'updated_name'} = 1; - } - -- $dbh->bz_unlock_tables(); -+ $dbh->bz_unlock_tables(); -+ delete_token($token); - - $vars->{'name'} = $version_name; - $vars->{'product'} = $product->name; -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/editwhines.cgi bugzilla-2.22.1/editwhines.cgi ---- bugzilla-2.22/editwhines.cgi 2006-02-02 11:04:03.000000000 -0800 -+++ bugzilla-2.22.1/editwhines.cgi 2006-10-14 15:05:55.000000000 -0700 -@@ -33,6 +33,8 @@ - use Bugzilla::Constants; - use Bugzilla::User; - use Bugzilla::Group; -+use Bugzilla::Token; -+ - # require the user to have logged in - my $user = Bugzilla->login(LOGIN_REQUIRED); - -@@ -46,7 +48,7 @@ - my $dbh = Bugzilla->dbh; - - my $userid = $user->id; -- -+my $token = $cgi->param('token'); - my $sth; # database statement handle - - # $events is a hash ref, keyed by event id, that stores the active user's -@@ -83,6 +85,7 @@ - # removed, then what was altered. - - if ($cgi->param('update')) { -+ check_token_data($token, 'edit_whine'); - if ($cgi->param("add_event")) { - # we create a new event - $sth = $dbh->prepare("INSERT INTO whine_events " . 
-@@ -346,6 +349,7 @@ - } - } - } -+ delete_token($token); - } - - $vars->{'mail_others'} = $can_mail_others; -@@ -433,6 +437,7 @@ - while (my ($query) = $sth->fetchrow_array) { - push @{$vars->{'available_queries'}}, $query; - } -+$vars->{'token'} = issue_session_token('edit_whine'); - - $template->process("whine/schedule.html.tmpl", $vars) - || ThrowTemplateError($template->error()); -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/enter_bug.cgi bugzilla-2.22.1/enter_bug.cgi ---- bugzilla-2.22/enter_bug.cgi 2006-01-05 06:54:52.000000000 -0800 -+++ bugzilla-2.22.1/enter_bug.cgi 2006-08-21 12:26:06.000000000 -0700 -@@ -198,10 +198,11 @@ - /\(.*PPC.*\)/ && do {@platform = "Macintosh"; last;}; - /\(.*AIX.*\)/ && do {@platform = "Macintosh"; last;}; - #Intel x86 -+ /\(.*Intel.*\)/ && do {@platform = "PC"; last;}; - /\(.*[ix0-9]86.*\)/ && do {@platform = "PC"; last;}; - #Versions of Windows that only run on Intel x86 -- /\(.*Win(?:dows )[39M].*\)/ && do {@platform = "PC"; last}; -- /\(.*Win(?:dows )16.*\)/ && do {@platform = "PC"; last;}; -+ /\(.*Win(?:dows |)[39M].*\)/ && do {@platform = "PC"; last}; -+ /\(.*Win(?:dows |)16.*\)/ && do {@platform = "PC"; last;}; - #Sparc - /\(.*sparc.*\)/ && do {@platform = "Sun"; last;}; - /\(.*sun4.*\)/ && do {@platform = "Sun"; last;}; -@@ -274,11 +275,11 @@ - /\(.*Windows 2000.*\)/ && do {@os = "Windows 2000"; last;}; - /\(.*Windows NT 5.*\)/ && do {@os = "Windows 2000"; last;}; - /\(.*Win.*9[8x].*4\.9.*\)/ && do {@os = "Windows ME"; last;}; -- /\(.*Win(?:dows )M[Ee].*\)/ && do {@os = "Windows ME"; last;}; -- /\(.*Win(?:dows )98.*\)/ && do {@os = "Windows 98"; last;}; -- /\(.*Win(?:dows )95.*\)/ && do {@os = "Windows 95"; last;}; -- /\(.*Win(?:dows )16.*\)/ && do {@os = "Windows 3.1"; last;}; -- /\(.*Win(?:dows[ -])NT.*\)/ && do {@os = "Windows NT"; last;}; -+ /\(.*Win(?:dows |)M[Ee].*\)/ && do {@os = "Windows ME"; last;}; -+ /\(.*Win(?:dows |)98.*\)/ && do {@os = "Windows 98"; last;}; -+ /\(.*Win(?:dows |)95.*\)/ && do {@os 
= "Windows 95"; last;}; -+ /\(.*Win(?:dows |)16.*\)/ && do {@os = "Windows 3.1"; last;}; -+ /\(.*Win(?:dows[ -]|)NT.*\)/ && do {@os = "Windows NT"; last;}; - /\(.*Windows.*NT.*\)/ && do {@os = "Windows NT"; last;}; - /\(.*32bit.*\)/ && do {@os = "Windows 95"; last;}; - /\(.*16bit.*\)/ && do {@os = "Windows 3.1"; last;}; -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/globals.pl bugzilla-2.22.1/globals.pl ---- bugzilla-2.22/globals.pl 2006-01-09 10:59:53.000000000 -0800 -+++ bugzilla-2.22.1/globals.pl 2006-10-14 13:30:53.000000000 -0700 -@@ -401,6 +401,8 @@ - } elsif ((defined $matchpassword) && ($password ne $matchpassword)) { - ThrowUserError("passwords_dont_match"); - } -+ # Having done these checks makes us consider the password untainted. -+ trick_taint($_[0]); - } - - sub DBID_to_name { -@@ -493,7 +495,7 @@ - # bug refs out, so we have to do replacements. - # mailto can't contain space or #, so we don't have to bother for that - # Do this by escaping \0 to \1\0, and replacing matches with \0\0$count\0\0 -- # \0 is used because its unliklely to occur in the text, so the cost of -+ # \0 is used because its unlikely to occur in the text, so the cost of - # doing this should be very small - # Also, \0 won't appear in the value_quote'd bug title, so we don't have - # to worry about bogus substitutions from there -@@ -506,7 +508,7 @@ - # In particular, attachment matches go before bug titles, so that titles - # with 'attachment 1' don't double match. 
- # Dupe checks go afterwards, because that uses ^ and \Z, which won't occur
-- # if it was subsituted as a bug title (since that always involve leading
-+ # if it was substituted as a bug title (since that always involve leading
- # and trailing text)
- 
- # Because of entities, its easier (and quicker) to do this before escaping
-@@ -516,7 +518,8 @@
- my $tmp;
- 
- # non-mailto protocols
-- my $protocol_re = qr/(afs|cid|ftp|gopher|http|https|irc|mid|news|nntp|prospero|telnet|view-source|wais)/i;
-+ my $safe_protocols = join('|', SAFE_PROTOCOLS);
-+ my $protocol_re = qr/($safe_protocols)/i;
- 
- $text =~ s~\b(${protocol_re}: # The protocol:
- [^\s<>\"]+ # Any non-whitespace
-@@ -623,12 +626,12 @@
- my ($title, $className) = @{$::attachlink{$attachid}};
- # $title will be undefined if the attachment didn't exist in the database.
- if (defined $title) {
-- $link_text =~ s/ \[edit\]$//;
-+ $link_text =~ s/ \[details\]$//;
- my $linkval = "attachment.cgi?id=$attachid&action=";
- # Whitespace matters here because these links are in
     tags.
    -         return qq||
    -                . qq|$link_text|
    --               . qq| [edit]|
    -+               . qq| [details]|
    -                . qq||;
    -     }
    -     else {
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/importxml.pl bugzilla-2.22.1/importxml.pl
    ---- bugzilla-2.22/importxml.pl	2006-04-19 15:27:08.000000000 -0700
    -+++ bugzilla-2.22.1/importxml.pl	2006-07-13 12:06:15.000000000 -0700
    -@@ -100,11 +100,13 @@
    - 
    - my $debug = 0;
    - my $mail  = '';
    -+my $attach_path = '';
    - my $help  = 0;
    - 
    - my $result = GetOptions(
    -     "verbose|debug+" => \$debug,
    -     "mail|sendmail!" => \$mail,
    -+    "attach_path=s"  => \$attach_path,
    -     "help|?"         => \$help
    - );
    - 
    -@@ -377,7 +379,7 @@
    - # This subroutine is called once for each attachment in the xml file.
    - # It is called as soon as the closing  tag is parsed.
    - # Since attachments have the potential to be very large, and
    --# since each attachement will be inside .. tags we shove
    -+# since each attachment will be inside .. tags we shove
    - # the attachment onto an array which will be processed by process_bug
    - # and then disposed of. The attachment array will then contain only
    - # one bugs' attachments at a time.
    -@@ -401,14 +403,24 @@
    -     $attachment{'isprivate'}  = $attach->{'att'}->{'isprivate'} || 0;
    -     $attachment{'filename'}   = $attach->field('filename') || "file";
    -     # Attachment data is not exported in versions 2.20 and older.
    --    if (defined $attach->first_child('data')
    --        && defined $attach->first_child('data')->{'att'}->{'encoding'}
    --        && $attach->first_child('data')->{'att'}->{'encoding'} =~ /base64/ )
    --    {
    --        # decode the base64
    --        my $data   = $attach->field('data');
    --        my $output = decode_base64($data);
    --        $attachment{'data'} = $output;
    -+    if (defined $attach->first_child('data') &&
    -+            defined $attach->first_child('data')->{'att'}->{'encoding'}) {
    -+        my $encoding = $attach->first_child('data')->{'att'}->{'encoding'};
    -+        if ($encoding =~ /base64/) {
    -+            # decode the base64
    -+            my $data   = $attach->field('data');
    -+            my $output = decode_base64($data);
    -+            $attachment{'data'} = $output;
    -+        }
    -+        elsif ($encoding =~ /filename/) {
    -+            # read the attachment file
    -+            Error("attach_path is required", undef) unless ($attach_path);
    -+            my $attach_filename = $attach_path . "/" . $attach->field('data');
    -+            open(ATTACH_FH, $attach_filename) or
    -+                Error("cannot open $attach_filename", undef);
    -+            $attachment{'data'} = do { local $/;  };
    -+            close ATTACH_FH;
    -+        }
    -     }
    -     else {
    -         $attachment{'data'} = $attach->field('data');
    -@@ -534,8 +546,8 @@
    -             $data = decode_base64($data);
    -         }
    - 
    --        # If we leave the attachemnt ID in the comment it will be made a link
    --        # to the wrong attachment. Since the new attachment ID is unkown yet
    -+        # If we leave the attachment ID in the comment it will be made a link
    -+        # to the wrong attachment. Since the new attachment ID is unknown yet
    -         # let's strip it out for now. We will make a comment with the right ID
    -         # later
    -         $data =~ s/Created an attachment \(id=\d+\)/Created an attachment/g;
    -@@ -1248,6 +1260,8 @@
    -        -v --verbose     print error and debug information. 
    -                         Mulltiple -v increases verbosity
    -        -m --sendmail    send mail to recipients with log of bugs imported
    -+       --attach_path    The path to the attachment files.
    -+                        (Required if encoding="filename" is used for attachments.)
    - 
    - =head1 OPTIONS
    - 
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/post_bug.cgi bugzilla-2.22.1/post_bug.cgi
    ---- bugzilla-2.22/post_bug.cgi	2006-01-08 11:56:03.000000000 -0800
    -+++ bugzilla-2.22.1/post_bug.cgi	2006-07-04 02:51:56.000000000 -0700
    -@@ -171,19 +171,19 @@
    -     }
    - }
    - 
    --if (UserInGroup("editbugs") || UserInGroup("canconfirm")) {
    --    # Default to NEW if the user hasn't selected another status
    --    if (!defined $cgi->param('bug_status')) {
    --        $cgi->param(-name => 'bug_status', -value => "NEW");
    -+my $votes_to_confirm = $dbh->selectrow_array('SELECT votestoconfirm
    -+                                              FROM products WHERE id = ?',
    -+                                              undef, $product_id);
    -+my $bug_status = 'UNCONFIRMED';
    -+if ($votes_to_confirm) {
    -+    # Default to NEW if the user with privs hasn't selected another status.
    -+    if (UserInGroup('editbugs') || UserInGroup('canconfirm')) {
    -+        $bug_status = scalar($cgi->param('bug_status')) || 'NEW';
    -     }
    - } else {
    --    # Default to UNCONFIRMED if we are using it, NEW otherwise
    --    $cgi->param(-name => 'bug_status', -value => 'UNCONFIRMED');
    --    SendSQL("SELECT votestoconfirm FROM products WHERE id = $product_id");
    --    if (!FetchOneColumn()) {   
    --        $cgi->param(-name => 'bug_status', -value => "NEW");
    --    }
    -+    $bug_status = 'NEW';
    - }
    -+$cgi->param(-name => 'bug_status', -value => $bug_status);
    - 
    - if (!defined $cgi->param('target_milestone')) {
    -     SendSQL("SELECT defaultmilestone FROM products WHERE name=$sql_product");
    -@@ -289,7 +289,7 @@
    -         foreach my $id (split(/[\s,]+/, $cgi->param($field))) {
    -             next unless $id;
    -             # $field is not passed to ValidateBugID to prevent adding new 
    --            # dependencies on inacessible bugs.
    -+            # dependencies on inaccessible bugs.
    -             ValidateBugID($id);
    -             push(@validvalues, $id);
    -         }
    -@@ -438,7 +438,7 @@
    -     if (@keywordlist) {
    -         # Make sure that we have the correct case for the kw
    -         SendSQL("SELECT name FROM keyworddefs WHERE id IN ( " .
    --                join(',', @keywordlist) . ")");
    -+                join(',', @keywordlist) . ") ORDER BY name");
    -         my @list;
    -         while (MoreSQLData()) {
    -             push (@list, FetchOneColumn());
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/process_bug.cgi bugzilla-2.22.1/process_bug.cgi
    ---- bugzilla-2.22/process_bug.cgi	2006-02-07 14:25:23.000000000 -0800
    -+++ bugzilla-2.22.1/process_bug.cgi	2006-06-19 09:41:03.000000000 -0700
    -@@ -225,7 +225,7 @@
    -     }
    - }
    - 
    --# Set up the vars for nagiavtional  elements
    -+# Set up the vars for navigational  elements
    - my @bug_list;
    - if ($cgi->cookie("BUGLIST") && defined $cgi->param('id')) {
    -     @bug_list = split(/:/, $cgi->cookie("BUGLIST"));
    -@@ -1789,8 +1789,7 @@
    -                     shift @oldlist;
    -                 } else {
    -                     if ($oldlist[0] != $newlist[0]) {
    --                        $dbh->bz_unlock_tables(UNLOCK_ABORT);
    --                        die "Error in list comparing code";
    -+                        ThrowCodeError('list_comparison_error');
    -                     }
    -                     shift @oldlist;
    -                     shift @newlist;
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/relogin.cgi bugzilla-2.22.1/relogin.cgi
    ---- bugzilla-2.22/relogin.cgi	2006-04-06 15:21:00.000000000 -0700
    -+++ bugzilla-2.22.1/relogin.cgi	2006-10-14 15:05:55.000000000 -0700
    -@@ -62,7 +62,7 @@
    -     }
    - 
    -     # Keep a temporary record of the user visiting this page
    --    $vars->{'token'} = Bugzilla::Token::IssueSessionToken('sudo_prepared');
    -+    $vars->{'token'} = issue_session_token('sudo_prepared');
    - 
    -     # Show the sudo page
    -     $vars->{'target_login_default'} = $cgi->param('target_login');
    -@@ -124,7 +124,7 @@
    -                        { target_login => scalar $cgi->param('target_login'),
    -                                reason => scalar $cgi->param('reason')});
    -     }
    --    Bugzilla::Token::DeleteToken($cgi->param('token'));
    -+    delete_token($cgi->param('token'));
    - 
    -     # Get & verify the target user (the user who we will be impersonating)
    -     my $target_user = 
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/reports.cgi bugzilla-2.22.1/reports.cgi
    ---- bugzilla-2.22/reports.cgi	2005-10-24 16:11:55.000000000 -0700
    -+++ bugzilla-2.22.1/reports.cgi	2006-06-03 12:53:59.000000000 -0700
    -@@ -233,7 +233,8 @@
    -     # and number
    - 
    -     if ($datasets !~ m/^[A-Za-z0-9:]+$/) {
    --        die "Invalid datasets $datasets";
    -+        $vars->{'datasets'} = $datasets;
    -+        ThrowUserError('invalid_datasets', $vars);
    -     }
    - 
    -     # Since we pass the tests, consider it OK
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/request.cgi bugzilla-2.22.1/request.cgi
    ---- bugzilla-2.22/request.cgi	2006-03-08 13:40:34.000000000 -0800
    -+++ bugzilla-2.22.1/request.cgi	2006-10-14 14:07:19.000000000 -0700
    -@@ -73,11 +73,6 @@
    -     my $status = validateStatus($cgi->param('status'));
    -     my $form_group = validateGroup($cgi->param('group'));
    - 
    --    my $attach_join_clause = "flags.attach_id = attachments.attach_id";
    --    if (Param("insidergroup") && !UserInGroup(Param("insidergroup"))) {
    --        $attach_join_clause .= " AND attachments.isprivate < 1";
    --    }
    --
    -     my $query = 
    -     # Select columns describing each flag, the bug/attachment on which
    -     # it has been set, who set it, and of whom they are requesting it.
    -@@ -98,7 +93,7 @@
    -     "
    -       FROM           flags 
    -            LEFT JOIN attachments
    --                  ON ($attach_join_clause)
    -+                  ON flags.attach_id = attachments.attach_id
    -           INNER JOIN flagtypes
    -                   ON flags.type_id = flagtypes.id
    -           INNER JOIN profiles AS requesters
    -@@ -127,7 +122,13 @@
    -                  (bugs.assigned_to = $userid) " .
    -                  (Param('useqacontact') ? "OR
    -                  (bugs.qa_contact = $userid))" : ")");
    --    
    -+
    -+    unless ($user->is_insider) {
    -+        $query .= " AND (attachments.attach_id IS NULL
    -+                         OR attachments.isprivate = 0
    -+                         OR attachments.submitter_id = $userid)";
    -+    }
    -+
    -     # Non-deleted flags only
    -     $query .= " AND flags.is_active = 1 ";
    -     
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/sanitycheck.cgi bugzilla-2.22.1/sanitycheck.cgi
    ---- bugzilla-2.22/sanitycheck.cgi	2006-01-16 02:29:18.000000000 -0800
    -+++ bugzilla-2.22.1/sanitycheck.cgi	2006-06-07 14:39:12.000000000 -0700
    -@@ -249,7 +249,7 @@
    - # Remove all references to deleted bugs
    - ###########################################################################
    - 
    --if (defined $cgi->param('remove_invalid_references')) {
    -+if (defined $cgi->param('remove_invalid_bug_references')) {
    -     Status("OK, now removing all references to deleted bugs.");
    - 
    -     $dbh->bz_lock_tables('attachments WRITE', 'bug_group_map WRITE',
    -@@ -280,6 +280,30 @@
    -     Status("All references to deleted bugs have been removed.");
    - }
    - 
    -+###########################################################################
    -+# Remove all references to deleted attachments
    -+###########################################################################
    -+
    -+if (defined $cgi->param('remove_invalid_attach_references')) {
    -+    Status("OK, now removing all references to deleted attachments.");
    -+
    -+    $dbh->bz_lock_tables('attachments WRITE', 'attach_data WRITE');
    -+
    -+    my $attach_ids =
    -+        $dbh->selectcol_arrayref('SELECT attach_data.id
    -+                                    FROM attach_data
    -+                               LEFT JOIN attachments
    -+                                      ON attachments.attach_id = attach_data.id
    -+                                   WHERE attachments.attach_id IS NULL');
    -+
    -+    if (scalar(@$attach_ids)) {
    -+        $dbh->do('DELETE FROM attach_data WHERE id IN (' .
    -+                 join(',', @$attach_ids) . ')');
    -+    }
    -+
    -+    $dbh->bz_unlock_tables();
    -+    Status("All references to deleted attachments have been removed.");
    -+}
    - 
    - print "OK, now running sanity checks.

    \n";
    -
    -@@ -345,7 +369,13 @@
    - }
    - # References to non existent bugs can be safely removed, bug 288461
    - if ($table eq 'bugs' && $has_bad_references) {
    -- print qq{Remove invalid references to non existent bugs.

    \n};
    -+ print qq{
    -+ Remove invalid references to non existent bugs.

    \n};
    -+ }
    -+ # References to non existent attachments can be safely removed.
    -+ if ($table eq 'attachments' && $has_bad_references) {
    -+ print qq{
    -+ Remove invalid references to non existent attachments.

    \n};
    - }
    - }
    - }
    -@@ -450,6 +480,9 @@
    - ['whine_queries', 'eventid'],
    - ['whine_schedules', 'eventid']);
    -
    -+CrossCheck('attachments', 'attach_id',
    -+ ['attach_data', 'id']);
    -+
    - ###########################################################################
    - # Perform double field referential (cross) checks
    - ###########################################################################
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/show_bug.cgi bugzilla-2.22.1/show_bug.cgi
    ---- bugzilla-2.22/show_bug.cgi 2005-10-30 13:31:28.000000000 -0800
    -+++ bugzilla-2.22.1/show_bug.cgi 2006-10-14 14:45:51.000000000 -0700
    -@@ -117,7 +117,7 @@
    - }
    -
    - unless (UserInGroup(Param("timetrackinggroup"))) {
    -- @fieldlist = grep($_ !~ /_time$/, @fieldlist);
    -+ @fieldlist = grep($_ !~ /(^deadline|_time)$/, @fieldlist);
    - }
    -
    - foreach (@fieldlist) {
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/showdependencygraph.cgi bugzilla-2.22.1/showdependencygraph.cgi
    ---- bugzilla-2.22/showdependencygraph.cgi 2006-02-07 01:22:25.000000000 -0800
    -+++ bugzilla-2.22.1/showdependencygraph.cgi 2006-10-14 14:28:41.000000000 -0700
    -@@ -278,7 +278,9 @@
    - }
    - }
    -
    --$vars->{'bug_id'} = $cgi->param('id');
    -+# Make sure we only include valid integers (protects us from XSS attacks).
    -+my @bugs = grep(detaint_natural($_), split(/[\s,]+/, $cgi->param('id')));
    -+$vars->{'bug_id'} = join(', ', @bugs);
    - $vars->{'multiple_bugs'} = ($cgi->param('id') =~ /[ ,]/);
    - $vars->{'doall'} = $cgi->param('doall');
    - $vars->{'rankdir'} = $rankdir;
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/showdependencytree.cgi bugzilla-2.22.1/showdependencytree.cgi
    ---- bugzilla-2.22/showdependencytree.cgi 2006-01-06 06:38:35.000000000 -0800
    -+++ bugzilla-2.22.1/showdependencytree.cgi 2006-10-11 15:40:31.000000000 -0700
    -@@ -45,7 +45,7 @@
    -
    - # Make sure the bug ID is a positive integer representing an existing
    - # bug that the user is authorized to access.
    --my $id = $cgi->param('id');
    -+my $id = $cgi->param('id') || ThrowUserError('invalid_bug_id_or_alias');
    - ValidateBugID($id);
    -
    - my $hide_resolved = $cgi->param('hide_resolved') ? 1 : 0;
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/skins/standard/editusers.css bugzilla-2.22.1/skins/standard/editusers.css
    ---- bugzilla-2.22/skins/standard/editusers.css 2005-02-28 12:41:43.000000000 -0800
    -+++ bugzilla-2.22.1/skins/standard/editusers.css 2006-10-14 13:30:54.000000000 -0700
    -@@ -50,3 +50,8 @@
    - text-align: center;
    - white-space: nowrap;
    - }
    -+
    -+.missing {
    -+ color: red;
    -+ border-color: inherit;
    -+}
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/skins/standard/global.css bugzilla-2.22.1/skins/standard/global.css
    ---- bugzilla-2.22/skins/standard/global.css 2006-02-21 08:15:16.000000000 -0800
    -+++ bugzilla-2.22.1/skins/standard/global.css 2006-10-14 15:05:55.000000000 -0700
    -@@ -99,8 +99,6 @@
    - font-family: serif;
    - font-weight: bold;
    - font-size: 110%;
    --
    -- white-space: nowrap;
    - padding: 0.2em 1em 0.1em 0.2em;
    - }
    -
    -@@ -162,10 +160,10 @@
    -
    - #message
    - {
    -- border: 1px solid red;
    -+ border: 1px solid red;
    -
    -- padding: 0.3em;
    -- color: green;
    -+ padding: 0.3em;
    -+ color: green;
    - }
    - /* header (end) */
    -
    -@@ -337,3 +335,11 @@
    - }
    -
    - table#flags th, table#flags td { vertical-align: baseline; text-align: left; }
    -+
    -+.throw_error {
    -+ background-color: #ff0000;
    -+ color: black;
    -+ font-size: 120%;
    -+ margin: 1em;
    -+ padding: 0.5em 1em;
    -+}
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/t/008filter.t bugzilla-2.22.1/t/008filter.t
    ---- bugzilla-2.22/t/008filter.t 2006-03-06 14:23:35.000000000 -0800
    -+++ bugzilla-2.22.1/t/008filter.t 2006-10-14 13:30:54.000000000 -0700
    -@@ -223,7 +223,7 @@
    - # Note: If a single directive prints two things, and only one is
    - # filtered, we may not catch that case.
    - return 1 if $directive =~ /FILTER\ (html|csv|js|base64|url_quote|css_class_quote|
    -- ics|quoteUrls|time|uri|xml|lower|
    -+ ics|quoteUrls|time|uri|xml|lower|html_light|
    - obsolete|inactive|closed|unitconvert|
    - none)\b/x;
    -
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/t/012throwables.t bugzilla-2.22.1/t/012throwables.t
    ---- bugzilla-2.22/t/012throwables.t 2006-04-17 13:48:15.000000000 -0700
    -+++ bugzilla-2.22.1/t/012throwables.t 2006-05-14 11:51:26.000000000 -0700
    -@@ -88,7 +88,7 @@
    - my $errtag = $1;
    - if ($errtag =~ /\s/) {
    - Register(\%test_templates, $file,
    -- "has an error definition \"$errtag\" at line $lineno with"
    -+ "has an error definition \"$errtag\" at line $lineno with "
    - . "space(s) embedded --ERROR");
    - }
    - else {
    -@@ -164,14 +164,26 @@
    - }
    -
    - sub Register {
    -- my ($hash, $file, $message) = @_;
    -- push @{$hash->{$file}}, $message;
    -+ my ($hash, $file, $message, $warning) = @_;
    -+ # If set to 1, $warning will avoid the test to fail.
    -+ $warning ||= 0;
    -+ push(@{$hash->{$file}}, {'message' => $message, 'warning' => $warning});
    - }
    -
    - sub Report {
    - my ($file, @errors) = @_;
    - if (scalar @errors) {
    -- ok(0, "$file has ". scalar @errors ." error(s):\n" . join("\n", @errors));
    -+ # Do we only have warnings to report or also real errors?
    -+ my @real_errors = grep {$_->{'warning'} == 0} @errors;
    -+ # Extract error messages.
    -+ @errors = map {$_->{'message'}} @errors;
    -+ if (scalar(@real_errors)) {
    -+ ok(0, "$file has ". scalar(@errors) ." error(s):\n" . join("\n", @errors));
    -+ }
    -+ else {
    -+ ok(1, "--WARNING $file has " . scalar(@errors) .
    -+ " unused error tag(s):\n" . join("\n", @errors));
    -+ }
    - }
    - else {
    - # This is used for both code and template files, so let's use
    -@@ -196,7 +208,7 @@
    - Register(\%test_templates, $file,
    - "$errtype error tag '$errtag' is defined at line(s) ("
    - . join (',', @{$Errors{$errtype}{$errtag}{defined_in}{$lang}{$file}})
    -- . ") but is not used anywhere");
    -+ .
") but is not used anywhere", 1);
    - }
    - }
    -
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/t/Support/Templates.pm bugzilla-2.22.1/t/Support/Templates.pm
    ---- bugzilla-2.22/t/Support/Templates.pm 2005-08-05 16:47:28.000000000 -0700
    -+++ bugzilla-2.22.1/t/Support/Templates.pm 2006-07-04 15:27:42.000000000 -0700
    -@@ -98,6 +98,10 @@
    - my $local_dir = File::Spec->abs2rel($File::Find::dir,
    - $File::Find::topdir);
    -
    -+ # File::Spec 3.13 and newer return "." instead of "" if both
    -+ # arguments of abs2rel() are identical.
    -+ $local_dir = "" if ($local_dir eq ".");
    -+
    - if ($local_dir) {
    - $filename = File::Spec->catfile($local_dir, $_);
    - } else {
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/account/auth/login-small.html.tmpl bugzilla-2.22.1/template/en/default/account/auth/login-small.html.tmpl
    ---- bugzilla-2.22/template/en/default/account/auth/login-small.html.tmpl 2006-02-20 16:19:25.000000000 -0800
    -+++ bugzilla-2.22.1/template/en/default/account/auth/login-small.html.tmpl 2006-06-19 11:31:17.000000000 -0700
    -@@ -21,7 +21,7 @@
    -
    - [% PROCESS global/variables.none.tmpl %]
    -
    --[%# Use the current script name. If an empty name is retuned,
    -+[%# Use the current script name. If an empty name is returned,
    - # then we are accessing the home page. %]
    -
    - [% script_name = cgi.url(Relative => 1) %]
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/account/prefs/email.html.tmpl bugzilla-2.22.1/template/en/default/account/prefs/email.html.tmpl
    ---- bugzilla-2.22/template/en/default/account/prefs/email.html.tmpl 2005-10-31 15:09:28.000000000 -0800
    -+++ bugzilla-2.22.1/template/en/default/account/prefs/email.html.tmpl 2006-07-13 11:52:14.000000000 -0700
    -@@ -275,7 +275,7 @@
    - [% watcher FILTER html %]
    - [% END %]
    - [% ELSE %]
    -- None
    -+ No one
    - [% END %]
    -

    - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/account/prefs/footer.html.tmpl bugzilla-2.22.1/template/en/default/account/prefs/footer.html.tmpl ---- bugzilla-2.22/template/en/default/account/prefs/footer.html.tmpl 2004-03-18 13:51:16.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/account/prefs/footer.html.tmpl 1969-12-31 16:00:00.000000000 -0800 -@@ -1,78 +0,0 @@ --[%# 1.0@bugzilla.org %] --[%# The contents of this file are subject to the Mozilla Public -- # License Version 1.1 (the "License"); you may not use this file -- # except in compliance with the License. You may obtain a copy of -- # the License at http://www.mozilla.org/MPL/ -- # -- # Software distributed under the License is distributed on an "AS -- # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or -- # implied. See the License for the specific language governing -- # rights and limitations under the License. -- # -- # The Original Code is the Bugzilla Bug Tracking System. -- # -- # The Initial Developer of the Original Code is Netscape Communications -- # Corporation. Portions created by Netscape are -- # Copyright (C) 1998 Netscape Communications Corporation. All -- # Rights Reserved. -- # -- # Contributor(s): Gervase Markham -- #%] -- --[%# INTERFACE: -- # mybugslink: boolean. True if the user wishes the My Bugs link to appear. -- # queries: array of hashes. May be empty. Each hash has two members: -- # name: string. The name of the search. -- # footer: boolean. True if the search appears in the footer. -- #%] -- --[% PROCESS global/variables.none.tmpl %] -- -- -- -- -- -- -- -- -- [% IF queries.size %] -- [% FOREACH query = queries %] -- -- -- -- -- -- -- [% END %] -- -- [% ELSE %] -- -- -- -- [% END %] -- --
    The 'My [% terms.bugs %]' link: -- --
    Your search named '[% query.name FILTER html %]': -- --
    --
    -- If you create remembered queries using the -- search page, -- you can then come to this page and choose to have some of them -- appear in the footer of each [% terms.Bugzilla %] page. --
    --
    --
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/account/prefs/permissions.html.tmpl bugzilla-2.22.1/template/en/default/account/prefs/permissions.html.tmpl ---- bugzilla-2.22/template/en/default/account/prefs/permissions.html.tmpl 2005-11-19 17:31:36.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/account/prefs/permissions.html.tmpl 2006-10-14 13:30:55.000000000 -0700 -@@ -42,8 +42,8 @@ - - [% FOREACH bit_description = has_bits %] - -- -- -+ -+ - - [% END %] -
    [% bit_description.name %][% bit_description.desc %][% bit_description.name FILTER html %][% bit_description.desc FILTER html_light %]
    -@@ -63,8 +63,8 @@ - - [% FOREACH bit_description = set_bits %] - -- -- -+ -+ - - [% END %] -
    [% bit_description.name %][% bit_description.desc %][% bit_description.name FILTER html %][% bit_description.desc FILTER html_light %]
    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/account/prefs/prefs.html.tmpl bugzilla-2.22.1/template/en/default/account/prefs/prefs.html.tmpl ---- bugzilla-2.22/template/en/default/account/prefs/prefs.html.tmpl 2005-10-28 02:56:54.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/account/prefs/prefs.html.tmpl 2006-06-09 05:15:54.000000000 -0700 -@@ -49,7 +49,7 @@ - link => "userprefs.cgi?tab=settings", saveable => "1" }, - { name => "email", label => "Email Preferences", - link => "userprefs.cgi?tab=email", saveable => "1" }, -- { name => "saved-searches", label => "Saved searches", -+ { name => "saved-searches", label => "Saved Searches", - link => "userprefs.cgi?tab=saved-searches", saveable => "1" }, - { name => "permissions", label => "Permissions", - link => "userprefs.cgi?tab=permissions", saveable => "0" } ] %] -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/account/prefs/settings.html.tmpl bugzilla-2.22.1/template/en/default/account/prefs/settings.html.tmpl ---- bugzilla-2.22/template/en/default/account/prefs/settings.html.tmpl 2005-10-28 02:56:54.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/account/prefs/settings.html.tmpl 2006-10-14 13:30:55.000000000 -0700 -@@ -49,8 +49,8 @@ - - - [% IF settings.${name}.is_enabled %] -- - [% ELSE %] -- -+ - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/classifications/add.html.tmpl bugzilla-2.22.1/template/en/default/admin/classifications/add.html.tmpl ---- bugzilla-2.22/template/en/default/admin/classifications/add.html.tmpl 2004-08-20 14:49:18.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/classifications/add.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -37,6 +37,7 @@ -
    - - -+ - - -

    Back to the main [% terms.bugs %] page -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/classifications/del.html.tmpl bugzilla-2.22.1/template/en/default/admin/classifications/del.html.tmpl ---- bugzilla-2.22/template/en/default/admin/classifications/del.html.tmpl 2005-10-13 16:42:43.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/classifications/del.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -36,7 +36,7 @@ - Description: - - [% IF classification.description %] -- [% classification.description FILTER none %] -+ [% classification.description FILTER html_light %] - [% ELSE %] - description missing - [% END %] -@@ -52,6 +52,7 @@ - - - -+ - - -

    Back to the main [% terms.bugs %] page -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/classifications/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/classifications/edit.html.tmpl ---- bugzilla-2.22/template/en/default/admin/classifications/edit.html.tmpl 2005-10-17 14:58:51.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/classifications/edit.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -33,7 +33,7 @@ - - Description: - -+ [% classification.description FILTER html %] - - - -@@ -49,7 +49,7 @@ - [% product.name FILTER html %] - - [% IF product.description %] -- [% product.description FILTER none %] -+ [% product.description FILTER html_light %] - [% ELSE %] - description missing - [% END %] -@@ -67,6 +67,7 @@ - - -+ - - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/classifications/reclassify.html.tmpl bugzilla-2.22.1/template/en/default/admin/classifications/reclassify.html.tmpl ---- bugzilla-2.22/template/en/default/admin/classifications/reclassify.html.tmpl 2005-10-13 16:42:43.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/classifications/reclassify.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -33,7 +33,7 @@ - Description: - - [% IF classification.description %] -- [% classification.description FILTER none %] -+ [% classification.description FILTER html_light %] - [% ELSE %] - description missing - [% END %] -@@ -78,6 +78,7 @@ - - - -+ - - -

    Back to the main [% terms.bugs %] page, -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/classifications/select.html.tmpl bugzilla-2.22.1/template/en/default/admin/classifications/select.html.tmpl ---- bugzilla-2.22/template/en/default/admin/classifications/select.html.tmpl 2006-01-22 14:53:53.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/admin/classifications/select.html.tmpl 2006-10-14 13:30:55.000000000 -0700 -@@ -36,7 +36,7 @@ - [% cl.name FILTER html %] - - [% IF cl.description %] -- [% cl.description %] -+ [% cl.description FILTER html_light %] - [% ELSE %] - none - [% END %] -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/components/confirm-delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/components/confirm-delete.html.tmpl ---- bugzilla-2.22/template/en/default/admin/components/confirm-delete.html.tmpl 2005-09-06 16:53:59.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/components/confirm-delete.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -44,7 +44,7 @@ - - - Component Description: -- [% comp.description FILTER html %] -+ [% comp.description FILTER html_light %] - - - Default assignee: -@@ -66,7 +66,7 @@ - - - Product Description: -- [% prod.description FILTER html %] -+ [% prod.description FILTER html_light %] - [% END %] - - [% IF Param('usetargetmilestone') %] -@@ -150,6 +150,7 @@ - - - -+ - - - [% END %] -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/components/create.html.tmpl bugzilla-2.22.1/template/en/default/admin/components/create.html.tmpl ---- bugzilla-2.22/template/en/default/admin/components/create.html.tmpl 2006-01-01 13:25:05.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/admin/components/create.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -78,7 +78,7 @@ - - - -- -+ - - - [% PROCESS admin/components/footer.html.tmpl %] -diff -urN --exclude=CVS --exclude='*.pdf' 
bugzilla-2.22/template/en/default/admin/components/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/components/edit.html.tmpl ---- bugzilla-2.22/template/en/default/admin/components/edit.html.tmpl 2005-09-06 16:53:59.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/components/edit.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -94,6 +94,7 @@ - - - -+ - or -+ #%] -+ -+[%# INTERFACE: -+ # abuser: identity of the user who created the (invalid?) token. -+ # token_action: the action the token was supposed to serve. -+ # expected_action: the action the user was going to do. -+ # script_name: the script generating this warning. -+ #%] -+ -+[% PROCESS "global/field-descs.none.tmpl" %] -+ -+[% PROCESS global/header.html.tmpl title = "Suspicious Action" -+ style_urls = ['skins/standard/global.css'] %] -+ -+[% IF abuser %] -+

    -+[% ELSE %] -+
    -+ It looks like you didn't come from the right page (you have no valid token for -+ the [% expected_action FILTER html %] action while processing the -+ '[% script_name FILTER html%]' script). The reason could be one of:
    -+
      -+
    • You clicked the "Back" button of your web browser after having successfully -+ submitted changes, which is generally not a good idea (but harmless).
    • -+
    • You entered the URL in the address bar of your web browser directly, -+ which should be safe.
    • -+
    • You clicked on a URL which redirected you here without your consent, -+ in which case this action is much more critical.
    • -+
    -+ Are you sure you want to commit these changes anyway? This may result in -+ unexpected and undesired results. -+
    -+ -+
    -+ [% PROCESS "global/hidden-fields.html.tmpl" -+ exclude="^(Bugzilla_login|Bugzilla_password)$" %] -+ -+
    -+

    Or throw away these changes and go back to -+ [%- script_name FILTER html %].

    -+[% END %] -+ -+[% PROCESS global/footer.html.tmpl %] -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/fieldvalues/confirm-delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/fieldvalues/confirm-delete.html.tmpl ---- bugzilla-2.22/template/en/default/admin/fieldvalues/confirm-delete.html.tmpl 2005-10-19 15:21:05.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/fieldvalues/confirm-delete.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -111,6 +111,7 @@ - - - -+ - - - [% END %] -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/fieldvalues/create.html.tmpl bugzilla-2.22.1/template/en/default/admin/fieldvalues/create.html.tmpl ---- bugzilla-2.22/template/en/default/admin/fieldvalues/create.html.tmpl 2005-06-14 20:55:00.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/fieldvalues/create.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -42,7 +42,7 @@ - - - -- -+ - - -

    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/fieldvalues/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/fieldvalues/edit.html.tmpl ---- bugzilla-2.22/template/en/default/admin/fieldvalues/edit.html.tmpl 2005-09-01 15:00:54.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/fieldvalues/edit.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -48,8 +48,8 @@ - - - -+ - -- - - -

    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/flag-type/confirm-delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/flag-type/confirm-delete.html.tmpl ---- bugzilla-2.22/template/en/default/admin/flag-type/confirm-delete.html.tmpl 2004-01-18 10:39:14.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/admin/flag-type/confirm-delete.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -21,18 +21,16 @@ - - [% PROCESS global/variables.none.tmpl %] - --[%# Filter off the name here to be used multiple times below %] --[% name = BLOCK %][% flag_type.name FILTER html %][% END %] -+[% title = BLOCK %]Confirm Deletion of Flag Type '[% flag_type.name FILTER html %]'[% END %] - --[% PROCESS global/header.html.tmpl -- title = "Confirm Deletion of Flag Type '$name'" --%] -+[% PROCESS global/header.html.tmpl title = title %] - -

    -- There are [% flag_count %] flags of type [% name FILTER html %]. -+ There are [% flag_count %] flags of type [% flag_type.name FILTER html %]. - If you delete this type, those flags will also be deleted. Note that - instead of deleting the type you can -- deactivate it, -+ deactivate it, - in which case the type and its flags will remain in the database - but will not appear in the [% terms.Bugzilla %] UI. -

    -@@ -45,8 +43,8 @@ - - - -- -- Yes, delete -+ Yes, delete - - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/flag-type/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/flag-type/edit.html.tmpl ---- bugzilla-2.22/template/en/default/admin/flag-type/edit.html.tmpl 2006-01-21 06:07:03.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/admin/flag-type/edit.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -45,9 +45,9 @@ - [% END %] - - [% IF last_action == "copy" %] -- [% title = "Create Flag Type Based on $type.name" %] -+ [% title = BLOCK %]Create Flag Type Based on [% type.name FILTER html %][% END %] - [% ELSIF last_action == "edit" %] -- [% title = "Edit Flag Type $type.name" %] -+ [% title = BLOCK %]Edit Flag Type [% type.name FILTER html %][% END %] - [% END %] - - [% PROCESS global/header.html.tmpl -@@ -63,6 +63,7 @@ -
    - - -+ - - [% FOREACH category = type.inclusions %] - -@@ -71,6 +72,10 @@ - - [% END %] - -+ [%# Add a hidden button at the top of the form so that the user pressing "return" -+ # really submit the form, as expected. %] -+ -+ - - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/flag-type/list.html.tmpl bugzilla-2.22.1/template/en/default/admin/flag-type/list.html.tmpl ---- bugzilla-2.22/template/en/default/admin/flag-type/list.html.tmpl 2005-02-25 07:27:24.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/admin/flag-type/list.html.tmpl 2006-10-14 15:05:56.000000000 -0700 -@@ -59,25 +59,6 @@ - Create Flag Type For Attachments -

    - -- -- - [% PROCESS global/footer.html.tmpl %] - - -@@ -97,9 +78,7 @@ - - - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/change.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/change.html.tmpl ---- bugzilla-2.22/template/en/default/admin/groups/change.html.tmpl 2004-07-12 22:12:31.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/groups/change.html.tmpl 2006-06-19 11:27:25.000000000 -0700 -@@ -28,7 +28,7 @@ - # 1 - remove_explicit_members - # 2 - remove_explicit_members_regexp - # 3 - no conversion, just save the changes -- # changes: boolean int. Is 1 if changes occured. -+ # changes: boolean int. Is 1 if changes occurred. - # gid: integer. The ID of the group. - # name: the name of the product where removal is performed. - # regexp: the regexp according to which the update is performed. -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/create.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/create.html.tmpl ---- bugzilla-2.22/template/en/default/admin/groups/create.html.tmpl 2004-07-12 22:12:31.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/groups/create.html.tmpl 2006-10-14 15:05:57.000000000 -0700 -@@ -49,6 +49,7 @@ - Insert new group into all existing products.

    - - -+ - - -

    Name is what is used with the UserInGroup() function in any -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/deleted.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/deleted.html.tmpl ---- bugzilla-2.22/template/en/default/admin/groups/deleted.html.tmpl 2005-10-17 14:58:52.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/groups/deleted.html.tmpl 2006-09-29 13:05:27.000000000 -0700 -@@ -23,9 +23,7 @@ - #%] - - [%# INTERFACE: -- # gid: number. The group ID. - # name: string. The name of the group. -- # cantdelete: boolean int. Is 1 if the group couldn't have been deleted. - #%] - - -@@ -33,21 +31,7 @@ - title = "Deleting group" - %] - --[% IF cantdelete %] --

    -- This group cannot be deleted because there are records -- in the database which refer to it. All such records -- must be removed or altered to remove the reference to this -- group before the group can be deleted. --

    -- --

    -- View -- the list of which records are affected. --

    --[% ELSE %] --

    The group [% name FILTER html %] has been deleted.

    --[% END %] -+

    The group [% name FILTER html %] has been deleted.

    - -

    Go back to the group list. - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/delete.html.tmpl ---- bugzilla-2.22/template/en/default/admin/groups/delete.html.tmpl 2005-11-30 00:19:28.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/admin/groups/delete.html.tmpl 2006-10-14 15:05:57.000000000 -0700 -@@ -47,7 +47,7 @@ -

    - - -- -+ - -
    Name:[% type.description FILTER html %] - Copy -- | Delete -+ | Delete -
    [% gid FILTER html %][% name FILTER html %][% description FILTER html %][% description FILTER html_light %]
    - -@@ -103,6 +103,7 @@ -

    - - -+ - - - Go back to the group list. -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/edit.html.tmpl ---- bugzilla-2.22/template/en/default/admin/groups/edit.html.tmpl 2005-02-18 08:38:42.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/admin/groups/edit.html.tmpl 2006-10-14 15:05:57.000000000 -0700 -@@ -41,9 +41,10 @@ - # be aware of the group being edited and its members. - #%] - -+[% title = BLOCK %]Change Group: [% name FILTER html %][% END %] - - [% PROCESS global/header.html.tmpl -- title = "Change Group: $name" -+ title = title - style = "tr.odd_row { - background: #e9e9e9; - } -@@ -165,7 +166,7 @@ - [% group.grpnam FILTER html %] - - -- [% group.grpdesc FILTER html %] -+ [% group.grpdesc FILTER html_light %] - - [% END %] - -@@ -213,6 +214,7 @@ - - - -+ - - - Back to the group list. -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/list.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/list.html.tmpl ---- bugzilla-2.22/template/en/default/admin/groups/list.html.tmpl 2006-01-26 09:38:09.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/admin/groups/list.html.tmpl 2006-10-14 13:30:56.000000000 -0700 -@@ -37,53 +37,104 @@ - h2 = "This lets you edit the groups available to put users in." - %] - -+[% edit_contentlink = "editgroups.cgi?action=changeform&group=%%id%%" %] -+[% del_contentlink = "editgroups.cgi?action=del&group=%%id%%" %] - -- -- -- -- -- -- -- -- -- -- -- [% FOREACH group = groups %] -- -- -- -- -- -- -- -- -- -- -- -- [% END %] -- -- -- -- -- --
    NameDescriptionUser RegExpUse For [% terms.Bugs %]TypeAction
    -- -- [% group.name FILTER html %] -- [% group.description FILTER html %][% group.userregexp FILTER html %]  -- [% IF (group.isactive != 0) && (group.isbuggroup) %] -- X -- [% ELSE %] --   -- [% END %] -- -- [% (group.isbuggroup) ? "user" : "system" %] -- -- [% IF (group.isbuggroup) %] -- Delete -- [% ELSE %] --   -- [% END %] --
    Add Group
    -+[% columns = -+ [{name => 'name' -+ heading => 'Name' -+ contentlink => edit_contentlink -+ } -+ {name => 'description' -+ heading => 'Description' -+ allow_html_content => 1 -+ } -+ {name => 'userregexp' -+ heading => 'User RegExp' -+ } -+ {name => 'use_for' -+ heading => "Use For $terms.Bugs" -+ align => 'center' -+ } -+ {name => 'type' -+ heading => 'Type' -+ align => 'center' -+ } -+ {name => 'action' -+ heading => 'Action' -+ } -+ ] -+%] -+ -+[% overrides.use_for = [ { -+ match_value => "0" -+ match_field => 'use_for' -+ override_content => 1 -+ content => " " -+ }, -+ { -+ match_value => "1" -+ match_field => 'use_for' -+ override_content => 1 -+ content => "X" -+ }] -+ overrides.userregexp = [ { -+ match_value => "" -+ match_field => 'userregexp' -+ override_content => 1 -+ content => " " -+ }] -+ overrides.action = [ { -+ match_value => Param("chartgroup") -+ match_field => 'name' -+ override_content => 1 -+ content => "(used as the 'chartgroup')" -+ }, -+ { -+ match_value => Param("insidergroup") -+ match_field => 'name' -+ override_content => 1 -+ content => "(used as the 'insidergroup')" -+ }, -+ { -+ match_value => Param("timetrackinggroup") -+ match_field => 'name' -+ override_content => 1 -+ content => "(used as the 'timetrackinggroup')" -+ }, -+ { -+ match_value => "1" -+ match_field => 'isbuggroup' -+ override_content => 1 -+ content => "Delete" -+ override_contentlink => 1 -+ contentlink => del_contentlink -+ }] -+ overrides.type = [ { -+ match_value => "0" -+ match_field => 'isbuggroup' -+ override_content => 1 -+ content => "system" -+ }, -+ { -+ match_value => "1" -+ match_field => 'isbuggroup' -+ override_content => 1 -+ content => "user" -+ }] -+%] -+ -+[% FOREACH group = groups %] -+ [% group.use_for = (group.isactive != 0) && (group.isbuggroup) %] -+[% END %] -+ -+[% PROCESS admin/table.html.tmpl -+ columns = columns -+ data = groups -+ overrides = overrides -+%] -+ -+

    Add Group

    - -

    - Name is what is used with the UserInGroup() function in any -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/groups/remove.html.tmpl bugzilla-2.22.1/template/en/default/admin/groups/remove.html.tmpl ---- bugzilla-2.22/template/en/default/admin/groups/remove.html.tmpl 2004-07-12 22:12:32.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/groups/remove.html.tmpl 2006-10-14 13:50:43.000000000 -0700 -@@ -33,14 +33,16 @@ - - - [% IF remove_all %] -- [% title = "Removing All Explicit Group Memberships from '" -- _ name _ "'" %] -+ [% title = BLOCK %] -+ Removing All Explicit Group Memberships from '[% name FILTER html %]' -+ [% END %] - [% ELSE %] -- [% title = "Removing All Explicit Group Memberships Matching " -- _ "Group RegExp from '" _ name _ "'" %] -+ [% title = BLOCK %] -+ Removing All Explicit Group Memberships Matching Group RegExp from '[% name FILTER html %]' -+ [% END %] - [% END %] - --[% PROCESS global/header.html.tmpl %] -+[% PROCESS global/header.html.tmpl title = title %] - - [% IF remove_all %] -

    Removing explicit membership
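Review bot: The `title` built in the two new `BLOCK`s of admin/groups/remove.html.tmpl is escaped in place with `name FILTER html` and then passed on with `PROCESS global/header.html.tmpl title = title`, but nothing in the hunk records that the caller now owns the escaping. The header template is not part of this hunk: if it prints `title` as-is, every caller must pre-escape like this, and if it filters again the group name will be double-escaped. I would add a comment above the first `BLOCK`, for example `[%# title is handed to the header already escaped; keep FILTER html on name %]`. The `[% IF remove_all %]` body after the `PROCESS` line continues outside the hunk, so whether `name` is filtered there cannot be checked from here.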

    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/keywords/confirm-delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/keywords/confirm-delete.html.tmpl ---- bugzilla-2.22/template/en/default/admin/keywords/confirm-delete.html.tmpl 2004-01-18 10:39:15.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/admin/keywords/confirm-delete.html.tmpl 2006-10-14 15:05:57.000000000 -0700 -@@ -46,6 +46,7 @@ - - - -+ - - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/keywords/create.html.tmpl bugzilla-2.22.1/template/en/default/admin/keywords/create.html.tmpl ---- bugzilla-2.22/template/en/default/admin/keywords/create.html.tmpl 2004-01-18 10:39:15.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/admin/keywords/create.html.tmpl 2006-10-14 15:05:57.000000000 -0700 -@@ -47,6 +47,7 @@ - - - -+ - - -

    Edit other keywords.

    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/keywords/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/keywords/edit.html.tmpl ---- bugzilla-2.22/template/en/default/admin/keywords/edit.html.tmpl 2005-07-10 16:41:12.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/keywords/edit.html.tmpl 2006-10-14 15:05:57.000000000 -0700 -@@ -62,6 +62,7 @@ - - - -+ - - -

    Edit other keywords.

    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/keywords/list.html.tmpl bugzilla-2.22.1/template/en/default/admin/keywords/list.html.tmpl ---- bugzilla-2.22/template/en/default/admin/keywords/list.html.tmpl 2005-07-10 16:41:12.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/keywords/list.html.tmpl 2006-10-14 13:30:56.000000000 -0700 -@@ -43,7 +43,8 @@ - }, - { - name => "description" -- heading => "Description" -+ heading => "Description" -+ allow_html_content => 1 - }, - { - name => "bug_count" -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/milestones/confirm-delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/milestones/confirm-delete.html.tmpl ---- bugzilla-2.22/template/en/default/admin/milestones/confirm-delete.html.tmpl 2005-07-27 17:35:50.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/milestones/confirm-delete.html.tmpl 2006-10-14 15:05:57.000000000 -0700 -@@ -91,6 +91,7 @@ - - - -+ - - - [% PROCESS admin/milestones/footer.html.tmpl %] -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/milestones/create.html.tmpl bugzilla-2.22.1/template/en/default/admin/milestones/create.html.tmpl ---- bugzilla-2.22/template/en/default/admin/milestones/create.html.tmpl 2005-08-23 05:39:17.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/milestones/create.html.tmpl 2006-10-14 15:05:57.000000000 -0700 -@@ -48,7 +48,7 @@ - - - -- -+ - - -
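Review bot: In the `@@ -43,7 +43,8 @@` hunk of admin/keywords/list.html.tmpl the `description` column gains `allow_html_content => 1`, but how that flag affects escaping is decided in `admin/table.html.tmpl`, which this hunk does not show. Keyword descriptions are stored data, so the flag should select a restricted filter such as the `html_light` used for product descriptions elsewhere in this patch, not unfiltered output; that is worth confirming in the table template. A short comment inside the column definition would record the intent, for example `# description may carry limited markup; table.html.tmpl chooses the filter`. The groups list template earlier in this patch sets the same flag on its description column, so the same check applies there.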

    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/milestones/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/milestones/edit.html.tmpl ---- bugzilla-2.22/template/en/default/admin/milestones/edit.html.tmpl 2005-08-23 05:39:17.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/milestones/edit.html.tmpl 2006-10-14 15:05:57.000000000 -0700 -@@ -56,7 +56,7 @@ - - - -- -+ - - -

    -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/params/bugchange.html.tmpl bugzilla-2.22.1/template/en/default/admin/params/bugchange.html.tmpl ---- bugzilla-2.22/template/en/default/admin/params/bugchange.html.tmpl 2005-10-14 10:54:56.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/params/bugchange.html.tmpl 2006-07-20 16:34:10.000000000 -0700 -@@ -20,8 +20,8 @@ - # Frédéric Buclin - #%] - [% -- title = "Bug Change Policies" -- desc = "Set up bug change policies" -+ title = "$terms.Bug Change Policies" -+ desc = "Set up $terms.bug change policies" - %] - - [% param_descs = { -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/params/bugfields.html.tmpl bugzilla-2.22.1/template/en/default/admin/params/bugfields.html.tmpl ---- bugzilla-2.22/template/en/default/admin/params/bugfields.html.tmpl 2005-10-14 10:54:56.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/params/bugfields.html.tmpl 2006-07-20 16:34:10.000000000 -0700 -@@ -20,7 +20,7 @@ - # Frédéric Buclin - #%] - [% -- title = "Bug Fields" -+ title = "$terms.Bug Fields" - desc = "Choose fields you want to display" - %] - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/params/bugmove.html.tmpl bugzilla-2.22.1/template/en/default/admin/params/bugmove.html.tmpl ---- bugzilla-2.22/template/en/default/admin/params/bugmove.html.tmpl 2005-10-12 01:51:54.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/params/bugmove.html.tmpl 2006-07-20 16:34:10.000000000 -0700 -@@ -20,8 +20,8 @@ - # Frédéric Buclin - #%] - [% -- title = "Bug Moving" -- desc = "Set up parameters to move bugs to/from another installation" -+ title = "$terms.Bug Moving" -+ desc = "Set up parameters to move $terms.bugs to/from another installation" - %] - - [% param_descs = { -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/params/editparams.html.tmpl 
bugzilla-2.22.1/template/en/default/admin/params/editparams.html.tmpl ---- bugzilla-2.22/template/en/default/admin/params/editparams.html.tmpl 2005-10-13 02:18:23.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/params/editparams.html.tmpl 2006-10-14 15:05:57.000000000 -0700 -@@ -99,6 +99,7 @@ - [% PROCESS admin/params/common.html.tmpl panel = current_panel %] - - -+ - - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/products/confirm-delete.html.tmpl bugzilla-2.22.1/template/en/default/admin/products/confirm-delete.html.tmpl ---- bugzilla-2.22/template/en/default/admin/products/confirm-delete.html.tmpl 2005-11-18 16:48:08.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/admin/products/confirm-delete.html.tmpl 2006-10-14 15:05:58.000000000 -0700 -@@ -56,7 +56,7 @@ - [%# descriptions are intentionally not filtered to allow html content %] - - [% IF classification.description %] -- [% classification.description FILTER none %] -+ [% classification.description FILTER html_light %] - [% ELSE %] - missing - [% END %] -@@ -78,7 +78,7 @@ - [%# descriptions are intentionally not filtered to allow html content %] - - [% IF product.description %] -- [% product.description FILTER none %] -+ [% product.description FILTER html_light %] - [% ELSE %] - missing - [% END %] -@@ -132,7 +132,7 @@ - [%# descriptions are intentionally not filtered to allow html content %] - - [% IF c.description %] -- [% c.description FILTER none %] -+ [% c.description FILTER html_light %] - [% ELSE %] - missing - [% END %] -@@ -263,6 +263,7 @@ - - - -+ - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/products/create.html.tmpl bugzilla-2.22.1/template/en/default/admin/products/create.html.tmpl ---- bugzilla-2.22/template/en/default/admin/products/create.html.tmpl 2005-10-26 10:14:33.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/products/create.html.tmpl 2006-10-14 15:05:58.000000000 -0700 
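Review bot: The comment `[%# descriptions are intentionally not filtered to allow html content %]` is now wrong in the `@@ -56,7`, `@@ -78,7` and `@@ -132,7` hunks of admin/products/confirm-delete.html.tmpl. It is left in place as context above `classification.description`, `product.description` and `c.description`, although each of those lines now uses `FILTER html_light` instead of `FILTER none`. A stale comment like this invites a later edit back to `FILTER none`. I would replace it in all three places with `[%# descriptions go through html_light so only the markup that filter permits is rendered %]`.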
-@@ -57,6 +57,7 @@ - - - -+ - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/products/edit-common.html.tmpl bugzilla-2.22.1/template/en/default/admin/products/edit-common.html.tmpl ---- bugzilla-2.22/template/en/default/admin/products/edit-common.html.tmpl 2005-12-13 12:08:13.000000000 -0800 -+++ bugzilla-2.22.1/template/en/default/admin/products/edit-common.html.tmpl 2006-10-14 13:30:56.000000000 -0700 -@@ -40,7 +40,7 @@ - - Description: - -+ [% product.description FILTER html %] - - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/products/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/products/edit.html.tmpl ---- bugzilla-2.22/template/en/default/admin/products/edit.html.tmpl 2005-10-26 10:14:35.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/products/edit.html.tmpl 2006-10-14 15:05:58.000000000 -0700 -@@ -50,7 +50,7 @@ - [% FOREACH component = product.components %] - [% component.name FILTER html %]:  - [% IF component.description %] -- [% component.description FILTER none %] -+ [% component.description FILTER html_light %] - [% ELSE %] - description missing - [% END %] -@@ -132,6 +132,7 @@ - - -+ - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/products/groupcontrol/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/products/groupcontrol/edit.html.tmpl ---- bugzilla-2.22/template/en/default/admin/products/groupcontrol/edit.html.tmpl 2005-10-17 14:43:42.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/products/groupcontrol/edit.html.tmpl 2006-10-14 15:05:58.000000000 -0700 -@@ -31,6 +31,7 @@ -

    - - -+ - - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/products/updated.html.tmpl bugzilla-2.22.1/template/en/default/admin/products/updated.html.tmpl ---- bugzilla-2.22/template/en/default/admin/products/updated.html.tmpl 2005-10-17 14:43:41.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/products/updated.html.tmpl 2006-10-14 13:30:56.000000000 -0700 -@@ -39,7 +39,7 @@ - # - # confirmedbugs: list of bug ids, which were confirmed by votes - # -- # changer: string; user id of the user making the changes, used for mailing -+ # changer: string; login of the user making the changes, used for mailing - # bug changes if necessary - # - #%] -@@ -75,7 +75,7 @@ -

    - Updated description to:

    -

    --

    [% product.description FILTER html %]

    -+

    [% product.description FILTER html_light %]

    - [% updated = 1 %] - [% END %] - -diff -urN --exclude=CVS --exclude='*.pdf' bugzilla-2.22/template/en/default/admin/settings/edit.html.tmpl bugzilla-2.22.1/template/en/default/admin/settings/edit.html.tmpl ---- bugzilla-2.22/template/en/default/admin/settings/edit.html.tmpl 2005-06-20 14:14:43.000000000 -0700 -+++ bugzilla-2.22.1/template/en/default/admin/settings/edit.html.tmpl 2006-10-14 15:05:58.000000000 -0700 -@@ -64,7 +64,7 @@ - [% setting_descs.$name OR name FILTER html %] - - -- - [% FOREACH x = settings.${name}.legal_values %] -
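Review bot: The `@@ -75,7 +75,7 @@` hunk of admin/products/updated.html.tmpl moves `product.description` from `FILTER html` to `FILTER html_light`, which loosens escaping on this page while the other description changes in this patch tighten it from `FILTER none`. That looks deliberate, presumably so the confirmation shows the description as it is rendered elsewhere. The definition of `html_light` is not in this hunk, though, so the markup it lets through should be checked against what anyone able to edit product descriptions can store. A comment beside the line would keep the next editor from reading it as a regression, for example `[%# html_light on purpose: render the description the same way the product pages do %]`. The enclosing conditional block starts outside the hunk.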