-rw-r--r-- | ReleaseNotes/ReleaseNotes-2.5.1.txt | 2 | ||||
-rw-r--r-- | ReleaseNotes/ReleaseNotes-2.5.3.txt | 4 | ||||
-rw-r--r-- | ReleaseNotes/ReleaseNotes-2.5.4.txt | 22 | ||||
-rw-r--r-- | ReleaseNotes/index.txt | 1 | ||||
-rw-r--r-- | gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/account/AccountSecurityImpl.java | 12 |
5 files changed, 35 insertions, 6 deletions
diff --git a/ReleaseNotes/ReleaseNotes-2.5.1.txt b/ReleaseNotes/ReleaseNotes-2.5.1.txt
index 3a640d1252..6fc0dc57de 100644
--- a/ReleaseNotes/ReleaseNotes-2.5.1.txt
+++ b/ReleaseNotes/ReleaseNotes-2.5.1.txt
@@ -7,7 +7,7 @@ link:http://code.google.com/p/gerrit/downloads/detail?name=gerrit-full-2.5.1.war
 There are no schema changes from 2.5, or 2.5.1.
-However, if upgrading from anything earlier version, follow the upgrade
+However, if upgrading from a version older than 2.5, follow the upgrade
 procedure in the 2.5 link:ReleaseNotes-2.5.html[Release Notes].
 Security Fixes
diff --git a/ReleaseNotes/ReleaseNotes-2.5.3.txt b/ReleaseNotes/ReleaseNotes-2.5.3.txt
index 1cbe85f514..60efa7a3a1 100644
--- a/ReleaseNotes/ReleaseNotes-2.5.3.txt
+++ b/ReleaseNotes/ReleaseNotes-2.5.3.txt
@@ -5,9 +5,9 @@ Gerrit 2.5.3 is now available:
 link:http://code.google.com/p/gerrit/downloads/detail?name=gerrit-2.5.3.war[http://code.google.com/p/gerrit/downloads/detail?name=gerrit-2.5.3.war]
-There are no schema changes from any member of the 2.5.x versions.
+There are no schema changes from any of the 2.5.x versions.
-However, if upgrading from anything earlier version, follow the upgrade
+However, if upgrading from a version older than 2.5, follow the upgrade
 procedure in the 2.5 link:ReleaseNotes-2.5.html[Release Notes].
 Security Fixes
diff --git a/ReleaseNotes/ReleaseNotes-2.5.4.txt b/ReleaseNotes/ReleaseNotes-2.5.4.txt
new file mode 100644
index 0000000000..1657d9b4fc
--- /dev/null
+++ b/ReleaseNotes/ReleaseNotes-2.5.4.txt
@@ -0,0 +1,22 @@
+Release notes for Gerrit 2.5.4
+==============================
+
+Gerrit 2.5.4 is now available:
+
+link:http://code.google.com/p/gerrit/downloads/detail?name=gerrit-2.5.4.war[http://code.google.com/p/gerrit/downloads/detail?name=gerrit-2.5.4.war]
+
+There are no schema changes from any of the 2.5.x versions.
+
+However, if upgrading from a version older than 2.5, follow the upgrade
+procedure in the 2.5 link:ReleaseNotes-2.5.html[Release Notes].
+
+Bug Fixes
+---------
+* Require preferred email to be verified
++
+Some users were able to select a preferred email address that was
+not previously verified. This may have allowed the server to send
+notifications to an invalid destination, resulting in higher than
+usual bounce rates.
+
+No other changes since 2.5.3.
diff --git a/ReleaseNotes/index.txt b/ReleaseNotes/index.txt
index 54791012e5..98cc3ac51d 100644
--- a/ReleaseNotes/index.txt
+++ b/ReleaseNotes/index.txt
@@ -9,6 +9,7 @@ Version 2.6.x
 [[2_5]]
 Version 2.5.x
 -------------
+* link:ReleaseNotes-2.5.4.html[2.5.4]
 * link:ReleaseNotes-2.5.3.html[2.5.3]
 * link:ReleaseNotes-2.5.2.html[2.5.2]
 * link:ReleaseNotes-2.5.1.html[2.5.1]
diff --git a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/account/AccountSecurityImpl.java b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/account/AccountSecurityImpl.java
index 11846d3e44..6d183b8201 100644
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/account/AccountSecurityImpl.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/account/AccountSecurityImpl.java
@@ -14,6 +14,7 @@
 package com.google.gerrit.httpd.rpc.account;
+import com.google.common.base.Strings;
 import com.google.gerrit.common.ChangeHooks;
 import com.google.gerrit.common.data.AccountSecurity;
 import com.google.gerrit.common.data.ContributorAgreement;
@@ -217,12 +218,17 @@ class AccountSecurityImpl extends BaseServiceImplementation implements
 final ContactInformation info, final AsyncCallback<Account> callback) {
 run(callback, new Action<Account>() {
 public Account run(ReviewDb db) throws OrmException, Failure {
- final Account me = db.accounts().get(user.get().getAccountId());
+ IdentifiedUser self = user.get();
+ final Account me = db.accounts().get(self.getAccountId());
 final String oldEmail = me.getPreferredEmail();
 if (realm.allowsEdit(Account.FieldName.FULL_NAME)) {
- me.setFullName(name != null && !name.isEmpty() ? name : null);
+ me.setFullName(Strings.emptyToNull(name));
 }
- me.setPreferredEmail(emailAddr);
+ if (!Strings.isNullOrEmpty(emailAddr)
+ && !self.getEmailAddresses().contains(emailAddr)) {
+ throw new Failure(new PermissionDeniedException("Email address must be verified"));
+ }
+ me.setPreferredEmail(Strings.emptyToNull(emailAddr));
 if (useContactInfo) {
 if (ContactInformation.hasAddress(info)
 || (me.isContactFiled() && ContactInformation.hasData(info))) { |
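Review bot: The verified-address check in `run(ReviewDb db)` comes after `me.setFullName(...)`, so a request that is rejected may already have changed the loaded `Account` before `Failure` is thrown; moving the `if (!Strings.isNullOrEmpty(emailAddr) && !self.getEmailAddresses().contains(emailAddr))` block to directly after `IdentifiedUser self = user.get();` would validate the input before anything is mutated. The rule is enforced only in this handler, so any other code path that calls `setPreferredEmail` (none is visible here) needs the same test; a comment such as `// Preferred email must be one of the caller's verified addresses; empty clears it.` would record the intent. Assuming `getEmailAddresses()` returns a collection of strings, `contains` is an exact match, so an address that differs only in letter case from a verified one is refused, which fails closed but may surprise users. Accounts that saved an unverified preferred email before this change are presumably left as they are, so an audit of existing accounts is worth considering. The enclosing method starts before the hunk and `run` continues past its end.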