- as discovered and reported by Egidio Romano of Minded Security
- Lacking checks of HTTP methods in some functionality could lead to a site admin uploading and executing malicious scripts
- Tightened HTTP method verification across the board for actions that modify data
- Turned some administrative tasks to POST only actions
- as discovered and reported by Egidio Romano of Minded Security
- The site admin file upload tool allowed for unrestricted file upload that could lead to RCE
- Fixed the file uploader to be much more restrictive
- removed the interactive terms file upload
- also added comment field for attributes
- until now multi line fields were both escaped and the line breaks removed
- this was overkill, linebreaks are now kept intact
- Added logging of failed login attempts
- Added (optional) logging of successful authentications
- admin setting that has to be enabled
- will log all API calls (both HTTP method and target url)
- optional logging of user IP address for all logs
- each log entry created while this setting is enabled will log the IP address of the client
- disabling it also hides the IPs from the interface
- added new IP field for the log search (only if enabled)
- APIs for the following actions:
- Add new proposed attribute to an event
- Add proposed change to an attribute
- View a proposal
- Accept a proposal
- Discard a proposal
- new APIs described on the automation page
- vulnerability reported by Airbus Group CERT
- Deprecated ajax attribute view had inverse access control logic
- removed ajax path
- added XML/JSON view
- Fixed a critical bug in the XML export
- As of recently XML exports include relations as they were missing before
- the sanitisation of the event info field in related attributes was incorrectly sanitized of unicode characters
- this can lead to the XML export breaking and also for affected events to be blocked from synchronisation
- Proposal fixes
- fixed an invalid uuid generation that lead to an exception
- fixed the attachments for proposals still using the old attachment system that disallows most filenames
- added the automatic creation of hashes for attachment proposals
- As RichieB2B noted, get_current_user() gets the owner of the script in CentOS / RHEL not the user executing the script (as in Ubuntu)
- Current solution uses posix_getpwuid and posix_geteuid if the php-posix package is installed
- if not, it uses whoami
- for some users the workers appeared to be dead even though the worker processes were functional and started by the correct user
- this was due to access to /proc being blocked by open_basedir directive settings
- added a check and the corresponding view changes to this being the case
- Under these distros, php is blocked from seeing concurrently running php processes even under the same user
- instead of running ps, the diagnostic now checks the existance of the pid file in /proc/
- datepicker seems to bug out as of recently
- misplaced popup that overlaps with the top bar
- fixed by updating to a newer version of datepicker
- added a new view that generates a markdown version of the categories and types view, for easier gitbook generation
- diagnostic tool would throw exceptions because the db session tables are still missing in some older instances
- if a different session handler is used, the test is skipped
- REST delete of events lacked an API specific response
- simply redirected to the index
- it now returns eitehr "Event deleted" or "Event was not deleted" depending on the outcome
iglocska