All Versions
31
Latest Version
Avg Release Cycle
25 days
Latest Release
42 days ago

Changelog History
Page 1

  • v0.30.5

    December 06, 2020

    ๐Ÿš€ Security Release

    ๐Ÿš€ Phishing and and server-side request forgery vulnerabilities have been found within BookStack. Release v0.30.5 will remove this server-side request forgery issue while bringing updated wording and advisories to prevent the potential phishing vulnerability. You should ensure you've set the APP_URL option in your .env file to prevent likelihood of the phishing attack. Please view the above report or blogpost links for more detail.

  • v0.30.4

    October 31, 2020

    ๐Ÿš€ Security Release

    ๐Ÿš€ This release addresses XSS and user-injected auto-redirect vulnerabilities within the page content & attachment components of BookStack. These are primarily a concern if untrusted users can edit content on your BookStack instance. Please view the above report or blogpost links for more detail.

  • v0.30.3

    October 13, 2020

    Full List of Changes

    ๐Ÿš€ This release contains the following fixes and changes:

    • โž• Added VBScript syntax highlighting to the code block editor. Thanks to @nutsflag. (#2302, #2255)
    • ๐Ÿ›  Fixed issue where drawings would not save in the Markdown editor. (#2313, #2321)
    • โšก๏ธ Updated some Spanish and Chinese translations. (#2303)

  • v0.30.2

    September 30, 2020

    Full List of Changes

    ๐Ÿš€ This release contains the following fixes and changes:

    • โšก๏ธ Updated JavaScript build system to provide slightly better browser compatibility.
    • โšก๏ธ Updated page-content save parsing to update anchor references on IDs changed by BookStack. (#2278)
    • ๐Ÿ›  Fixed issue where creating a link attachment after mulitple validation failures would result in many duplicate links being created. (#2286)
    • โšก๏ธ Updated drawing integration to, by default, use diagrams.net instead of draw.io. (#2285, #2044)
    • โšก๏ธ Updated default .htaccess to align with laravel's and allow canonical redirects on non-root url app instances. Thanks to @jakubboucek. (#2272)

  • v0.30.1

    September 26, 2020

    Full List of Changes

    ๐Ÿš€ This release contains the following fixes and changes:

    • โšก๏ธ Updated translations. (#2262)
    • โšก๏ธ Updated settings header bar to adapt better for longer-text languages. (#2265)
    • ๐Ÿ’… Updated callout link formatting to use callout text style rather than theme color. Thanks to @alexmannuk. (#2233, #303)
    • โšก๏ธ Updated Book export content so that page includes are parsed. Thanks to @mr-vinn. (#2227, #2228)
    • ๐Ÿ›  Fixed issue where the markdown editor preview pane would be empty. (#2280)
    • ๐Ÿ›  Fixed incorrect spelling of "Ubuntu Mono" font definition. Thanks to @abulgatz. (#2274)
    • ๐Ÿ›  Fixed incorrect AddActivityIndexes migration 'down' action. Thanks to @gertjankrol. (#2268)
    • ๐Ÿ›  Fixed unexpected scroll bars on code blocks. (#2267)
    • ๐Ÿ›  Fixed issue where notification would not shown upon SAML login where there's an existing non-matching user. (#2263)

  • v0.30.0

    September 20, 2020

    โšก๏ธ Update Notices

    ๐Ÿ”’ Security Notice - Possible Privilege Escalation

    Thanks to @Defelo
    it was advised that current privilege escalation situations are not made clear when applying role permissions.
    Any user with a "Manage app settings", "Manage users" or "Manage roles & role permissions" system permission
    assigned to one of their roles could technically alter their own permissions to gain wider access.
    ๐Ÿ’ป A clear advisory of these cases has been added in the UI in v0.30
    but admins are advised to review which users have these permissions with the above in mind.

    LDAP & SAML Group Matching - Potential Change

    Thanks to @nem1989 it was found that
    BookStack roles would be matched to LDAP/SAML groups based upon the role display name, which is expected,
    but only those roles with a matching "name" value would be considered for this matching. This "name" field was redundant,
    ๐Ÿšš and has now been removed, but it would store a cleaned version the first-set name of the role.
    ๐Ÿ”€ All roles will now be considered before being matched on name which may mean that roles which did not sync before,
    ๐Ÿ”€ that would have been expected to based on their name, may now start to sync.

    Full List of Changes

    • โž• Added API endpoints for chapters.
    • โž• Added audit log to the settings area. (#2173, #1167)
    • โž• Added the ability to insert an attachment link directly into the current editor window. (#1460)
    • โž• Added session-based code-block editor auto-save to prevent potential loss of content. (#1398)
    • โž• Added warning wording around role system permissions to indicate what permissions could allow privilege escalation. (#2105)
    • โž• Added the ability to log login failures to a file. Thanks to @benrubson. (#1881, #728)
    • โšก๏ธ Updated Simplified Chinese translations. Thanks to @Honvid. (#2157)
    • ๐ŸŽ Updated WYSIWYG editor css to put editor in it's own layer to improve degraded dark mode performance. (#2154)
    • โšก๏ธ Updated Czech translations. Thanks to @jakubboucek. (#2238)
    • โšก๏ธ Updated permission system so that the permission map table does not contain ID's since database limits could be met in scenarios where permissions were automatically refreshed on a frequent basis. (#2091)
    • โšก๏ธ Updated to role table in the database to remove a redundant name field which fixes issue where changing a role name would not change the name used to match with LDAP groups. (#2032)
    • โšก๏ธ Updated URL slug generation to achieve a much cleaner result when non-ascii characters are used. Thanks to @drzippie. (#2165, #2026, #1765)
    • โšก๏ธ Updated error reporting so that not-found errors are not written to the log, causing logs to fill much quicker than expected. (#2110)
    • ๐Ÿ’… Updated dark mode styles to remove filters applied to images so that they display as expected. (#2045)
    • โœ‚ Removed Vue.js from project & started standardisation of custom basic component system. (#2202)
    • Replaced dev usage of node-sass with dart-sass. Thanks to @timoschwarzer. (#2166)
    • ๐Ÿ›  Fixed issue where, upon role delete, users would not be migrated when specified to during role delete flow. (#2211)
    • ๐Ÿ›  Fixed issue where the system would error on upload of images that contain a hash in the name. (#2161)
    • ๐Ÿ›  Fixed scenario where page drafts would show as saved where request would actually fail, leading to loss of data. Added a browser-side storage mechanism for emergency use. (#2150)
    • ๐Ÿ›  Fixed issue where LDAP groups would not sync on initial login due to the email confirmation system taking over before the group sync would run. (#2082)
    • ๐Ÿ›  Fixed issue where the redirect upon login could lead to an external site. (#2073)
    • ๐Ÿ›  Fixed low visibility of horizontal lines when dark mode is in use. (#2209)
    • ๐Ÿ›  Fixed issue where HTML entities would be seen in page preview content. Thanks to @mr-vinn. (#2257, #2114)
    • ๐Ÿ›  Fixed issue where previous page content would be indexed upon save instead of the fresh content. (#2042)
    • ๐Ÿ›  Fixed issue where an error would be thrown on SAML logout request from the IdP. (#2002)
    • ๐Ÿ›  Fixed bad pagination styling which would result in invisible numbering. (#1839)
    • ๐Ÿ›  Fixed incorrect and misleading behaviour when saving a comment with no content. (#1836)

  • v0.29.3

    May 12, 2020

    ๐Ÿš€ Security Release

    ๐Ÿš€ This release addresses issue #2111 where the name of a restricted book could be viewed by non-authorised users when the book was on a shelf, and the shelves were viewed in "List View". This could expose book names to those that did not have permission to see them, when part of a shelf.

  • v0.29.2

    May 02, 2020

    ๐Ÿš€ Security Release

    ๐Ÿš€ This release addresses vulnerabilities in the comment system. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to others users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore ran on other user machines.

    This most impacts scenarios where not-trusted users are given permission to create comments.

    โฌ†๏ธ After upgrading, The command php artisan bookstack:regenerate-comment-content should be ran to remove any pre-existing dangerous content.

  • v0.29.1

    April 28, 2020

    Full List of Changes

    ๐Ÿš€ This release contains the following fixes and changes:

    • โž• Added multi-item select to the book-sort interface. (#2067)
    • โšก๏ธ Updated authentication system to prevent admins being logged out when changing authentication type, useful when setting up LDAP or SAML. (#2031)
    • โšก๏ธ Updated editor focus so that the title is ready-selected if the default, otherwise the editor is focused. (#2036)
    • โšก๏ธ Updated translations for Dutch, Korean, French, Turkish, Spanish. Thanks to Crowdin Users. (#2028, #2071)
    • ๐Ÿ›  Fixed issue where callout styles could not be cycled through via shortcut when in-callout formatting was selected in the editor. (#2061)
    • ๐Ÿ›  Fixed issue where the selection area was not visible in code blocks or the markdown editor when using dark mode. (#2060)
    • ๐Ÿ›  Fixed issue where callouts and code blocks would overlap floated images. (#2055)
    • ๐Ÿ›  Fixed issue where no notification would show on an LDAP Login when email already exists. (#2048)
    • ๐Ÿ›  Fixed API issue where "total" on a listing response would be incorrect when an offset was given. (#2043)

  • v0.29.0

    April 13, 2020

    Full List of Changes

    • โž• Added a user-selectable dark-mode option. (#2022, #1234)
    • โž• Added the ability to define a custom draw.io URL and therefore use a custom instance if preferred. (#826)
    • โž• Added grid-view support, with toggle, to the shelf view. Thanks to @philjak. (#1755, #1221)
    • โž• Added a list of bookshelves that a book belongs when viewing a book. Thanks to @cw1998. (#1688, #1598)
    • โž• Added a new command to update your BookStack URL in the database. (#1225)
    • โž• Added shelf API endpoints. Thanks to @osmansorkar. (#1908)
    • โž• Added book-export API endpoints.
    • โšก๏ธ Updated password reset flows to avoid indicating if a email is in use within the system. (#2016)
    • โšก๏ธ Updated WYSIWYG entity-link-insert to set link text to entity name, if input is empty. (#2014)
    • ๐Ÿ’… Updated styles with better RTL support through the use of CSS logical properties/values. (#2003)
    • โšก๏ธ Updated the name of saved drawings to not include the user's name, to prevent issues with non-standard characters. (#1993)
    • โœ‚ Removed BMP and TIFF from the list of allows image upload types since these could not be resized properly. (#1990)
    • โšก๏ธ Updated code-block insert to handle focus, so code blocks can be inserted smoothly via keyboard alone. (#1972)
    • โšก๏ธ Updated namespacing used in tests to avoid warnings on recent versions of composer. (#1924)
    • โšก๏ธ Updated Chinese translations. Thanks to @jzoy. (#2023)
    • โšก๏ธ Updated translations for Turkish, Slovenian, Swedish, Spanish, Italian, Russian, German Informal, German, French, Chinese Simplified, Portuguese, Brazilian & Hungarian. Thanks to Crowdin Users.
    • โšก๏ธ Updated default .htaccess to allow Authorization header for API usage. Thanks to @osmansorkar. (#1908)
    • โšก๏ธ Updated GitHub authorization library to avoid use of deprecated auth methods. (#1879)
    • ๐Ÿ›  Fixed issue where ordered list numbers could be cut-off. This was most apparent on Safari.(#1978)