Changelog History
v0.30.5 Changes
December 06, 2020
🚀 Security Release
- ⚡️ Update Instructions
- 🔒 Vulnerability Report: Server Side Request Forgery Through Content Exports
- 🚀 Update details on blog
🚀 Phishing and server-side request forgery vulnerabilities have been found within BookStack. Release v0.30.5 will remove this server-side request forgery issue while bringing updated wording and advisories to prevent the potential phishing vulnerability. You should ensure you've set the APP_URL option in your .env file to reduce the likelihood of the phishing attack. Please view the above report or blogpost links for more detail.
v0.30.4 Changes
October 31, 2020
🚀 Security Release
- ⚡️ Update Instructions
- Vulnerability Reports:
- 🚀 Update details on blog
🚀 This release addresses XSS and user-injected auto-redirect vulnerabilities within the page content & attachment components of BookStack. These are primarily a concern if untrusted users can edit content on your BookStack instance. Please view the above report or blogpost links for more detail.
v0.30.3 Changes
October 13, 2020
🔗 Links
Full List of Changes
🚀 This release contains the following fixes and changes:
v0.30.2 Changes
September 30, 2020
🔗 Links
Full List of Changes
🚀 This release contains the following fixes and changes:
- ⚡️ Updated JavaScript build system to provide slightly better browser compatibility.
- ⚡️ Updated page-content save parsing to update anchor references on IDs changed by BookStack. (#2278)
- 🛠 Fixed issue where creating a link attachment after multiple validation failures would result in many duplicate links being created. (#2286)
- ⚡️ Updated drawing integration to, by default, use diagrams.net instead of draw.io. (#2285, #2044)
- ⚡️ Updated default .htaccess to align with Laravel's and allow canonical redirects on non-root URL app instances. Thanks to @jakubboucek. (#2272)
v0.30.1 Changes
September 26, 2020
🔗 Links
Full List of Changes
🚀 This release contains the following fixes and changes:
- ⚡️ Updated translations. (#2262)
- ⚡️ Updated settings header bar to adapt better for longer-text languages. (#2265)
- 💅 Updated callout link formatting to use callout text style rather than theme color. Thanks to @alexmannuk. (#2233, #303)
- ⚡️ Updated Book export content so that page includes are parsed. Thanks to @mr-vinn. (#2227, #2228)
- 🛠 Fixed issue where the markdown editor preview pane would be empty. (#2280)
- 🛠 Fixed incorrect spelling of "Ubuntu Mono" font definition. Thanks to @abulgatz. (#2274)
- 🛠 Fixed incorrect AddActivityIndexes migration 'down' action. Thanks to @gertjankrol. (#2268)
- 🛠 Fixed unexpected scroll bars on code blocks. (#2267)
- 🛠 Fixed issue where a notification would not be shown upon SAML login where there's an existing non-matching user. (#2263)
v0.30.0 Changes
September 20, 2020
🔗 Links
⚡️ Update Notices
🔒 Security Notice - Possible Privilege Escalation
Thanks to @Defelo it was advised that current privilege escalation situations are not made clear when applying role permissions. Any user with a "Manage app settings", "Manage users" or "Manage roles & role permissions" system permission assigned to one of their roles could technically alter their own permissions to gain wider access. A clear advisory of these cases has been added in the UI in v0.30, but admins are advised to review which users have these permissions with the above in mind.
LDAP & SAML Group Matching - Potential Change
Thanks to @nem1989 it was found that BookStack roles would be matched to LDAP/SAML groups based upon the role display name, which is expected, but only those roles with a matching "name" value would be considered for this matching. This "name" field was redundant, and has now been removed, but it would store a cleaned version of the first-set name of the role. All roles will now be considered before being matched on name, which may mean that roles which did not sync before, but would have been expected to based on their name, may now start to sync.
Full List of Changes
- ➕ Added API endpoints for chapters.
- ➕ Added audit log to the settings area. (#2173, #1167)
- ➕ Added the ability to insert an attachment link directly into the current editor window. (#1460)
- ➕ Added session-based code-block editor auto-save to prevent potential loss of content. (#1398)
- ➕ Added warning wording around role system permissions to indicate what permissions could allow privilege escalation. (#2105)
- ➕ Added the ability to log login failures to a file. Thanks to @benrubson. (#1881, #728)
- ⚡️ Updated Simplified Chinese translations. Thanks to @Honvid. (#2157)
- 🐎 Updated WYSIWYG editor CSS to put the editor in its own layer to improve degraded dark mode performance. (#2154)
- ⚡️ Updated Czech translations. Thanks to @jakubboucek. (#2238)
- ⚡️ Updated permission system so that the permission map table does not contain IDs, since database limits could be met in scenarios where permissions were automatically refreshed on a frequent basis. (#2091)
- ⚡️ Updated the role table in the database to remove a redundant name field, which fixes an issue where changing a role name would not change the name used to match with LDAP groups. (#2032)
- ⚡️ Updated URL slug generation to achieve a much cleaner result when non-ASCII characters are used. Thanks to @drzippie. (#2165, #2026, #1765)
- ⚡️ Updated error reporting so that not-found errors are not written to the log, causing logs to fill much quicker than expected. (#2110)
- 💅 Updated dark mode styles to remove filters applied to images so that they display as expected. (#2045)
- ✂ Removed Vue.js from project & started standardisation of custom basic component system. (#2202)
- Replaced dev usage of node-sass with dart-sass. Thanks to @timoschwarzer. (#2166)
- 🛠 Fixed issue where, upon role delete, users would not be migrated to another role even when this was specified during the role delete flow. (#2211)
- 🛠 Fixed issue where the system would error on upload of images that contain a hash in the name. (#2161)
- 🛠 Fixed scenario where page drafts would show as saved when the request had actually failed, leading to loss of data. Added a browser-side storage mechanism for emergency use. (#2150)
- 🛠 Fixed issue where LDAP groups would not sync on initial login due to the email confirmation system taking over before the group sync would run. (#2082)
- 🛠 Fixed issue where the redirect upon login could lead to an external site. (#2073)
- 🛠 Fixed low visibility of horizontal lines when dark mode is in use. (#2209)
- 🛠 Fixed issue where HTML entities would be seen in page preview content. Thanks to @mr-vinn. (#2257, #2114)
- 🛠 Fixed issue where previous page content would be indexed upon save instead of the fresh content. (#2042)
- 🛠 Fixed issue where an error would be thrown on SAML logout request from the IdP. (#2002)
- 🛠 Fixed bad pagination styling which would result in invisible numbering. (#1839)
- 🛠 Fixed incorrect and misleading behaviour when saving a comment with no content. (#1836)
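Two items above concern where a BookStack instance gets its own URL from: the v0.30.5 advice to set APP_URL in .env so generated links come from configuration rather than from the request, and the v0.30.0 fix (#2073) for a post-login redirect that could lead to an external site. The following is an added example, not BookStack's own code, of the same-origin check such a redirect handler needs; the function names, the example hosts and the optional install-path rule are assumptions.

```python
"""Same-origin check for post-login redirect targets (added example).

The application URL comes from configuration (BookStack's APP_URL), never
from the request's Host header. A redirect target is accepted only if it
resolves to that origin, which rejects other hosts, scheme-relative
"//host" links, backslash variants browsers normalise to "//", and
non-http schemes such as "javascript:".
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for an http(s) URL, or None if unusable."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme])


def is_safe_redirect(target, app_url):
    """True if `target` resolves to a location under the configured app_url."""
    if not target or any(ord(c) < 0x20 for c in target):
        return False
    # Browsers treat "\" like "/" in URLs, so "/\evil" behaves as "//evil".
    target = target.replace("\\", "/")
    base = app_url if app_url.endswith("/") else app_url + "/"
    base_origin = _origin(base)
    if base_origin is None:
        return False
    resolved = urljoin(base, target)  # relative paths stay on our origin
    if _origin(resolved) != base_origin:
        return False
    # Assumed extra rule: keep redirects inside the install path, so a
    # non-root install at https://example.com/wiki does not redirect to /.
    base_path = urlsplit(base).path
    path = urlsplit(resolved).path or "/"
    return path == base_path.rstrip("/") or path.startswith(base_path)


def redirect_target(target, app_url, fallback="/"):
    """Return `target` if it passes the check, otherwise the fallback."""
    return target if is_safe_redirect(target, app_url) else fallback
```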
v0.29.3 Changes
May 12, 2020
🚀 Security Release
🚀 This release addresses issue #2111 where the name of a restricted book could be viewed by non-authorised users when the book was on a shelf, and the shelves were viewed in "List View". This could expose book names to those that did not have permission to see them, when part of a shelf.
v0.29.2 Changes
May 02, 2020
🚀 Security Release
🚀 This release addresses vulnerabilities in the comment system. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to other users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore run on other users' machines.
This most impacts scenarios where untrusted users are given permission to create comments.
⬆️ After upgrading, the command
php artisan bookstack:regenerate-comment-content
should be run to remove any pre-existing dangerous content.
v0.29.1 Changes
April 28, 2020
🔗 Links
Full List of Changes
🚀 This release contains the following fixes and changes:
- ➕ Added multi-item select to the book-sort interface. (#2067)
- ⚡️ Updated authentication system to prevent admins being logged out when changing authentication type, useful when setting up LDAP or SAML. (#2031)
- ⚡️ Updated editor focus so that the title is pre-selected if it is still the default, otherwise the editor is focused. (#2036)
- ⚡️ Updated translations for Dutch, Korean, French, Turkish, Spanish. Thanks to Crowdin Users. (#2028, #2071)
- 🛠 Fixed issue where callout styles could not be cycled through via shortcut when in-callout formatting was selected in the editor. (#2061)
- 🛠 Fixed issue where the selection area was not visible in code blocks or the markdown editor when using dark mode. (#2060)
- 🛠 Fixed issue where callouts and code blocks would overlap floated images. (#2055)
- 🛠 Fixed issue where no notification would show on an LDAP Login when email already exists. (#2048)
- 🛠 Fixed API issue where "total" on a listing response would be incorrect when an offset was given. (#2043)
v0.29.0 Changes
April 13, 2020
🔗 Links
Full List of Changes
- ➕ Added a user-selectable dark-mode option. (#2022, #1234)
- ➕ Added the ability to define a custom draw.io URL and therefore use a custom instance if preferred. (#826)
- ➕ Added grid-view support, with toggle, to the shelf view. Thanks to @philjak. (#1755, #1221)
- ➕ Added a list of the bookshelves that a book belongs to when viewing a book. Thanks to @cw1998. (#1688, #1598)
- ➕ Added a new command to update your BookStack URL in the database. (#1225)
- ➕ Added shelf API endpoints. Thanks to @osmansorkar. (#1908)
- ➕ Added book-export API endpoints.
- ⚡️ Updated password reset flows to avoid indicating whether an email is in use within the system. (#2016)
- ⚡️ Updated WYSIWYG entity-link-insert to set link text to entity name, if input is empty. (#2014)
- 💅 Updated styles with better RTL support through the use of CSS logical properties/values. (#2003)
- ⚡️ Updated the name of saved drawings to not include the user's name, to prevent issues with non-standard characters. (#1993)
- ✂ Removed BMP and TIFF from the list of allowed image upload types since these could not be resized properly. (#1990)
- ⚡️ Updated code-block insert to handle focus, so code blocks can be inserted smoothly via keyboard alone. (#1972)
- ⚡️ Updated namespacing used in tests to avoid warnings on recent versions of composer. (#1924)
- ⚡️ Updated Chinese translations. Thanks to @jzoy. (#2023)
- ⚡️ Updated translations for Turkish, Slovenian, Swedish, Spanish, Italian, Russian, German Informal, German, French, Chinese Simplified, Portuguese, Brazilian & Hungarian. Thanks to Crowdin Users.
- ⚡️ Updated default .htaccess to allow Authorization header for API usage. Thanks to @osmansorkar. (#1908)
- ⚡️ Updated GitHub authorization library to avoid use of deprecated auth methods. (#1879)
- 🛠 Fixed issue where ordered list numbers could be cut off. This was most apparent on Safari. (#1978)