CryptPad v4.7.0 Release Notes

  • Goals

Our main goal for this release was to prepare a BETA version of our new Forms app; however, it also includes a number of nice bug fixes and minor features.

Update notes

As this release includes a new app you'll want to compare your current NGINX config against our example (cryptpad/docs/example.nginx.conf) and update yours to match the updated sections which rewrite URLs to include trailing slashes. We've also introduced a number of new variables to our color scheme which might conflict with customizations you've made to your stylesheets. As always, it's recommended that you test your customizations on an updated non-production instance before deploying.

We've been steadily adding new tests to our recently developed checkup page each time we observe particular types of instance misconfigurations in the wild. Unfortunately, it seems the admins that have the most trouble with instance configuration are those that haven't read the numerous mentions of this page throughout the last few release notes. For that reason we've made it so the server prints a link to this page at launch time if it detects that some important value is left unconfigured.
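As an added illustration of such a launch-time check (this is not CryptPad's own startup code), the Node.js snippet below inspects a config object and returns a notice pointing at the instance's checkup page when something important is unset. The key names httpUnsafeOrigin, httpSafeOrigin, adminKeys and adminEmail follow CryptPad's config.example.js, the /checkup/ path is the checkup page mentioned above, and the helper names, the localhost fallback origin and the choice of which values count as "important" are assumptions made for this example.

```javascript
// Added example: a launch-time sanity check over an instance config.
// Not CryptPad's code; key names follow config.example.js, the set of
// "important" values and the helper names are assumptions for the example.

const IMPORTANT = [
  { key: 'httpUnsafeOrigin', why: 'public origin of the instance; links and headers depend on it' },
  { key: 'httpSafeOrigin',   why: 'sandbox origin; without it the safe/unsafe domain split is inactive' },
  { key: 'adminKeys',        why: 'no admin public keys means nobody can reach the admin panel' },
  { key: 'adminEmail',       why: 'contact address shown to users of the instance' },
];

// A value counts as unconfigured when it is absent, blank, or an empty list.
function isUnset(value) {
  if (value === undefined || value === null) return true;
  if (typeof value === 'string') return value.trim() === '';
  if (Array.isArray(value)) return value.length === 0;
  return false;
}

// Names of the important keys that are still unconfigured, in declaration order.
function unconfiguredValues(config) {
  return IMPORTANT.filter(({ key }) => isUnset(config[key])).map(({ key }) => key);
}

// Build the checkup URL from the configured origin; fall back to the
// assumed development default when no origin has been set yet.
function checkupUrl(config) {
  const origin = isUnset(config.httpUnsafeOrigin) ? 'http://localhost:3000' : config.httpUnsafeOrigin;
  return origin.replace(/\/+$/, '') + '/checkup/';
}

// The notice a server could print at launch, or null when nothing is missing.
function launchNotice(config) {
  const missing = unconfiguredValues(config);
  if (missing.length === 0) return null;
  const details = IMPORTANT
    .filter(({ key }) => missing.includes(key))
    .map(({ key, why }) => `  - ${key}: ${why}`);
  return [
    'Some important configuration values are not set:',
    ...details,
    `Review the diagnostics at ${checkupUrl(config)} before exposing this instance to users.`,
  ].join('\n');
}

// Constructed sample config: an origin is set but the rest was never filled in.
const sampleConfig = { httpUnsafeOrigin: 'https://pad.example.org/', adminKeys: [] };
console.log(launchNotice(sampleConfig) || 'configuration looks complete');
```

The check is deliberately conservative: an empty adminKeys array is treated the same as a missing one, because an empty list is the value the example config ships with and is the case most often seen on misconfigured instances.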

On the topic of instance configuration, admins that have enabled their instance's admin panel may notice that it contains a new "Network" tab. On this pane you may find a button that links to the instance's checkup page to make it even easier to identify configuration problems. You should also notice options for configuring a number of values, some of which could previously only be set by modifying the server's configuration file and restarting.

    • One checkbox allows you to opt out of the server telemetry which tells our server that your server exists. This is mostly so that we have a rough idea of how many admins are running CryptPad and what version they have installed. It was clearly documented in the config file, but now it's even easier to opt out if you don't want us to know you exist. In the interest of transparency, everything that is sent to our server as a part of this telemetry is also printed to your application server's logs, so you can always check what information has been shared.
    • Another setting opts in to listing your server in public directories. At present there is no public directory of CryptPad instances that are suitable for public use, but we plan to launch one in the coming months. For now this checkbox will serve to inform us how many instance admins are interested in offering their server to the public. This setting will have no effect if you've disabled telemetry, as that is how your server informs ours of your preferences. We reserve the right to exclude instances from our listing for any reason.
    • A third option allows admins to consent to be contacted by email. We aren't interested in spamming anyone with marketing email; rather, it's so that we can inform administrators of vulnerabilities in the software before they are publicly disclosed. Leave this unchecked if you prefer to be surprised by security flaws.
    • Crowdfunding notices in the UI can be disabled via a simple checkbox.
    • Starting with our next release (4.8.0), anyone running 4.7.0 should also notice that a button appears on this pane informing them that an update is available. We regularly fix security flaws and improve general safeguards against them, so if you aren't up to date you might be putting your users' data at risk.

To update from 4.6.0 to 4.7.0:

    1. Apply the documented NGINX configuration
    2. Stop your server
    3. Get the latest code with git
    4. Install the latest dependencies with bower update and npm i
    5. Restart your server

    Please note that the new Forms app depends on an update to our cryptography library. If you omit bower update from the upgrade sequence above, the app will not work.

Features

    • This release introduces our new Forms app. This app allows users to create complex forms and to collect answers. Three roles are available with granular permissions:

      • Authors can collaboratively create surveys with different types of questions and generate links to share with participants.
      • Participants can respond to forms and view responses if these are made public (this can be set by authors).
      • Auditors can view responses, but cannot necessarily add their own answers unless they have the correct participant key.

    This new app addresses many of the shortcomings of our current Polls and vastly expands the feature set. Polls are effectively one of the many question types now available in Forms. For this reason we are deprecating the Polls app. It will remain available to view and respond to existing polls, but we discourage the creation of new polls and all future improvements will be focused on Forms.

    • In response to a GitHub issue we've added an option to the toolbar's File menu to add the current pad to your drive regardless of whether it is already stored in one of your teams' drives.
    • Likewise, we received some reports that some users found it frustrating that the home page automatically redirected them to their drive when they were logged in. We've disabled this behaviour by default but added an option in the settings page through which you may re-enable the old behaviour. This can be found at the top of the "CryptDrive" pane.
    • Embedded markdown editors' toolbars (such as that in the kanban and form apps) now include an "embed file" option.
    • We've revised some text on the checkup page to better explain what some headers do and how to correct them.
    • Some error messages printed by the server under rare conditions now include a little more debugging information.
    • We've improved some of the UI of the "report" page (which diagnoses possible reasons why your drive, shared folders, or teams might be failing to load) so that users can now copy the output of the report directly to their clipboard instead of having to select that page's text and use their OS's copy-to-clipboard functionality.

Bug fixes

    • The home page now displays the appropriate text ("Features" or "Pricing") for the features page depending on whether the instance in question supports subscriptions. We had made some changes to this before but missed an instance where the text was displayed.
    • The admin page will now display the "General" pane if for some reason the hash in its URL does not contain a supported value.
    • We found that there were two cases where localForage (a library that manages an in-browser cache) could throw a DOMException error because we didn't supply a handler. This caused the calendar app's UI to incorrectly treat a newly created event as though it had not been saved.
    • A user brought it to our attention that the share menu was returning incorrect URLs for password-protected files. This has now been fixed.
    • The code that is responsible for preserving your cursor position when using the code editor collaboratively was capable of interfering with active scrolling when other users' edits were applied. This is now handled more gracefully. Another fix addresses an issue that prevented the markdown preview pane from being resized under certain conditions.
    • Finally, as a part of a routine security scan funded by NLnet and executed by Radically Open Security, it was discovered that an unsanitized account name was displayed in the user's own toolbar. As a consequence, users could trigger a cross-site scripting vulnerability on themselves by entering <script>alert("pew")</script> as their username at registration time. On a correctly configured instance this was blocked everywhere except in the sheet editor due to its more lax Content-Security Policy. This unsanitized value was never displayed for remote accounts, so the impact is extremely limited. Even so, we recommend that you update.
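As an added example (not CryptPad's code), the Node.js snippet below contrasts the defect class described in the last item with its fix, and adds a small check of the Content-Security-Policy fallback rules that determined where the quoted payload could actually run. The function names, the toolbar markup and the sample policies are assumptions made for this example; only the payload string comes from the release notes.

```javascript
// Added example: rendering an untrusted display name, unsafe vs. hardened,
// plus a CSP check. Not CryptPad's code; names and markup are assumptions.

// Minimal HTML escaping suitable for text nodes and double-quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[ch]));
}

// The defect class in the release notes: the name chosen at registration time
// is concatenated into markup verbatim, so it becomes part of the page's HTML.
function renderToolbarUnsafe(displayName) {
  return '<span class="cp-toolbar-user">' + displayName + '</span>';
}

// Hardened form: the name is escaped, so it can only ever render as text.
function renderToolbarSafe(displayName) {
  return '<span class="cp-toolbar-user">' + escapeHtml(displayName) + '</span>';
}

// Constructed registration name reusing the payload quoted in the release notes.
const selfXssName = '<script>alert("pew")</script>';

// Defence in depth: report whether a Content-Security-Policy header would let
// an injected inline <script> execute. Following the CSP rules: script-src
// falls back to default-src when absent; if neither is present nothing
// restricts scripts; 'unsafe-inline' is ignored by browsers when a nonce,
// hash or 'strict-dynamic' source is also listed.
function cspPermitsInlineScript(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) {
      directives.set(tokens[0].toLowerCase(), tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return true;
  if (!sources.includes("'unsafe-inline'")) return false;
  const hasStrictSource = sources.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic)/.test(s));
  return !hasStrictSource;
}

// Constructed policies: one strict, one lax (the kind of relaxation a spreadsheet
// component may require), and one that lists 'unsafe-inline' but neutralises it.
const strictPolicy = "default-src 'self'; script-src 'self'";
const laxPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const noncePolicy = "script-src 'nonce-constructed123' 'unsafe-inline'";

console.log('unsafe :', renderToolbarUnsafe(selfXssName));
console.log('safe   :', renderToolbarSafe(selfXssName));
console.log('strict policy allows inline script:', cspPermitsInlineScript(strictPolicy));
console.log('lax policy allows inline script   :', cspPermitsInlineScript(laxPolicy));
```

The two findings in the release notes map onto the two halves of the block: escaping at the rendering site removes the bug itself, while the CSP check shows why the same bug was inert on most pages and exploitable only where the policy was relaxed. Reviewing every page's effective script-src for 'unsafe-inline' is a cheap way to find the spots where output encoding is the only remaining line of defence.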