indico v2.3.1 Release Notes
Release Date: 2020-10-27
Security fixes
- Fix potential data leakage between OAuth-authenticated and unauthenticated HTTP API requests for the same resource (#4663)
Note: Due to OAuth access to the HTTP API having been broken until this version, we do not believe this was actually exploitable on any Indico instance. In addition, only Indico administrators can create OAuth applications, so regardless of the bug there is no risk for any instance which does not have OAuth applications with the read:legacy_api scope.
Improvements
- Generate material packages in a background task to avoid timeouts or using excessive amounts of disk space in case of people submitting several times (#4630)
- Add new EXPERIMENTAL_EDITING_SERVICE setting to enable extending an event's Editing workflow through an OpenReferee server (#4659)
Bugfixes
- Only show the warning about draft mode in a conference if it actually has any contributions or timetable entries
- Do not show incorrect modification deadline in abstract management area if no such deadline has been set (#4650)
- Fix layout problem when minutes contain overly large embedded images (#4653, #4654)
- Prevent pending registrations from being marked as checked-in (#4646, thanks @OmeGak)
- Fix OAuth access to HTTP API (#4663)
- Fix ICS export of events with draft timetable and contribution detail level (#4666)
- Fix paper revision submission field being displayed for judges/reviewers (#4667)
- Fix managers not being able to submit paper revisions on behalf of the user (#4667)
Internal Changes
- Fix potential data leakage between OAuth-authenticated and unauthenticated HTTP API requests for the same resource (#4663)