Kallithea 0.6.3 released

This minor release fixes/mitigates two security vulnerabilities and fixes some minor bugs. We advise all users to upgrade as soon as possible.

This release fixes a cross-site scripting (XSS) vulnerability in Kallithea itself, and mitigates a server-side request forgery (SSRF) vulnerability in git. Please refer to our Security section for more details.
Thanks to stypr of Flatt Security for reporting both vulnerabilities.

In addition to the aforementioned security issues, this release also fixes some other bugs and adds some additional robustness in certain areas. See 'Changes' below for a list of changes most relevant to users.

Upgrading

Please refer to the documentation for upgrade instructions.

There are no specific attention points when upgrading from 0.6.2 to 0.6.3.

If you are upgrading from a version before 0.6.0, do generate a new configuration file and update your database via alembic (see the upgrade instructions for details).

Changes

Below are the most relevant changes between 0.6.2 and 0.6.3. Note that it is not a complete list: some changes are purely internal refactoring. Please refer to the source repository if you are interested in full details.

Configuration file (ini)

• change template to use celery 4 setting name celery.result_backend ^cs

User interface functionality

Diff

• make sure that trailing tabs are indicated (backported from default branch) ^cs

Front-end

• use bin path for node commands instead of .bin ^cs

Repositories and Repository Groups

• fix HTML markup of repository group descriptions ^{cs, security info}
• extra escape of names when used in select drop-downs ^cs
• fix select of parent group when adding repository group ^cs
• extra HTML escaping of repository and repository group names shown in DataTables ^cs

Version control systems support

Git

• fix interaction with certain git clients ^{cs, thread}
• consistently block git URLs with + schemes ^cs
• disallow odd characters in path of git:// URLs ^{cs, security info}

Thanks

We would like to thank everyone that contributed to the Kallithea repository since release 0.6.2 (the numbers are the amount of commits)...

9 Mads Kiilerich
2 Thomas De Schampheleire

... as well as everyone contributing in other ways, e.g. by testing, reporting issues, discussing via mail or IRC, etc.

Again, a special thanks to stypr of Flatt Security for reporting the security issue.