This minor release fixes/mitigates two security vulnerabilities and fixes some minor bugs. We advise all users to upgrade as soon as possible.
This release fixes a cross-site scripting (XSS) vulnerability in Kallithea itself, and mitigates a server-side request forgery (SSRF) vulnerability in git. Please refer to our Security section for more details.
Thanks to stypr of Flatt Security for reporting both vulnerabilities.
In addition to the aforementioned security issues, this release also fixes some other bugs and adds some additional robustness in certain areas. See 'Changes' below for a list of changes most relevant to users.
Upgrading
Please refer to the documentation for upgrade instructions.
There are no specific attention points when upgrading from 0.6.2 to 0.6.3.
If you are upgrading from a version before 0.6.0, do generate a new configuration file and update your database via alembic (see the upgrade instructions for details).
Changes
Below are the most relevant changes between 0.6.2 and 0.6.3. Note that it is not a complete list: some changes are purely internal refactoring. Please refer to the source repository if you are interested in full details.
Configuration file (ini)
- change template to use celery 4 setting name celery.result_backend
User interface functionality
Diff
- make sure that trailing tabs are indicated (backported from default branch)
Front-end
- use bin path for node commands instead of .bin
Repositories and Repository Groups
- fix HTML markup of repository group descriptions (security info)
- extra escape of names when used in select drop-downs
- fix select of parent group when adding repository group
- extra HTML escaping of repository and repository group names shown in DataTables
Version control systems support
Git
- fix interaction with certain git clients (thread)
- consistently block git URLs with + schemes
- disallow odd characters in path of git:// URLs (security info)
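The last two items are allow-list checks on user-supplied clone URLs. The following is an added example of that kind of check, not Kallithea's own code: it rejects compound `+` schemes (and anything outside a short scheme allow-list), requires a host, and restricts the path to a conservative character set. The allow-lists and the reason strings are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-lists (illustrative values, not Kallithea's actual ones).
ALLOWED_SCHEMES = {"http", "https", "git"}
# Only these characters are accepted in a path; anything else
# (whitespace, control characters, '%', ':', '@', ...) is rejected.
SAFE_PATH_CHARS = re.compile(r"^[A-Za-z0-9._~/-]*$")


def check_clone_url(url):
    """Return None if the clone URL is acceptable, else a short reason.

    Rejects: any scheme outside the allow-list (this implicitly covers
    compound 'a+b' schemes, since '+' never occurs in an allowed name),
    URLs without a host, and paths that are empty, contain characters
    outside SAFE_PATH_CHARS, or have a '..' segment or a segment that
    starts with '-'.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if "+" in scheme or scheme not in ALLOWED_SCHEMES:
        return "scheme"
    if not parts.netloc:
        return "host"
    path = parts.path
    if not path.startswith("/") or not SAFE_PATH_CHARS.match(path):
        return "path"
    segments = [s for s in path.split("/") if s]
    if not segments:
        return "path"
    for seg in segments:
        if seg == ".." or seg.startswith("-"):
            return "path"
    return None
```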
Thanks
We would like to thank everyone that contributed to the Kallithea repository since release 0.6.2 (the numbers are the amount of commits)...
9 Mads Kiilerich
2 Thomas De Schampheleire
... as well as everyone contributing in other ways, e.g. by testing, reporting issues, discussing via mail or IRC, etc.
Again, a special thanks to stypr of Flatt Security for reporting the security issues.