This update to PILOS v4 adds OpenID Connect as a new authentication option and offers additional options for customizing the user interface using custom CSS. It also fixes several minor bugs and implements security recommendations and fixes that were suggested during a penetration test conducted by a German state government.
Due to the security vulnerabilities that have been fixed, we recommend installing the update as soon as possible.
To install this version, see our Getting Started Guide.
⚠️ Upgrading / Breaking Change
In previous NGINX reverse proxy configuration recommendations, the Host header was not explicitly set, so NGINX forwarded its default value (`$proxy_host`, i.e. the upstream address from `proxy_pass`) to the application instead of the hostname the client requested.
Due to an undocumented change in the Laravel framework, this now results in a "Bad Request" error.
Add the following line to your NGINX reverse proxy configuration:

```nginx
proxy_set_header Host $host;
```

Added
- OpenID Connect authentication (#300, #2281) by @SamuelWei
- Security header X-XSS-Protection (#2519) by @SamuelWei
- Security header Referrer-Policy (#2519) by @SamuelWei
- Docs: HTTP Strict Transport Security (HSTS) recommendations (#2519) by @SamuelWei
- Virus scan results to metrics (#2304) by @SamuelWei
- Route-specific CSS classes to frontend pages (#2496, #2497) by @SamuelWei
- Admin option to upload a custom CSS file (#2496, #2553, #2554) by @Sabr1n4W
Changed
- UX: Placeholder in room search box (#2383, #2449) by @SamuelWei
- Upgraded to Tailwind CSS v4 and migrated styles from SASS to plain CSS (#2477) by @SamuelWei and @Sabr1n4W
- PHP.ini defaults to align with OWASP recommendations (#2519) by @SamuelWei
- Security header X-Frame-Options value to DENY (#2519) by @SamuelWei
- Authenticator label texts and term in external authentication documentation (#2551) by @Sabr1n4W
Fixed
- Negative floating point number in room expire email (#2476, #2480) by @SamuelWei
- Infinite loading when navigating back to rooms from BBB due to bfcache (#2313, #2319) by @SamuelWei
- Broken dark mode after using room utilisation statistic dialog (#2478, #2479) by @SamuelWei
- BBB waiting room integration tests (#2517) by @SamuelWei
Security
- Regenerate session after password change (#2519) by @SamuelWei
- Removed unused CORS header (#2519) by @SamuelWei
- Removed PHP version header (#2519) by @SamuelWei
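After upgrading, it is worth confirming that the header changes listed in this release actually reach the browser through your reverse proxy. The POSIX shell function below is an added example written for this page, not code from the PILOS project or its documentation. It reads a raw HTTP response header block on stdin (for example from `curl -sI https://pilos.example.org/`, where the hostname is a placeholder) and checks: X-Frame-Options is exactly DENY, Referrer-Policy and X-XSS-Protection are present (only presence is checked, since the release notes do not state their values), the PHP version header (X-Powered-By: PHP/…) is gone, and Strict-Transport-Security is present (a documentation recommendation in this release, so reported as a warning only). The two sample header blocks are constructed for the stand-alone run, not captured from a real server.

```shell
# Added example, not part of the PILOS release. Checks a captured HTTP response
# header block (stdin) for the headers PILOS 4.8.0 sets or removes.
# Usage: curl -sI https://pilos.example.org/ | check_security_headers
# Returns 0 when all hard checks pass, 1 otherwise; HSTS absence is a warning.
check_security_headers() {
    # Normalise: strip CR from CRLF line endings, lower-case everything so the
    # header names (and the DENY value) can be matched case-insensitively.
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    rc=0

    # X-Frame-Options must be exactly DENY (changed in 4.8.0).
    if ! printf '%s\n' "$hdrs" | grep -q '^x-frame-options:[[:space:]]*deny[[:space:]]*$'; then
        echo "FAIL: X-Frame-Options is missing or not DENY"
        rc=1
    fi

    # Referrer-Policy and X-XSS-Protection were added; the release notes do not
    # state their values, so only presence is checked here.
    for h in referrer-policy x-xss-protection; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            echo "FAIL: missing $h header"
            rc=1
        fi
    done

    # PHP emits "X-Powered-By: PHP/x.y.z" when expose_php is on; 4.8.0 removes it.
    if printf '%s\n' "$hdrs" | grep -q '^x-powered-by:.*php'; then
        echo "FAIL: PHP version header (X-Powered-By) still present"
        rc=1
    fi

    # HSTS is only a documentation recommendation in this release: warn, do not fail.
    if ! printf '%s\n' "$hdrs" | grep -q '^strict-transport-security:'; then
        echo "WARN: no Strict-Transport-Security header (make sure you tested over HTTPS)"
    fi

    return $rc
}

# Constructed sample: a response that matches the 4.8.0 header set
# (the X-XSS-Protection and Referrer-Policy values are illustrative only).
GOOD_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: DENY
X-XSS-Protection: 0
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000'

# Constructed sample: a pre-upgrade-style response with the old frame option and
# the PHP version header still exposed.
BAD_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/8.3.1'

if printf '%s\n' "$GOOD_HEADERS" | check_security_headers; then
    echo "sample 1: PASS"
fi
if printf '%s\n' "$BAD_HEADERS" | check_security_headers; then
    echo "sample 2: unexpectedly passed"
else
    echo "sample 2: FAIL (expected for the pre-upgrade sample)"
fi
```

Run it against the real deployment with `curl -sI` as in the usage comment; if the hard checks fail there but pass against the application container directly, the headers are being dropped or overwritten by the reverse proxy.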
Full Changelog: v4.7.1...v4.8.0