github gotenberg/gotenberg v8.32.0
8.32.0
on GitHub

5 hours ago

Breaking Changes & Security Fixes ⚠️

  • Reverted SSRF defaults (breaking vs 8.31.0). 8.31.0 blocked private-IP destinations by default, which broke deployments running Gotenberg inside a private network. 8.32.0 restores the 8.30.x permissive defaults. Operators with internet-facing APIs opt into the strict posture via the new flags below.

  • Rejected file:// at /forms/chromium/convert/url. Submitting url=file:///tmp/... used to let an unauthenticated caller enumerate the request working directory and read other in-flight uploads as rendered PDFs. The route now returns HTTP 400 for any file:// URL.

  • Required uploaded file for image / pdf stamp and watermark sources. Twelve callsites accepted stampSource=pdf or watermarkSource=pdf with an expression pointing at any path the Gotenberg process could open, even when no file was uploaded. Handlers now return HTTP 400 unless the caller uploaded a matching file.

  • Scoped file:// sub-resources to the request working directory. Crafted HTML could reference another request's file:///tmp/<reqdir>/.... The CDP request handler now restricts file:// sub-resources to the current request's directory. /convert/url and /screenshot/url reject every file:// sub-resource outright.

  • Hardened Chromium against DNS rebinding. A short-TTL DNS authority could return a public IP at validation and a private IP at connect. A loopback HTTP / CONNECT proxy now sits between Chromium and the network, resolves DNS once, and pins the dial to the resolved IP. Skipped when --chromium-proxy-server or --chromium-host-resolver-rules is set.

  • Filtered LibreOffice outbound fetches through a proxy. Uploaded OOXML, RTF, and ODF files can embed external URLs that LibreOffice's libcurl resolves below every Go-side SSRF filter. LibreOffice now routes every outbound fetch through an in-process forward proxy on the same gotenberg.DecideOutbound path Chromium and webhook delivery use. See the four new flags below.

  • Recovered webhook async panics. High-concurrency webhooks could panic the async goroutine and crash the whole process. The goroutine now snapshots the request context and recovers any future panic through the existing error path.

New Features

  • LibreOffice outbound URL filtering. Four flags mirror the Chromium and webhook layout: --libreoffice-allow-list, --libreoffice-deny-list, --libreoffice-deny-private-ips, --libreoffice-deny-public-ips. All default permissive.

  • IP-class filtering on four modules. chromium, webhook, api-download-from, and libreoffice each accept matching deny-private-ips and deny-public-ips flags. All default to false.

Flag What it does
--chromium-deny-private-ips Reject Chromium navigations and sub-resources resolving to a non-public IP.
--chromium-deny-public-ips Reject Chromium navigations and sub-resources resolving to a public IP.
--webhook-deny-private-ips Reject webhook URLs (success, error, events) resolving to a non-public IP.
--webhook-deny-public-ips Reject webhook URLs resolving to a public IP.
--api-download-from-deny-private-ips Reject downloadFrom URLs resolving to a non-public IP.
--api-download-from-deny-public-ips Reject downloadFrom URLs resolving to a public IP.
--libreoffice-deny-private-ips Reject LibreOffice outbound fetches resolving to a non-public IP.
--libreoffice-deny-public-ips Reject LibreOffice outbound fetches resolving to a public IP.

A URL matching --*-allow-list skips the IP-class check. A URL matching --*-deny-list is always rejected. Setting both deny-private-ips=true and deny-public-ips=true rejects every URL unless the allow-list matches.

Bug Fixes

  • Charts print as blank rectangles (#1531, #1532, #1534, #1535): chromedp v0.15.0 suspended the BeginFrame-driven callback dispatch loop under emulatedMediaType=print. requestAnimationFrame, ResizeObserver, IntersectionObserver, CSS transitionend, and CSS animationend all stopped firing. Pinning chromedp back to v0.14.2 restores native dispatch.

  • LibreOffice cached an unrecoverable first-start error (#1538): A short --libreoffice-start-timeout timed out the first request, then every subsequent request returned the same cached error until the container restarted. The lazy-start path now retries on failure.

Chore

  • Updated pdfcpu to v0.12.0.
  • Switched metadata read/write to direct exiftool invocation. Removes the GPL-3.0 go-exiftool dependency.
  • Bumped Go to 1.26.2.
  • Updated Go dependencies.

Thanks

Thanks to @Jalliuz (#1527) for reporting the 8.31.0 sub-resource regression. @notscottsmith (#1531), @spoltix (#1532), @rdelott-work (#1534), and @sillyas2010 (#1535) narrowed down the chromedp print-mode regression. @sillyas2010 also published the reproducer that pinned the bisect. @JeremyReist2 (#1536) flagged the go-exiftool GPL-3.0 license. @doronbehar (#1537) requested the pdfcpu upgrade. @mlafon (#1538) reported the LibreOffice supervisor cached-error bug.

Check out latest releases or
releases around gotenberg/gotenberg v8.32.0

Don't miss a new gotenberg release

NewReleases is sending notifications on new releases.

Get notifications