github indico/indico v2.3.4


⚠️ Security fixes

  • Fix some open redirects which could help make harmful URLs look more trustworthy by linking to Indico and having it redirect the user to a malicious site (#4814, #4815)
  • The BASE_URL is now always enforced and requests whose Host header does not match are rejected. This prevents malicious actors from tricking Indico into sending e.g. a password reset link to a user that points to a host controlled by the attacker instead of the actual Indico host (#4815, GHSA-wgpj-7c2j-vfjm, CVE-2021-30185)

Note: If the webserver is already configured to enforce a canonical host name and redirects or rejects such requests, this cannot be exploited. Additionally, exploiting this problem requires user interaction: they would need to click on a password reset link which they never requested, and which points to a domain that does not match the one where Indico is running.
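To illustrate the Host header enforcement described above, here is an added example (not Indico's own code): it assumes a configured BASE_URL, accepts a request only when its Host header names the same host and effective port, and builds the password reset link from BASE_URL rather than from the request.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample configuration for this example (assumed, not Indico's config)
BASE_URL = "https://indico.example.org"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _canonical_host(scheme: str, netloc: str) -> Optional[Tuple[str, int]]:
    """Lower-case hostname plus effective port, or None if the value is not a bare host[:port]."""
    # A Host header must not carry userinfo, a path, a query or a fragment.
    if any(ch in netloc for ch in "@/\\?#"):
        return None
    try:
        parts = urlsplit(f"{scheme}://{netloc}")
        host = parts.hostname          # already lower-cased by urlsplit
        port = parts.port or _DEFAULT_PORTS.get(scheme)
    except ValueError:                 # e.g. a non-numeric port
        return None
    if not host or port is None:
        return None
    return host, port


def host_header_matches(base_url: str, host_header: Optional[str]) -> bool:
    """True only if the request's Host header names the configured canonical host."""
    if not host_header:
        return False
    base = urlsplit(base_url)
    expected = _canonical_host(base.scheme, base.netloc)
    actual = _canonical_host(base.scheme, host_header)
    return expected is not None and actual == expected


def password_reset_url(base_url: str, host_header: Optional[str], token: str) -> str:
    """Build the reset link from BASE_URL, never from the Host header; refuse mismatches."""
    if not host_header_matches(base_url, host_header):
        raise ValueError("Host header does not match BASE_URL; request rejected")
    return f"{base_url.rstrip('/')}/reset-password/{token}"
```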

🎉 Improvements

  • Fail more gracefully if a user has an invalid locale set and fall back to the default locale, or to English in case the default locale is invalid as well
  • Log an error if the configured default locale does not exist
  • Add ID-1 page size for badge printing (#4774, thanks @OmeGak)
  • Allow managers to specify a reason when rejecting registrants and add a new placeholder for the rejection reason when emailing registrants (#4769, thanks @vasantvohra)

🐛 Bugfixes

  • Fix the "Videoconference Rooms" page in conference events when there are any VC rooms attached but the corresponding plugin is no longer installed
  • Fix deleting events which have a videoconference room attached whose VC plugin is no longer installed
  • Do not auto-redirect to SSO when an MS office user agent is detected (#4720, #4731)
  • Allow Editing team to view editables of unpublished contributions (#4811, #4812)

🔧 Internal Changes

  • Also trigger the ical-export metadata signal when exporting events for a whole category
  • Add primary_email_changed signal (#4802, thanks @openprojects)
