Another patch release, this time focused on security improvements from our recent audit. There are also a few bugfixes, including an important fix for a bug introduced in the last release that could break model pages for new users!
What's Changed
🔒 Security 🔒
- Obfuscate password input fields in user admin area by @Floppy in #5094
- Sanitize upload filenames to prevent path traversal by @Floppy in #5098
- Only object owners can set sharing permissions by @Floppy in #5099
- Obfuscate OAuth client secret on screen (with reveal and copy options) by @Floppy in #5100
- OIDC: Don't match accounts by unverified emails by @Floppy in #5101
- Improve and test rate limiting, including OAuth and OIDC endpoints by @Floppy in #5104
- Add explicit sanitization to fields that come in from the Fediverse by @Floppy in #5111
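Two of the security items above, sanitizing upload filenames against path traversal and refusing to match OIDC logins to accounts by an unverified email, as an added example. This is illustrative code written for this note, not the project's own implementation: it assumes a Ruby codebase, a hypothetical upload root of `/var/app/uploads`, and the user records it searches are constructed stand-ins for a database table.

```ruby
# Hypothetical upload root; the real application path is not on the page.
UPLOAD_ROOT = "/var/app/uploads".freeze

# Reduce a client-supplied filename to a single safe path component.
# Directory parts are dropped (both "/" and "\" count as separators),
# anything outside [A-Za-z0-9_.-] becomes "_", leading dots are removed so
# ".." and hidden files cannot be produced, and the result is length-capped.
def sanitize_upload_filename(raw)
  name = raw.to_s.split(%r{[\\/]}).last.to_s
  name = name.gsub(/[^\w.\-]/, "_")
  name = name.sub(/\A\.+/, "")
  name = "upload" if name.empty?
  name[0, 255]
end

# Does resolving +raw+ relative to +root+ land outside +root+?
# Shown here to make the risk of storing unsanitized names concrete.
def escapes_root?(root, raw)
  !File.expand_path(raw.to_s, root).start_with?(File.join(root, ""))
end

# Defence in depth: sanitize, then re-check the resolved path anyway.
def safe_upload_path(raw, root = UPLOAD_ROOT)
  target = File.expand_path(sanitize_upload_filename(raw), root)
  raise ArgumentError, "path escapes upload root" if escapes_root?(root, File.basename(target))
  target
end

# Constructed user records standing in for a users table (not real data).
USERS = [
  { id: 1, email: "alice@example.com", oidc_subject: nil },
  { id: 2, email: "bob@example.com",   oidc_subject: "https://idp.example|bob-sub" }
].freeze

# Resolve an OIDC ID-token claim set to a local account.
# 1. Prefer the issuer+subject pair that was previously linked to an account.
# 2. Only fall back to email matching when the provider asserts the email is
#    verified (strict boolean true); an unverified email must never link accounts.
def account_for_oidc_claims(claims, users = USERS)
  key = "#{claims['iss']}|#{claims['sub']}"
  linked = users.find { |u| u[:oidc_subject] == key }
  return linked if linked

  return nil unless claims["email_verified"] == true && claims["email"]

  users.find { |u| u[:email].casecmp?(claims["email"]) }
end
```

The sanitizer keeps only the last path component rather than trying to strip `..` sequences in place, which is the usual way such filters get bypassed; the resolved-path check after the fact costs nothing and catches any future regression in the sanitizer. For OIDC, the stable `iss`+`sub` pair is the identity; email is a convenience for first-time linking and only when the provider vouches for it.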
🐛 Bug Fixes 🐛
- Include slicer app images locally to avoid CORS errors by @Floppy in #5077
- Fix server scheme in API documentation by @Floppy in #5102
- Fix tour error on model page blocking entire UI by @Floppy in #5106
- Fix error when rendering remote actors in federated search by @Floppy in #5110
Full Changelog: v0.129.2...v0.129.3