We had a security audit recently, thanks to NLNet / NGI Zero and Radically Open Security. This release fixes a load of security issues that were found in the audit, many of which fix other bugs at the same time.
The biggest obvious change is that you should now set PUID and PGID environment variables to specify which user and group Manyfold should run as - before, it would run as root because that's what Docker does by default, and that's obviously a security risk. If you don't set those variables, it will continue to run as root, but it will warn you loudly until you change it! Don't forget to make sure that your libraries are writable by the user you choose!
Visit our new Security page for more details on these and other new options to make your instances more secure!
What's Changed
✨ New Features ✨
- Show admins a security alert if container is being run as root by @Floppy in #2252
- Add PUID and PGID env vars to control which user the app runs as by @Floppy in #2253
- Lock accounts temporarily after too many failed login attempts by @Floppy in #2254
- Show free space in upload selector and library details (for admins only) by @Floppy in #2260
- Limit file upload size by @Floppy in #2266
- Add HTTPS_ONLY env option to force secure-only connections by @Floppy in #2275
- Limit size of extracted files on upload by @Floppy in #2281
🐛 Bug Fixes 🐛
- Restrict problem viewing to contributors, not viewers by @Floppy in #2257
- Set secure flags on libarchive extraction to avoid "Zip Slip" exploits by @Floppy in #2258
- Fix upload file filter on Windows machines by @Floppy in #2261
- Fix translation linter error by @Floppy in #2262
- Avoid naming race condition on upload by @Floppy in #2268
- Stop username enumeration through password reset form by @Floppy in #2283
- Check problematic item exists when rendering problem list by @Floppy in #2289
- Allow inline style attributes in Content-Security-Policy by @Floppy in #2290
🛠️ Other Improvements 🛠️
- Check file extension before unzipping uploads by @Floppy in #2267
- Make the "remember me" cookie HTTPS-only if appropriate by @Floppy in #2276
- Completely reset user session on logout by @Floppy in #2279
- Add session timeouts to reduce session fixation/hijacking by @Floppy in #2280
- Mitigate timing attacks on user lookups by @Floppy in #2282
- Change from cocoon to cocooned by @Floppy in #2259
- Remove external jQuery and selectize scripts by @Floppy in #2285
- Reduce javascript payload with tree-shaking by @Floppy in #2286
- Add Content-Security-Policy to increase security by @Floppy in #2287
Full Changelog: v0.68.0...v0.69.0