Security patch release addressing findings from the internal audit.
Security fixes

Backend

- B-H1: Prowlarr indexer Create/Update now validate the URL with `httpsec.ValidateOutboundURL(PolicyLAN)` — prevents SSRF via attacker-controlled indexer URLs
- B-H2: `sanitizePath` in the file renamer strips `.`, `..` and empty path components; `DestPath` and `AudiobookDestDir` assert the final path stays within the configured base directory
- B-H3: Backup restore and delete handlers validate filenames against `^bindery_\d{8}_\d{6}\.db$` instead of loose substring checks
- B-L1: Image proxy HTTP client re-validates redirect target URLs with `PolicyStrict` and caps redirect chains at 5 hops
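The B-H2 and B-H3 checks above, as an added illustration that is not Bindery's own code: the function names, the `/srv/audiobooks` base directory and the sample inputs are assumptions, and the containment check is kept separate so it can be exercised on its own.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// sanitizeRelPath is the B-H2 filter (hypothetical helper, not Bindery's code).
func sanitizeRelPath(p string) string {
	p = strings.ReplaceAll(p, "\\", "/") // treat both separator styles alike
	var keep []string
	for _, c := range strings.Split(p, "/") {
		if c == "" || c == "." || c == ".." {
			continue // traversal and empty components are discarded
		}
		keep = append(keep, c)
	}
	return filepath.Join(keep...)
}

// withinBase: after cleaning, full must be base itself or lie below it (defence in depth).
func withinBase(base, full string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(full))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// destPath joins the sanitized path onto base and asserts containment, as DestPath does in B-H2.
func destPath(base, rel string) (string, error) {
	full := filepath.Join(base, sanitizeRelPath(rel))
	if !withinBase(base, full) {
		return "", errors.New("destination path escapes base directory")
	}
	return full, nil
}

// backupName is the strict B-H3 pattern; a substring check would also accept "../bindery_....db".
var backupName = regexp.MustCompile(`^bindery_\d{8}_\d{6}\.db$`)

func validBackupName(name string) bool { return backupName.MatchString(name) }

func main() {
	for _, in := range []string{"Author/Book.m4b", "../../etc/passwd"} { // constructed inputs
		p, err := destPath("/srv/audiobooks", in)
		fmt.Printf("%q -> %q err=%v\n", in, p, err)
	}
}
```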
Auth / API

- F-H1: All state-changing `/api/v1` requests now require the `X-Requested-With: bindery-ui` header; the server rejects requests missing it with 403 — defeats classical cross-site request forgery
- F-H2: Hardcover API token moved from the `?token=` URL query parameter to the `Authorization: Bearer` header — prevents token leakage in proxy logs and browser history
- B-M3: OPDS Basic-auth endpoint now goes through the login rate limiter (was unbounded before)

CI

- I-M1: All `actions/checkout` steps set `persist-credentials: false`
- I-M2: `govulncheck` pinned to `v1.1.4` instead of `@latest`
Upgrading

Drop-in upgrade from v0.20.0. No database migrations, no config changes required.

If you use the Hardcover import list feature, your client integrations that call `/api/v1/importlist/hardcover/lists` will need to pass the token as `Authorization: Bearer <token>` instead of `?token=<token>`.