Releases: BookStackApp/BookStack

BookStack Beta v0.30.5

06 Dec 21:14
v0.30.5
eecc08e

Security Release

Phishing and server-side request forgery vulnerabilities have been found within BookStack. Release v0.30.5 removes the server-side request forgery issue and brings updated wording and advisories to mitigate the potential phishing vulnerability. You should ensure you've set the APP_URL option in your .env file to reduce the likelihood of the phishing attack. Please view the above report or blogpost links for more detail.

BookStack Beta v0.30.4

31 Oct 16:59
v0.30.4
06c81e6

Security Release

This release addresses XSS and user-injected auto-redirect vulnerabilities within the page content & attachment components of BookStack. These are primarily a concern if untrusted users can edit content on your BookStack instance. Please view the above report or blogpost links for more detail.

BookStack Beta v0.30.3

13 Oct 21:55
v0.30.3
94c59c1

Full List of Changes

This release contains the following fixes and changes:

  • Added VBScript syntax highlighting to the code block editor. Thanks to @nutsflag. (#2302, #2255)
  • Fixed issue where drawings would not save in the Markdown editor. (#2313, #2321)
  • Updated some Spanish and Chinese translations. (#2303)

BookStack Beta v0.30.2

30 Sep 21:50
v0.30.2
751772b

Full List of Changes

This release contains the following fixes and changes:

  • Updated JavaScript build system to provide slightly better browser compatibility.
  • Updated page-content save parsing to update anchor references on IDs changed by BookStack. (#2278)
  • Fixed issue where creating a link attachment after multiple validation failures would result in many duplicate links being created. (#2286)
  • Updated drawing integration to, by default, use diagrams.net instead of draw.io. (#2285, #2044)
  • Updated default .htaccess to align with Laravel's and allow canonical redirects on non-root URL app instances. Thanks to @jakubboucek. (#2272)

BookStack Beta v0.30.1

26 Sep 16:58
v0.30.1
3edc9fe

Full List of Changes

This release contains the following fixes and changes:

  • Updated translations. (#2262)
  • Updated settings header bar to adapt better for longer-text languages. (#2265)
  • Updated callout link formatting to use callout text style rather than theme color. Thanks to @alexmannuk. (#2233, #303)
  • Updated Book export content so that page includes are parsed. Thanks to @mr-vinn. (#2227, #2228)
  • Fixed issue where the markdown editor preview pane would be empty. (#2280)
  • Fixed incorrect spelling of "Ubuntu Mono" font definition. Thanks to @abulgatz. (#2274)
  • Fixed incorrect AddActivityIndexes migration 'down' action. Thanks to @gertjankrol. (#2268)
  • Fixed unexpected scroll bars on code blocks. (#2267)
  • Fixed issue where a notification would not be shown upon SAML login where there's an existing non-matching user. (#2263)

BookStack Beta v0.30.0

20 Sep 09:35
v0.30.0
ecd5691

Update Notices

Security Notice - Possible Privilege Escalation

Thanks to @Defelo it was advised that current privilege escalation situations are not made clear when applying role permissions. Any user with a "Manage app settings", "Manage users" or "Manage roles & role permissions" system permission assigned to one of their roles could technically alter their own permissions to gain wider access. A clear advisory of these cases has been added in the UI in v0.30, but admins are advised to review which users have these permissions with the above in mind.

LDAP & SAML Group Matching - Potential Change

Thanks to @nem1989 it was found that BookStack roles would be matched to LDAP/SAML groups based upon the role display name, which is expected, but only those roles with a matching "name" value would be considered for this matching. This "name" field was redundant and has now been removed, but it would store a cleaned version of the first-set name of the role. All roles will now be considered before being matched on name, which may mean that roles which did not sync before, but would have been expected to based on their name, may now start to sync.

Full List of Changes

  • Added API endpoints for chapters.
  • Added audit log to the settings area. (#2173, #1167)
  • Added the ability to insert an attachment link directly into the current editor window. (#1460)
  • Added session-based code-block editor auto-save to prevent potential loss of content. (#1398)
  • Added warning wording around role system permissions to indicate what permissions could allow privilege escalation. (#2105)
  • Added the ability to log login failures to a file. Thanks to @benrubson. (#1881, #728)
  • Updated Simplified Chinese translations. Thanks to @Honvid. (#2157)
  • Updated WYSIWYG editor CSS to put the editor in its own layer to improve degraded dark mode performance. (#2154)
  • Updated Czech translations. Thanks to @jakubboucek. (#2238)
  • Updated permission system so that the permission map table does not contain IDs, since database limits could be met in scenarios where permissions were automatically refreshed on a frequent basis. (#2091)
  • Updated the role table in the database to remove a redundant name field, which fixes an issue where changing a role name would not change the name used to match with LDAP groups. (#2032)
  • Updated URL slug generation to achieve a much cleaner result when non-ascii characters are used. Thanks to @drzippie. (#2165, #2026, #1765)
  • Updated error reporting so that not-found errors are not written to the log, which had caused logs to fill much quicker than expected. (#2110)
  • Updated dark mode styles to remove filters applied to images so that they display as expected. (#2045)
  • Removed Vue.js from project & started standardisation of custom basic component system. (#2202)
  • Replaced dev usage of node-sass with dart-sass. Thanks to @timoschwarzer. (#2166)
  • Fixed issue where, upon role delete, users would not be migrated to the role specified during the role delete flow. (#2211)
  • Fixed issue where the system would error on upload of images that contain a hash in the name. (#2161)
  • Fixed scenario where page drafts would show as saved when the request had actually failed, leading to loss of data. Added a browser-side storage mechanism for emergency use. (#2150)
  • Fixed issue where LDAP groups would not sync on initial login due to the email confirmation system taking over before the group sync would run. (#2082)
  • Fixed issue where the redirect upon login could lead to an external site. (#2073)
  • Fixed low visibility of horizontal lines when dark mode is in use. (#2209)
  • Fixed issue where HTML entities would be seen in page preview content. Thanks to @mr-vinn. (#2257, #2114)
  • Fixed issue where previous page content would be indexed upon save instead of the fresh content. (#2042)
  • Fixed issue where an error would be thrown on SAML logout request from the IdP. (#2002)
  • Fixed bad pagination styling which would result in invisible numbering. (#1839)
  • Fixed incorrect and misleading behaviour when saving a comment with no content. (#1836)

BookStack Beta v0.29.3

12 May 21:44
v0.29.3
29ddb6e

Security Release

This release addresses issue #2111 where the name of a restricted book could be viewed by non-authorised users when the book was on a shelf and the shelves were viewed in "List View". This could expose book names to those who did not have permission to see them, when the book was part of a shelf.

BookStack Beta v0.29.2

02 May 10:57
v0.29.2
04ecc12

Security Release

This release addresses vulnerabilities in the comment system. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to other users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore run on other users' machines.

This most impacts scenarios where untrusted users are given permission to create comments.

After upgrading, the command php artisan bookstack:regenerate-comment-content should be run to remove any pre-existing dangerous content.

BookStack Beta v0.29.1

28 Apr 11:39
v0.29.1
4818192

Full List of Changes

This release contains the following fixes and changes:

  • Added multi-item select to the book-sort interface. (#2067)
  • Updated authentication system to prevent admins being logged out when changing authentication type, useful when setting up LDAP or SAML. (#2031)
  • Updated editor focus so that the title is pre-selected if it is still the default, otherwise the editor is focused. (#2036)
  • Updated translations for Dutch, Korean, French, Turkish, Spanish. Thanks to Crowdin Users. (#2028, #2071)
  • Fixed issue where callout styles could not be cycled through via shortcut when in-callout formatting was selected in the editor. (#2061)
  • Fixed issue where the selection area was not visible in code blocks or the markdown editor when using dark mode. (#2060)
  • Fixed issue where callouts and code blocks would overlap floated images. (#2055)
  • Fixed issue where no notification would show on an LDAP Login when email already exists. (#2048)
  • Fixed API issue where "total" on a listing response would be incorrect when an offset was given. (#2043)

BookStack Beta v0.29.0

13 Apr 15:16
v0.29.0
195b749

Full List of Changes

  • Added a user-selectable dark-mode option. (#2022, #1234)
  • Added the ability to define a custom draw.io URL and therefore use a custom instance if preferred. (#826)
  • Added grid-view support, with toggle, to the shelf view. Thanks to @philjak. (#1755, #1221)
  • Added a list of the bookshelves that a book belongs to when viewing a book. Thanks to @cw1998. (#1688, #1598)
  • Added a new command to update your BookStack URL in the database. (#1225)
  • Added shelf API endpoints. Thanks to @osmansorkar. (#1908)
  • Added book-export API endpoints.
  • Updated password reset flows to avoid indicating whether an email is in use within the system. (#2016)
  • Updated WYSIWYG entity-link-insert to set link text to entity name, if input is empty. (#2014)
  • Updated styles with better RTL support through the use of CSS logical properties/values. (#2003)
  • Updated the name of saved drawings to not include the user's name, to prevent issues with non-standard characters. (#1993)
  • Removed BMP and TIFF from the list of allowed image upload types since these could not be resized properly. (#1990)
  • Updated code-block insert to handle focus, so code blocks can be inserted smoothly via keyboard alone. (#1972)
  • Updated namespacing used in tests to avoid warnings on recent versions of composer. (#1924)
  • Updated Chinese translations. Thanks to @jzoy. (#2023)
  • Updated translations for Turkish, Slovenian, Swedish, Spanish, Italian, Russian, German Informal, German, French, Chinese Simplified, Portuguese, Brazilian & Hungarian. Thanks to Crowdin Users.
  • Updated default .htaccess to allow Authorization header for API usage. Thanks to @osmansorkar. (#1908)
  • Updated GitHub authorization library to avoid use of deprecated auth methods. (#1879)
  • Fixed issue where ordered list numbers could be cut off. This was most apparent on Safari. (#1978)