Release v1.4.0 - Hardening the attachment preview, Google Cloud Storage and Oracle database support & adding new translations

[elrido]

This release improves the safety of the SVG attachment preview, adds Google Cloud Storage and Oracle database support, and new translations.

This minor release addresses a security issue with the SVG attachment preview, adds support for Google Cloud Storage (GCS) and Oracle databases, adds four new languages to the translations and includes updated libraries.

The storage system got reworked as part of the new Google Cloud Storage class and when not using the default file storage, the server salt and purge and traffic limiter items are now stored as part of the selected storage backend. It is now possible to run PrivateBin with database or GCS backend without requiring any write access to the data directory - automatic migrations run the first time any of these get accessed and found to be still present in the filesystem.

Benefits of switching to the new release

We recommend to upgrade 1.3.x instances to improve the resolved security issues. At the very minimum, please update your CSP headers in the configuration file to our currently recommended settings. You can check the headers of your instance via our new instance check service.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.

Changes since version 1.3.5

• ADDED: Translations for Corsican, Estonian, Finnish and Lojban
• ADDED: new HTTP headers improving security (New security headers #765)
• ADDED: Download button for paste text (Add download button (for paste text) #774)
• ADDED: Opt-out of federated learning of cohorts (FLoC) (Opt-Out of Google FloC #776)
• ADDED: Configuration option to exempt IPs from the rate-limiter (Make it possible to exempt ips from the rate-limiter #787)
• ADDED: Google Cloud Storage backend support (Add Google Cloud Storage support #795)
• ADDED: Oracle database support (Running PrivateBin on Oracle database #868)
• ADDED: Configuration option to limit paste creation and commenting to certain IPs (Usage Control #883)
• ADDED: Set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
• ADDED: Sanitize SVG preview, preventing script execution in instance context
• CHANGED: Language selection cookie only transmitted over HTTPS (Secure flag for 'lang' cookie #472)
• CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21, Showdown 2.0.3 & zlib 1.2.12
• CHANGED: Removed automatic .ini configuration file migration (Each request generates a warning when the CONFIG_PATH points to a secret directory mount in Cloud Run #808)
• CHANGED: Removed configurable dir for traffic & purge limiters (Implement data storage method for storing traffic limiter, salt etc. in DB, not data dir #419)
• CHANGED: Server salt, traffic and purge limiter now stored in the storage backend (Implement data storage method for storing traffic limiter, salt etc. in DB, not data dir #419)
• CHANGED: Drop support for attachment download in IE
• FIXED: Error when attachments are disabled, but paste with attachment gets displayed

Help wanted & greatly appreciated

Apart from the large tasks that require deeper insight and time, there are also smaller issues were help is wanted, topics open to debate and of course many languages that still remain to be translated. We are also still looking for additional long term maintainers among our frequent issue helpers.

If you are interested in helping with any of these points, we have prepared a development guide including design goals, code structure and tools that should get you started.

Plans for future releases

The next regular release will focus on user interface improvements.

---

This discussion was created from the release Release v1.4.0 - Hardening the attachment preview, Google Cloud Storage and Oracle database support & adding new translations.