conduwuit Release 0.3.3 (v0.3.3)
Hi everyone! conduwuit 0.3.3 has been released. This is a security-enhancement focused release along with lots of bug fixes and a new moderation feature.
List of changes include:
- Send a strong[1] Content-Security-Policy HTTP header on all conduwuit responses if one is not already present
- Send various other security-related HTTP headers such as X-Content-Type-Options: nosniff, X-XSS-Protection: 0 [2], X-Frame-Options: DENY, Origin-Agent-Cluster: ?1 [3], and Permissions-Policy: interest-cohort=(),browsing-topics=()
- Perform additional sanitisation on the filename for the Content-Disposition header (this was already being URL-safe encoded, but we perform our own ad-hoc sanitisation for improved security)
- Return an inline Content-Disposition based on our own detection of the file type: only return inline for user multi-media MIME types, and do not trust the Content-Type header. Always fall back to attachment
- Fix user /report incorrectly saying you are not in the room
- Fix non-functional unbans due to broken upstream code
- Moderation feature to automatically deactivate the accounts of any users who attempt to join any malicious room based on your global ACLs, banned rooms, etc
- Don't send the avatar_url or user display name on ban events as they may be potentially offensive
- Forget all the rooms when leaving all rooms for a user upon account deactivation
- Resolve various arithmetic and type-casting correctness issues
- Fix user presence statuses showing up as empty strings (noticeable in at least FluffyChat as empty white pills on users)
- Fix incorrect appservice namespace alias check
- Lots and lots of documentation revamps and improvements, also link to transfem.dev's rules document, and add a contributing guide
- Fix using conduwuit on NixOS without flakes
- Enable io_uring/liburing as a default feature for performance improvements
- Bump all the dependencies, and bump the MSRV to 1.77.0
[1]: sandbox; default-src 'none'; font-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self'; frame-ancesors 'none';
(Note this only affects the content being loaded, not the page loading it. Served images and other media should have no permission to execute JavaScript or to reach same-origin content in an attempt at XSS.)
[2]: Set to 0 because browser XSS filtering has itself caused vulnerabilities
[3]: This is a browser sandboxing feature that asks the browser to render the content in its own dedicated isolated process, as part of improved origin isolation
Adding security headers such as the CSP is not only a recommendation of the Matrix spec; as a general recommendation (e.g. XMPP's XEP-0363), untrusted user-uploaded content should be heavily isolated and sandboxed and not granted any permissions. This is in response to the previous high severity security release: we not only retain the filename as part of the Content-Disposition header for browsers, we can still provide the improved UX of allowing an inline Content-Disposition for user multi-media (images, videos, audio, etc.) while making sure the user is as secure as possible from any XSS concerns or exploits via the various HTTP security headers.
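The two decisions described above (render inline only when our own file-type detection says the bytes are user multimedia, and add the security headers only where a response lacks them), as an added example in Rust that is not conduwuit's own code. The magic-number sniffer, the inline-allowed set and the filename sanitiser are simplified assumptions; the header values are the ones listed in this release, written with the standard directive name frame-ancestors.

```rust
// Added example, not conduwuit's own code: choose Content-Disposition as the
// release notes describe (a MIME type sniffed from the bytes decides, never the
// upload-time Content-Type) and add the security headers only where a response
// lacks them. Sniffer table, inline-allowed set and sanitiser are simplified assumptions.
use std::collections::HashMap;
/// Sniff the MIME type from leading magic bytes (constructed, minimal table).
pub fn sniff_mime(bytes: &[u8]) -> &'static str {
    if bytes.starts_with(b"\x89PNG\r\n\x1a\n") { "image/png" }
    else if bytes.starts_with(b"\xff\xd8\xff") { "image/jpeg" }
    else if bytes.starts_with(b"GIF87a") || bytes.starts_with(b"GIF89a") { "image/gif" }
    else { "application/octet-stream" }
}

/// Only user multimedia may render inline; HTML, SVG, PDF and unknown types
/// fall back to attachment so the browser never renders them in-page.
fn inline_allowed(mime: &str) -> bool {
    matches!(mime, "image/png" | "image/jpeg" | "image/gif")
}

/// Ad-hoc filename sanitisation: conservative character set, no path
/// separators, quotes or control characters, and never an empty or dot-only name.
pub fn sanitise_filename(name: &str) -> String {
    let kept: String = name.chars()
        .filter(|c| c.is_ascii_alphanumeric() || matches!(*c, '.' | '-' | '_' | ' '))
        .collect();
    let trimmed = kept.trim_matches(|c: char| c == '.' || c == ' ');
    if trimmed.is_empty() { "download".into() } else { trimmed.to_string() }
}

/// `claimed_mime` is the untrusted upload-time Content-Type and is ignored.
pub fn content_disposition(bytes: &[u8], _claimed_mime: &str, filename: &str) -> String {
    let kind = if inline_allowed(sniff_mime(bytes)) { "inline" } else { "attachment" };
    format!("{kind}; filename=\"{}\"", sanitise_filename(filename))
}

/// Insert the release's security headers where the response lacks them.
pub fn add_security_headers(headers: &mut HashMap<String, String>) {
    let defaults = [
        ("Content-Security-Policy", "sandbox; default-src 'none'; font-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self'; frame-ancestors 'none';"),
        ("X-Content-Type-Options", "nosniff"),
        ("X-XSS-Protection", "0"),
        ("X-Frame-Options", "DENY"),
        ("Origin-Agent-Cluster", "?1"),
        ("Permissions-Policy", "interest-cohort=(),browsing-topics=()"),
    ];
    for (name, value) in defaults {
        headers.entry(name.to_string()).or_insert_with(|| value.to_string());
    }
}
```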
Commit history: v0.3.2...v0.3.3
Chat with us in #conduwuit:puppygock.gay