
Releases: girlbossceo/conduwuit

v0.3.4

17 May 08:04

conduwuit

Release 0.3.4

Hi everyone! conduwuit 0.3.4 has been released. This is a small maintenance release in preparation for the upcoming v0.4.0 release later this week. No new features were added.

conduwuit was officially added to Complement, and support for running the Content-Disposition safety tests was added there too. (matrix-org/complement#723)

Through those Complement tests, we found one more edge-case Content-Type (image/svg+xml) that was being allowed as inline; after fixing that, we now pass all 3 Content-Disposition Complement tests.

In addition, we now fully distrust the client's or remote server's Content-Type for all media (uploads, thumbnails, and downloads) and return the type we detected the file to be (with a valid fallback to application/octet-stream).

Both of these further improve client security by making sure we detect the true file type fully, and by sending web browsers the correct behaviour for it.

The Debian packaging, which had been broken for a while (partially upstream as well), has been fixed; some CI improvements were made; and documentation and example configs in our repo were cleaned up.

Commit history: v0.3.3...v0.3.4

GitHub Releases | Docker Hub | NixOS

Liberapay | GitHub Sponsors | Ko-fi

Chat with us in #conduwuit:puppygock.gay

v0.3.3

11 May 19:45

conduwuit

Release 0.3.3

Hi everyone! conduwuit 0.3.3 has been released. This is a security-enhancement focused release along with lots of bug fixes and a new moderation feature.

List of changes include:

  • Send a strong[1] Content-Security-Policy HTTP header for all conduwuit response headers if not already present
  • Send various other security-related HTTP headers such as X-Content-Type-Options: nosniff, X-XSS-Protection: 0[2], X-Frame-Options: DENY, Origin-Agent-Cluster: ?1[3], and Permissions-Policy: interest-cohort=(),browsing-topics=()
  • Perform additional sanitisation on the filename for the Content-Disposition (this was already being URL-safe encoded, but we perform our own ad-hoc sanitisation for improved security)
  • Return inline Content-Disposition based on our own detection of the file type, only return inline for user multi-media MIME types, and do not trust the Content-Type header. Always fall back to attachment
  • Fix user /report incorrectly saying you are not in the room
  • Fix non-functional unbans due to broken upstream code
  • Moderation feature to automatically deactivate the accounts of any users who attempt to join a malicious room, as determined by your global ACLs, banned rooms, etc
  • Don't send the avatar_url or user display name on ban events as they may be potentially offensive
  • Forget all the rooms when leaving all rooms for a user upon account deactivation
  • Resolve various arithmetic and type casting correctness issues
  • Fix user presence statuses showing up as empty strings (noticeable in at least FluffyChat as empty white pills on users)
  • Fix incorrect appservice namespace alias check
  • Lots and lots of documentation revamps and improvements, also link to transfem.dev's rules document, and add a contributing guide
  • Fix using conduwuit on NixOS without flakes
  • Enable io_uring/liburing as a default feature for performance improvements
  • Bump all the dependencies, and bump the MSRV to 1.77.0

[1]: sandbox; default-src 'none'; font-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self'; frame-ancesors 'none'; (Note this only affects the content being loaded, not what's loading the content. Images should not have permission to execute JavaScript or to access same-origin content to attempt XSS)
[2]: Vulnerabilities caused by XSS filtering
[3]: This is a browser sandbox security feature that asks your browser to render the content in its own dedicated isolated process, as part of improved origin isolation

Adding these security headers such as the CSP is not only part of the Matrix spec as a recommendation; as a general recommendation (e.g. XMPP's XEP-0363), untrusted user-uploaded content should be heavily isolated and sandboxed, and not allowed any permissions. This is in response to the previous high severity security release: by not only retaining the filename as part of the Content-Disposition header for browsers, we can still provide the improved UX of allowing inline Content-Disposition for user multi-media (images, videos, audio, etc) while still making sure the user is as secure as possible from any XSS concerns or exploits via the various HTTP security headers.
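The media-serving policy described in the 0.3.3 and 0.3.4 notes (sniff the real file type, ignore the claimed Content-Type, inline only for passive multimedia, sanitise the filename, fall back to attachment and application/octet-stream) as an added example; this is illustrative code, not conduwuit's own implementation, and the magic-byte table, filename character set and CSP value are assumptions chosen for the demonstration.

```rust
// Added example, not conduwuit's code: derive Content-Type and Content-Disposition
// for served media from the stored bytes alone, never from the uploader's or the
// remote server's claimed Content-Type, and attach browser-hardening headers.

/// Sniff a MIME type from magic bytes (assumed, deliberately small table).
/// Markup such as SVG/HTML/XML is intentionally NOT recognised: it can carry
/// script, so it falls through to the octet-stream fallback.
pub fn detect_mime(bytes: &[u8]) -> &'static str {
    if bytes.starts_with(b"\x89PNG\r\n\x1a\n") {
        "image/png"
    } else if bytes.starts_with(&[0xFF, 0xD8, 0xFF]) {
        "image/jpeg"
    } else if bytes.starts_with(b"GIF87a") || bytes.starts_with(b"GIF89a") {
        "image/gif"
    } else if bytes.len() >= 12 && &bytes[0..4] == b"RIFF" && &bytes[8..12] == b"WEBP" {
        "image/webp"
    } else if bytes.len() >= 12 && &bytes[4..8] == b"ftyp" {
        "video/mp4"
    } else {
        "application/octet-stream" // valid fallback for anything unrecognised
    }
}

/// Inline only for image/video/audio a browser renders passively. image/svg+xml
/// is excluded because SVG can embed script; everything else is an attachment.
pub fn is_inline_safe(mime: &str) -> bool {
    mime != "image/svg+xml"
        && (mime.starts_with("image/") || mime.starts_with("video/") || mime.starts_with("audio/"))
}

/// Ad-hoc sanitisation (assumed policy): keep a conservative character set so the
/// quoted filename cannot break out of the header value or smuggle a path.
pub fn sanitize_filename(name: &str) -> String {
    let cleaned: String = name
        .chars()
        .map(|c| if c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_') { c } else { '_' })
        .collect();
    let cleaned = cleaned.trim_matches('.').to_string(); // rejects "." and ".."
    if cleaned.is_empty() { "download".to_string() } else { cleaned }
}

pub fn content_disposition(mime: &str, filename: &str) -> String {
    let kind = if is_inline_safe(mime) { "inline" } else { "attachment" };
    format!("{kind}; filename=\"{}\"", sanitize_filename(filename))
}

/// Headers for one media response; the CSP sandboxes whatever gets loaded.
pub fn media_headers(bytes: &[u8], filename: &str) -> Vec<(&'static str, String)> {
    let mime = detect_mime(bytes);
    vec![
        ("Content-Type", mime.to_string()),
        ("Content-Disposition", content_disposition(mime, filename)),
        ("X-Content-Type-Options", "nosniff".to_string()),
        ("Content-Security-Policy", "sandbox; default-src 'none'; script-src 'none'; frame-ancestors 'none';".to_string()),
    ]
}
```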

Commit history: v0.3.2...v0.3.3


v0.3.2

05 May 20:54

This is a security release.

The Content-Disposition HTTP header had always been set to inline, which causes untrusted content opened in browsers to be rendered (including HTML files) instead of downloaded. This release forces them all to be attachment. This has no impact on Matrix clients.

Users who use a restrictive Content-Security-Policy are not affected by any XSS concerns here.

v0.3.1

03 May 06:47

conduwuit

Release 0.3.1

Hi everyone! conduwuit 0.3.1 has been released. This is a minor maintenance follow-up to last week's release which was very well received by many new users. This week was mostly cleanup, improvements, and some bug fixes. Some of the changes include:

  • Add Complement testing support to CI.
  • Optimize RocksDB compaction to further reduce database file count.
  • Improve concurrency on single-core systems.
  • Fix presence status results from /presence/{userId}/status (/sync results unaffected).
  • Nix flake fixes and improvements; cache dependencies in the binary cache and improve build performance.
  • Work around room creation requests with non-spec-compliant initial_state bodies (source was an appservice).
  • Start uploading container images to GitLab Container Registry.
  • Bump all the dependencies everywhere (maintenance).
  • General code cleanups, minor optimisations, and maintenance refactors before we transition out of feature-freeze and prepare for the next major release.


v0.3.0

26 Apr 06:44

The "first" official stable tagged release of conduwuit!

what is conduwuit?

conduwuit is a well-maintained, featureful hard fork of Conduit with tons of new features, many bug fixes, huge performance improvements, quality of life enhancements, moderation tools, and much more. It's fully database compatible with upstream, so no migration path is necessary: you can switch between the two with no issues. Check out the full list of differences and features here! https://conduwuit.puppyirl.gay/differences.html

First ever TWIM post: https://matrix.org/blog/2024/04/26/this-week-in-matrix-2024-04-26/#conduwuit-website