
Update to v26.03.4 #10

Open
rbertram90 wants to merge 408 commits into assettv:release from BookStackApp:release

Conversation

@rbertram90


No description provided.

ssddanbrown and others added 30 commits December 24, 2025 11:51
Checks files within the ZIP against the app upload file limit
before using/streaming/extracting, to help ensure that they do not exceed
what might be expected on that instance, and to prevent disk exhaustion
via things like super high compression ratio files.

Thanks to Jeong Woo Lee (eclipse07077-ljw) for reporting.
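The commit above describes checking ZIP contents against the upload limit before anything is streamed or extracted. The following is an added example written for this page, not BookStack's own code, showing the two layers that check needs: a cheap pass over the central directory's declared sizes, and a bounded streaming read that aborts when the real decompressed output passes the limit, since the declared size is attacker-controlled. The 1 MiB limit and the sample archive are constructed for the example.

```python
import io
import zipfile

# Assumed per-file upload limit for this example (stands in for the app's
# configured limit): 1 MiB.
UPLOAD_LIMIT_BYTES = 1024 * 1024
CHUNK_SIZE = 64 * 1024


class ZipLimitExceeded(Exception):
    """A ZIP member would exceed the upload limit."""


def oversized_members(zip_bytes: bytes, limit: int = UPLOAD_LIMIT_BYTES) -> list[str]:
    """Names of members whose *declared* uncompressed size exceeds `limit`.

    Cheap pre-check: only the central directory is read, nothing is
    decompressed. A few-KiB archive can declare gigabytes of output here,
    which is exactly what this catches before any streaming or extraction.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if not info.is_dir() and info.file_size > limit]


def read_member_bounded(zip_bytes: bytes, name: str, limit: int = UPLOAD_LIMIT_BYTES) -> bytes:
    """Decompress one member, aborting as soon as real output passes `limit`.

    The declared size is attacker-controlled, so the pre-check alone is not
    enough: the member is streamed in chunks and abandoned the moment the
    actual decompressed length exceeds the limit, rather than buffered whole.
    """
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, zf.open(name) as member:
        while True:
            chunk = member.read(CHUNK_SIZE)
            if not chunk:
                break
            out.extend(chunk)
            if len(out) > limit:
                raise ZipLimitExceeded(f"{name!r} exceeded {limit} bytes while extracting")
    return bytes(out)


def extraction_rejected(zip_bytes: bytes, name: str, limit: int = UPLOAD_LIMIT_BYTES) -> bool:
    """True if bounded extraction of `name` stops at the limit, False if it completes."""
    try:
        read_member_bounded(zip_bytes, name, limit)
    except ZipLimitExceeded:
        return True
    return False


def build_sample_zip() -> bytes:
    """Constructed fixture: a small text member plus an oversized, highly
    compressible member (all zeros), standing in for a high-ratio upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"hello")
        zf.writestr("big.bin", b"\0" * (UPLOAD_LIMIT_BYTES + 1))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print("archive size on disk:", len(sample), "bytes")
    print("declared oversized members:", oversized_members(sample))
    print("notes.txt:", read_member_bounded(sample, "notes.txt"))
    print("big.bin rejected during streaming:", extraction_rejected(sample, "big.bin"))
```

The archive produced by `build_sample_zip` is only a few KiB yet declares over 1 MiB of output, which is why the declared-size pass is worth running first; the bounded read then covers archives whose headers understate their real size.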
Sets some reasonable limits, which are higher when logged in since that
infers a little extra trust.
Helps prevent against large resource consumption attacks via super heavy
search queries.

Thanks to Gabriel Rodrigues AKA TEXUGO for reporting.
Add some additional resource-based limits
git safe.directory config for bind-mounted repos.
Mark /app as safe directory to handle Git 2.35+ ownership checks in Docker containers.
…in-docker

Git 2.35+ may refuse to operate on bind-mounted repos with differing ownership ("dubious ownership"). Mark /app as safe within the container.
Added Id to crowdin config for compatibility with upcoming change to
crowdin CLI process after switch to codeberg
Within the responsibility of the theme service instead
of being part of the app configuration.
Adds a registration system via the logical theme system, to tell
BookStack about views to render before or after a specific template
is included in the system.
Changed the system out to be a theme event instead of method, to align
with other registration events, and so that the theme view work can
better be contained in its own class.
Added and updated tests to cover.

Also updated API auth to a narrower focus of existing session instead of also existing user auth.
This is mainly for tests, to ensure they're following the session
process we'd see for activity in the UI.
@private-packagist


The composer.lock diff comment has been updated to reflect new changes in this PR.

ssddanbrown and others added 11 commits May 30, 2026 13:45
Currently causing extra files to be created alongside previous files in
crowdin
These would trigger an error on use, and could be abused to fill logs.
Added test to cover.

Thanks to Stephen O. / Sakusen for reporting.
Updated allow list/purifier system to only allow file protocol use on
anchor hrefs to avoid potential security concerns with, after export,
content being auto loaded via interactive elements like
embeds/objects/videos etc...

Updated tests to cover.
Thanks to Gurmandeep Deol at Seneca Polytechnic for reporting.
Avoids providing responses with potential sensitive attachment info
before permission checks.
Added tests to cover.

Thanks to Rafael Castilho for reporting.
This is to reduce the amount of content which will be logged, since
these messages don't really indicate an actual system error but advise
the user of something which went wrong with their request.
@private-packagist


The composer.lock diff comment has been updated to reflect new changes in this PR.

PolarniMeda and others added 16 commits June 11, 2026 10:32
- Fixed issues picked up by PHPStan updates.
  - Not sure why it was flagging the BookSorter issue, but swapping if
    statements made it go away.
- Updated BookSortMapItem with modern syntax.
- Attempted to fix CI issues by adding DOM extension.
- Attempted to make migration CI more efficient via tmpfs
Upstream libraries used did not specifically treat values in srcset as
URIs like other attributes, so this adds a simple filter for possible
bad values.
Updated tests to cover.

Thanks to Gurmandeep Deol for reporting.
Added a central URLFilter class to check & clean URLs used for
attachments, which is also used for validation, and by the purifier to
standardise protocols (and to make protocol config easier in future).

Thanks to mfk25 for reporting.
Aligns it with other actions/endpoints, and ensures an extra layer of
control against malicious use.

Thanks to mfk25 for reporting.
Adds a more substantial URL check, via a new class which is shared and
used in other parts of the app for consistency.

Thanks to mfk25 for reporting.
…(#6153) from PolarniMeda/bookstack:development into development

Reviewed-on: https://codeberg.org/bookstack/bookstack/pulls/6153
@private-packagist


The composer.lock diff comment has been updated to reflect new changes in this PR.


Labels

dependencies Pull requests that update a dependency file


9 participants