Commit Graph

2145 Commits

Author SHA1 Message Date
Dan Brown
6107161275 URLs: Fixed issue in comparisons when elements missing 2026-07-02 10:21:01 +01:00
Dan Brown
caeea658d1 Access: Hardened usage of referring URLs via login
Adds a more substantial URL check, via a new class which is shared and
used in other parts of the app for consistency.

Thanks to mfk25 for reporting.
2026-07-01 10:45:59 +01:00
Dan Brown
fe39b69c1f Comments: Added visibility check to comment delete
Aligns it with other actions/endpoints, and ensures an extra layer of
control against malicious use.

Thanks to mfk25 for reporting.
2026-07-01 10:20:32 +01:00
Dan Brown
01dc1e71c5 Attachments: Added more extensive URL filtering
Added a central URLFilter class to check & clean URLs used for
attachments, which is also used for validation, and by the purifier to
standardise protocols (and to make protocol config easier in future).

Thanks to mfk25 for reporting.
2026-07-01 00:41:19 +01:00
Dan Brown
59bbf504cf Content filtering: Added srcset protocol filter
Upstream libraries used did not specifically treat values in srcset as
URIs like other attributes, so this adds a simple filter for possible
bad values.
Updated tests to cover.

Thanks for Gurmandeep Deol for reporting.
2026-06-30 18:35:34 +01:00
Dan Brown
79a2e017bb Maintenance: Fixed type and CI issues
- Fixed issues picked up by PHPStan updates.
  - Not sure why it was flagging the BookSorter issue, but swapping if
    statements made it go away.
- Updated BookSortMapItem with modern syntax.
- Attempted to fix CI issues by adding DOM extension.
- Attempted to make migration CI more efficient via tmpfs
2026-06-11 14:24:09 +01:00
Dan Brown
84a23fb23f Logs: Prevented NotifyExceptions for reporting to error logs
This is to reduce the amount of content which will be logged, since
these messages don't really indicate an actual system error but advise
the user of something which went wrong with their request.
2026-06-07 11:25:51 +01:00
Dan Brown
b7325fdf0e Attachments: Moved perm checks before validation
Avoids providing responses with potential sensitive attachment info
before permission checks.
Added tests to cover.

Thanks to Rafael Castilho for reporting.
2026-06-07 10:35:14 +01:00
Dan Brown
81f77a95de Content Filtering: Limited file protocol to just anchor hrefs
Updated allow list/purifier system to only allow file protocol use on
anchor hrefs to avoid potential security concerns with, after export,
content being auto loaded via interactive elements like
embeds/objects/videos etc...

Updated tests to cover.
Thanks to Gurmandeep Deol at Seneca Polytechnic for reporting.
2026-06-06 15:30:57 +01:00
Dan Brown
37f2d05118 Search: Prevented tag search using unusable numbers
These would trigger an error on use, and could be abused to fill logs.
Added test to cover.

Thanks to Stephen O. / Sakusen for reporting.
2026-06-06 10:37:06 +01:00
Dan Brown
67529dd883 Deps: Updated PHP packages, fixed some types for phpstan 2026-05-28 10:34:04 +01:00
Dan Brown
d7ba0dc430 CSP: Renamed CSS CSP option 2026-05-26 12:50:19 +01:00
Dan Brown
2c49502345 Merge pull request 'Merge Further v26.03 changes' (#6133) from v26-03 into development
Reviewed-on: https://codeberg.org/bookstack/bookstack/pulls/6133
2026-05-25 17:26:29 +02:00
Dan Brown
ef82119226 MFA: Added verify attempt rate limiting 2026-05-21 13:25:57 +01:00
Dan Brown
0cd773a5d3 CSP Headers: Review of #6071
- Removed extra non-needed docs in repo
- Tweaked some wording.
- Added extra test scenarios.
- Added options to phpunit default env.
- Added auto-quote-handling for unsafe-inline CSS rule.

For #6033
2026-05-17 18:40:02 +01:00
Dan Brown
dfc91d533b Merge branch 'development' into Zhey-on/feature/csp-image-css-controls-6033 2026-05-17 17:57:54 +01:00
Dan Brown
39a14cff8f User MFA: Reviewed addition of reset, added tests
Review of #6056
Added test coverage.
2026-05-17 13:05:50 +01:00
Dan Brown
321271e7bd Merge branch 'development' into clauvaldez/mfaReset 2026-05-17 11:59:41 +01:00
Dan Brown
c87abbd23f Images: Increased validation against related page on upload
Adds validation that the related page exists, is visible, and that the
user has page edit permissions for the page.
Aligns with attachment permission model, and aligns across different
image endpoints.

Added tests to cover.
Closes #6126
2026-05-14 18:10:46 +01:00
Dan Brown
c5c066c3e7 Merge pull request 'Merge v26.03 branch changes' (#6122) from v26-03 into development
Reviewed-on: https://codeberg.org/bookstack/bookstack/pulls/6122
2026-05-14 16:08:26 +02:00
Dan Brown
85baa6e9c8 Languages: Enabled Thai as a language option 2026-05-05 20:44:04 +01:00
Dan Brown
cf648906e9 SSR: Hardened URL validator against a range of workarounds
Added a more comprehensive range of tests to cover.
Thanks to naruhodoowl (https://github.com/kilhsrito-crypto) for
reporting.
2026-04-30 10:18:50 +01:00
Dan Brown
fddeb9030b Attachments: Added page access check to attachment delete
Thanks to github.com/404-pkj for reporting.
2026-04-29 18:31:11 +01:00
Dan Brown
fc220dea39 Search: Fixed exact saerch term negation causing no results
Closes #6121
2026-04-29 18:07:32 +01:00
Dan Brown
55317039ac Meta: Converted GitHub references in codebase to Codeberg 2026-04-28 09:30:48 +01:00
Dan Brown
00239bb6c8 Exports: Improved dompdf font loading permission errors 2026-04-22 13:22:20 +01:00
Dan Brown
241563e8fc Exports: Added testing coverage for DOMPDF font usage 2026-04-22 13:12:34 +01:00
Dan Brown
e91747785b PDF: Started building system to allow custom DOMPDF font loading 2026-04-20 15:42:28 +01:00
Dan Brown
ec0b0384a2 Permissions: Tweaks/fixed during review of revision-view-all changes 2026-04-19 16:06:31 +01:00
Dan Brown
befa3a8fbb Permissions: Started addition of revision-view permission 2026-04-19 12:41:11 +01:00
Dan Brown
083fb1a600 Maintenance: Updated $request->get instance to use input 2026-04-18 20:43:27 +01:00
Dan Brown
18364d1e6e WYSIWYG: Added inline code support to minimal editor
Used for comments and descriptions.
Also updated shortcut handling that we're not registering shortcuts for
edits which can't use the related formatting types.

For #6003
2026-04-16 11:11:06 +01:00
Dan Brown
208629ee1f API: Some changes to tag API endpoints
- Updated tag values endpoint to use query param instead of path
  argument, so a better range of values can be provided (including those
  with slashes).
- Updated image gallery example request to align with docs use changes.
2026-04-14 12:03:29 +01:00
Dan Brown
1c1ad1d1b7 Tags API: Reviewed docs and added examples 2026-04-12 20:45:18 +01:00
Dan Brown
f14fc68b66 API: Added new tags API endpoints 2026-04-12 18:26:00 +01:00
Dan Brown
93f84a81b2 Merge pull request #6083 from BookStackApp/better_plain_text
New HTML to Plaintext handling
2026-04-12 17:01:45 +01:00
Dan Brown
4feb50e7ee Attachments: Aligned attachment validation a little more 2026-04-12 15:29:00 +01:00
Dan Brown
c7e2b487c1 Attachments: Aligned ZipExportAttachment link validation
With controller routes.
Don't consider this as a security issue, since the filtered URLs
by that validation are very likely to be blocked by browser security
or CSP, and there's a level of assumed privilege to the users that
are able to create such attachments links already.

Closes #6093
2026-04-12 15:17:31 +01:00
Dan Brown
684a94c419 Theme Modules: Prevented zip-slip in new module extraction method
Updated the new (development only) approach which could result in
zip-slip causing trouble. This adds path normalisation, and testing to
cover.
2026-04-11 18:49:34 +01:00
Dan Brown
5fbaab4740 Theme modules: Allowed cross-origin redirects on download
With a prompt to the user to confirm they trust the origin.
For #6066
Added tests to cover.
2026-04-11 17:23:11 +01:00
Dan Brown
3d9d5fef51 Theme Modules: Updated install command to handle nested folder
Theme module ZIPs will now support their files being in a single nested
directory within a ZIP, to support common ZIP structure approaches.
Added test to cover.
For #6066
2026-04-11 15:04:53 +01:00
Dan Brown
5e78dc6ed5 Maintenance: Updated PHPStan to Level 4 (#6085) 2026-04-08 21:03:20 +01:00
Dan Brown
abed4eae0c Exports: Updated plaintext export to use new converter 2026-04-05 17:51:19 +01:00
Dan Brown
c7d3775bb9 Plain text: Created a new HTML to plain text converter
To centralise logic to be more consistent, and to have smarter logic
which avoids just following newline format from input, preventing
smushing HTML elements (like list elements) next to eachother
2026-04-05 00:05:10 +01:00
Zhey
e42fda893c Add CSP controls for image and CSS sources 2026-03-26 12:00:08 +01:00
Dan Brown
5763d26b17 Updated registration to use validated input instead of all 2026-03-19 21:29:30 +00:00
Dan Brown
8a59895ba0 Merge branch 'sec_chapter_export' into development 2026-03-17 10:41:51 +00:00
Dan Brown
a9ffd3e0c7 Responses: Added extra sanitization for download names
From testing, don't think this could exploited directly, as the response
would error instead of allowing control characters, but this adds an
extra layer of sanitization, and switches to encoded disposition
filenames for better UTF8 support.
2026-03-16 18:28:44 +00:00
Dan Brown
49df47836e Merge pull request #6057 from BookStackApp/v25-12
V25.12 changes v3
2026-03-15 12:51:02 +00:00
Dan Brown
f4c9d2b049 Exports: Fixed scope of pages in chapter MD export
Added tests to cover children of all MD exports
2026-03-13 13:35:28 +00:00