Deaddrop release information

This release is primarily a bugfix release with a focus on security enhancements, for example by reducing the attack surface of the login page. Additionally, the update addresses an existing XSS issue, which up until now only impacted the currently logged-in users without any potential risks towards other users on the system.

Frontend bug fixes

  • Use correct html entity encoding for input data
  • Disallow upload of empty files
  • Additional hardening on upload and download directories
  • UTF8 fixes when adding groups and be more restrictive in which characters to allow in group names
  • Add missing HTML decoding for contacts
  • Replaced the login page cgi handler with a static HTML page using javascript

Administration portal

  • deaddrop admin portal now uses keep-alive HTTP connections which reduces the amount of opened connections. This fixes an issue with connection throttling firewalls, where the firewall limits the amount of sessions allowed per source IP-address.

  • Fixes to password reset as a administrator user

Backend fixes

  • Harden web server configuration and only allow CGI script where needed. This fixes an issue where the web server would try to execute an uploaded .cgi script. This was stopped by the uploading code enforcing non execute ACLs on all uploaded files and also by the kernel SELinux rules. However, the result was a 501 internal server error which was not the expected response

SMS

  • Use correct variable names for smseagle

Known issues

  • When Session cookie users get logged out from inactivity, they will be redirected to the main login page. Previously a logged out user was given a prompt to re-login without needing to fill in their username. This will be resolved in a future release