diff --git a/CHANGELOG.md b/CHANGELOG.md index c68c95ecf5d..48ac603d118 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,15 @@ ownCloud admins and users. ## Summary +* Security - Sanitize storage connection error messages returned to clients: [#41585](https://github.com/owncloud/core/pull/41585) +* Security - Prevent user enumeration via differential password reset UI: [#41586](https://github.com/owncloud/core/pull/41586) +* Bugfix - Add missing space to mail footer signature delimiter: [#41364](https://github.com/owncloud/core/issues/41364) +* Bugfix - Fix htaccess RewriteBase rules blocking API requests by file extension: [#41418](https://github.com/owncloud/core/issues/41418) +* Bugfix - Fix subadmin email change updating caller's address instead of target's: [#41574](https://github.com/owncloud/core/pull/41574) +* Bugfix - Adjust code to avoid PHP8 messages: [#41597](https://github.com/owncloud/core/pull/41597) +* Bugfix - Support federation between systems in subdirectories: [#41599](https://github.com/owncloud/core/pull/41599) +* Bugfix - Remove owncloud.com/federation link from federated cloud settings: [#41608](https://github.com/owncloud/core/pull/41608) +* Bugfix - Fix JS test isolation bugs exposed by Jasmine 5 random test ordering: [#41616](https://github.com/owncloud/core/pull/41616) * Change - Update M$ Office icons: [#41347](https://github.com/owncloud/core/pull/41347) * Change - No longer store auto loader information in any memory cache: [#41376](https://github.com/owncloud/core/pull/41376) * Change - Update PHP dependencies: [#41450](https://github.com/owncloud/core/pull/41450) 
@@ -47,6 +56,99 @@ ownCloud admins and users. ## Details +* Security - Sanitize storage connection error messages returned to clients: [#41585](https://github.com/owncloud/core/pull/41585) + + The external storage status handler returned raw exception messages including + Guzzle cURL error details such as resolved IP addresses and port numbers in the + JSON response. This allowed authenticated users to distinguish connection states + and map internal network topology. The full exception is now logged server-side + only; a generic message is returned to the client. + + https://github.com/owncloud/core/pull/41585 + +* Security - Prevent user enumeration via differential password reset UI: [#41586](https://github.com/owncloud/core/pull/41586) + + The login form showed a "Reset it?" link only when a valid user on a backend + that supports password changes was detected. LDAP users produced a different + response than non-existent users, allowing unauthenticated enumeration of + accounts on those backends. The backend capability check has been removed; the + reset link is now shown uniformly regardless of user existence or backend type. + + https://github.com/owncloud/core/pull/41586 + +* Bugfix - Add missing space to mail footer signature delimiter: [#41364](https://github.com/owncloud/core/issues/41364) + + We've fixed the signature delimiter in the email footer templates. The delimiter + on the first line was missing the trailing space required by the signature block + convention (RFC 3676), so mail clients were unable to recognize and collapse the + signature. The delimiter is now correctly written as "-- " (dash-dash-space). 
+ + https://github.com/owncloud/core/issues/41364 + https://github.com/owncloud/core/pull/41617 + +* Bugfix - Fix htaccess RewriteBase rules blocking API requests by file extension: [#41418](https://github.com/owncloud/core/issues/41418) + + Files whose names end in extensions like .jpg, .png, .svg, .json and others + could not be marked as favorites or have their tags updated via the files API + when htaccess.RewriteBase was configured. The .htaccess rules generated by `occ + maintenance:update:htaccess` used a URI extension check to skip routing through + index.php, which inadvertently blocked API requests to paths like + `/apps/files/api/v1/files/photo.jpg`, returning 405 Method Not Allowed. + + The fix replaces the extension-based condition with `RewriteCond + %{REQUEST_FILENAME} !-f`, which correctly routes virtual API paths through + index.php while still serving actual static files directly. + + https://github.com/owncloud/core/issues/41418 + +* Bugfix - Fix subadmin email change updating caller's address instead of target's: [#41574](https://github.com/owncloud/core/pull/41574) + + The verification token and confirmation link in the subadmin path of + setMailAddress were associated with the caller's account instead of the target + user's account. Clicking the confirmation link changed the subadmin's email + rather than the intended target's email. + + https://github.com/owncloud/core/pull/41574 + +* Bugfix - Adjust code to avoid PHP8 messages: [#41597](https://github.com/owncloud/core/pull/41597) + + Avoid trying to access array offset on false in the encryption storage wrapper. + + Handle passing null to normalizeUrl in the federation DbHandler. 
+ + https://github.com/owncloud/core/pull/41597 + +* Bugfix - Support federation between systems in subdirectories: [#41599](https://github.com/owncloud/core/pull/41599) + + If a federated server was installed in a subdirectory like: + + Mydomain.com/cloud + + Then checks to see that the server is up and responding would fail. This problem + has been corrected. + + https://github.com/owncloud/core/pull/41599 + +* Bugfix - Remove owncloud.com/federation link from federated cloud settings: [#41608](https://github.com/owncloud/core/pull/41608) + + The "Add to your website" feature in the personal federation settings was + generating a link to https://owncloud.com/federation# which no longer works + after owncloud.com was restructured. The federation Cloud ID is now displayed + directly without linking to the defunct external page. + + https://github.com/owncloud/core/pull/41608 + +* Bugfix - Fix JS test isolation bugs exposed by Jasmine 5 random test ordering: [#41616](https://github.com/owncloud/core/pull/41616) + + Several JS test specs left shared singleton state dirty between tests, causing + intermittent failures when Jasmine 5 ran tests in random order. Fixed + OC._currentMenu leak in fileactionsmenuSpec, stale OCA.Files.fileActions + reference causing infinite recursion in files_sharing/appSpec, and stale models + in the OC.SystemTags.collection singleton in systemtagsinfoviewSpec and + systemtagsinputfieldSpec. + + https://github.com/owncloud/core/pull/41616 + * Change - Update M$ Office icons: [#41347](https://github.com/owncloud/core/pull/41347) Icons have been updated according to the M$ cloud storage partner program 
@@ -67,28 +169,42 @@ ownCloud admins and users. * google/apiclient (v2.19.0 to v2.19.3) - * google/apiclient-services (v0.435.0 to v0.441.1) + * google/apiclient-services (v0.435.0 to v0.444.0) - * google/auth (v1.50.0 to v1.50.1) + * google/auth (v1.50.0 to v1.51.0) * guzzlehttp/psr7 (2.8.0 to 2.10.4) - * guzzlehttp/guzzle (7.10.0 to 7.11.0) + * guzzlehttp/guzzle (7.10.0 to 7.11.1) * guzzlehttp/promises (2.3.0 to 2.4.1) * laravel/serializable-closure (v2.0.10 to v2.0.13) - * phpseclib/phpseclib (3.0.49 to 3.0.50) + * phpseclib/phpseclib (3.0.49 to 3.0.53) * pimple/pimple (3.6.1 to 3.6.2) + * sabre/event (5.1.7 to 5.1.8) + * sabre/vobject (4.5.8 to 4.6.0) - * symfony/deprecation-contracts (v3.6.0 to v3.7.0) + * symfony/console (v7.4.7 to v7.4.13) * symfony/mailer (v7.4.6 to v7.4.12) + * symfony/process (v7.4.5 to v7.4.13) + + * symfony/routing (v7.4.6 to v7.4.13) + + * symfony/string (v7.4.6 to v7.4.13) + + * symfony/translation (v7.4.6 to v7.4.10) + + * symfony/deprecation-contracts (v3.6.0 to v3.7.0) + + * symfony/translation-contracts (v3.6.1 to v3.7.0) + https://github.com/owncloud/core/pull/41450 https://github.com/owncloud/core/pull/41477 https://github.com/owncloud/core/pull/41495 @@ -96,6 +212,7 @@ ownCloud admins and users. https://github.com/owncloud/core/pull/41564 https://github.com/owncloud/core/pull/41569 https://github.com/owncloud/core/pull/41590 + https://github.com/owncloud/core/pull/41613 * Change - Drop command db:convert-type: [#41451](https://github.com/owncloud/core/pull/41451)
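Review bot: the #41586 entry in the Details hunk states that the "Reset it?" link is now shown uniformly, but says nothing about the request that link triggers; if the lost-password endpoint still answers differently for an LDAP user than for a nonexistent one, or for a backend that cannot change passwords, the enumeration oracle only moves one step later, so the entry should state that the reset request's response (and ideally its timing) is identical in all three cases and tell admins what a user on a read-only backend sees after clicking. Two smaller points in the same hunk: the #41418 entry cites only the issue URL, whereas the sibling #41364 entry lists both the issue and its fix PR #41617, so add the PR that changed the `occ maintenance:update:htaccess` output; and #41574 describes a confirmation token bound to the wrong account, which reads as an authorization mix-up rather than a plain bugfix, so either file it under Security or state explicitly that the token could only ever change the caller's own address.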
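Review bot: in the dependency hunk, each newly added symfony item from `* symfony/process (v7.4.5 to v7.4.13)` through `* symfony/translation-contracts (v3.6.1 to v3.7.0)` is followed by an empty `+` line, while the earlier items in the same list (google/, guzzlehttp/, phpseclib/, sabre/) are not separated by blank lines; Markdown will render the tail of the list loose and the head tight, so drop the empty lines, or separate every item the same way.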