indico v2.3.4 Release Notes
===========================

*Released on March 11, 2021*

Security fixes
^^^^^^^^^^^^^^

- Fix some open redirects which could be used to make harmful URLs look more trustworthy by linking to Indico and having it redirect the user to a malicious site (:issue:`4814`, :pr:`4815`)
- The :data:`BASE_URL` is now always enforced and requests whose ``Host`` header does not match it are rejected. This prevents malicious actors from tricking Indico into sending e.g. a password reset link to a user that points to a host controlled by the attacker instead of the actual Indico host (:pr:`4815`)

.. note::

    If the webserver is already configured to enforce a canonical host name and redirects or
    rejects such requests, this cannot be exploited. Additionally, exploiting this problem requires
    user interaction: they would need to click on a password reset link which they never requested,
    and which points to a domain that does not match the one where Indico is running.
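The host check described above, shown as a stand-alone illustration written for these notes rather than Indico's own implementation: the request's ``Host`` header is compared against the configured base URL (case-insensitive host, default port implied by the scheme), anything that is not a plain ``host[:port]`` is refused, and the password-reset link is always built from the base URL, never from the header. ``BASE_URL``'s value, ``host_matches`` and ``build_reset_link`` are assumed names for this example.

```python
from urllib.parse import urlsplit

# Constructed value for this example; an Indico deployment sets its own BASE_URL.
BASE_URL = "https://indico.example.org"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_host(base_url):
    """Return the (hostname, port) pair every request must be addressed to."""
    parts = urlsplit(base_url)
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        raise ValueError("BASE_URL must be an absolute http(s) URL with a host")
    return parts.hostname.lower(), parts.port or _DEFAULT_PORTS[parts.scheme]


def host_matches(host_header, base_url=BASE_URL):
    """Return True only if the request's Host header names the canonical host.

    Hostname comparison is case-insensitive; a missing port means the default
    port of the BASE_URL scheme. Anything urlsplit would not treat as a bare
    "host[:port]" (userinfo, a path, a query, a non-numeric port) is rejected.
    """
    if not host_header:
        return False
    expected = canonical_host(base_url)
    header = host_header.strip()
    try:
        parts = urlsplit("//" + header)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.netloc != header or parts.username is not None or not parts.hostname:
        return False
    if port is None:
        port = _DEFAULT_PORTS[urlsplit(base_url).scheme]
    return (parts.hostname.lower(), port) == expected


def build_reset_link(host_header, token, base_url=BASE_URL):
    """Build a password-reset link from BASE_URL, never from the Host header.

    Requests addressed to any other host are refused outright, so a spoofed
    Host header can neither be echoed into the link nor reach this code path.
    """
    if not host_matches(host_header, base_url):
        raise PermissionError("request Host does not match BASE_URL")
    return base_url.rstrip("/") + "/reset-password/" + token
```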

Improvements
^^^^^^^^^^^^

- Fail more gracefully if a user has an invalid locale set and fall back to the default locale, or to English in case the default locale is invalid as well
- Log an error if the configured default locale does not exist
- Add ID-1 page size for badge printing (:pr:`4774`, thanks :user:`omegak`)
- Allow managers to specify a reason when rejecting registrants and add a new placeholder for the rejection reason when emailing registrants (:pr:`4769`, thanks :user:`vasantvohra`)

Bugfixes
^^^^^^^^

- Fix the "Videoconference Rooms" page in conference events when there are VC rooms attached but the corresponding plugin is no longer installed
- Fix deleting events which have a videoconference room attached whose VC plugin is no longer installed
- Do not auto-redirect to SSO when an MS Office user agent is detected (:issue:`4720`, :pr:`4731`)
- Allow the Editing team to view editables of unpublished contributions (:issue:`4811`, :pr:`4812`)

Internal Changes
^^^^^^^^^^^^^^^^

- Also trigger the ``ical-export`` metadata signal when exporting events for a whole category
- Add ``primary_email_changed`` signal (:pr:`4802`, thanks :user:`openprojects`)