indico v2.3.4 Release Notes
---------------------------

Released on March 11, 2021

Security fixes
^^^^^^^^^^^^^^

- Fix some open redirects which could help make harmful URLs look more trustworthy by linking
  to Indico and having it redirect the user to a malicious site (:issue:`4814`, :pr:`4815`)
- The :data:`BASE_URL` is now always enforced and requests whose Host header does not match are
  rejected. This prevents malicious actors from tricking Indico into sending e.g. a password reset
  link to a user that points to a host controlled by the attacker instead of the actual Indico
  host (:pr:`4815`)

  .. note::

      If the webserver is already configured to enforce a canonical host name and redirects or
      rejects such requests, this cannot be exploited. Additionally, exploiting this problem
      requires user interaction: they would need to click on a password reset link which they
      never requested, and which points to a domain that does not match the one where Indico is
      running.
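The two checks described above, as an added example that is not part of Indico's code base: a Host header comparison against the configured base URL (so that absolute links such as password reset links are always built from the canonical host, never from the request), and a same-origin check for redirect targets that neutralises open redirects. The ``BASE_URL`` value, the function names and the ``/reset-password/<token>`` path are constructed for illustration and are not Indico's own.

```python
from urllib.parse import urljoin, urlsplit

# Constructed value for the example; a real deployment reads this from its config.
BASE_URL = "https://indico.example.org"


def host_matches_base_url(host_header: str, base_url: str = BASE_URL) -> bool:
    """Return True only if the request's Host header names the canonical host.

    The comparison is case-insensitive and includes the port, so a request for
    'indico.example.org:8443' is rejected when BASE_URL carries no explicit port.
    """
    if not host_header:
        return False
    expected = urlsplit(base_url).netloc.lower()
    return host_header.strip().lower() == expected


def build_password_reset_link(token: str, host_header: str, base_url: str = BASE_URL) -> str:
    """Build the reset link from BASE_URL, never from the Host header.

    Requests arriving under a non-canonical host are refused outright, so an
    attacker-controlled Host header can never end up in a link that is emailed
    to the user. (Hypothetical helper; the URL path is constructed.)
    """
    if not host_matches_base_url(host_header, base_url):
        raise ValueError("Host header does not match BASE_URL; request rejected")
    return f"{base_url.rstrip('/')}/reset-password/{token}"


def safe_redirect_target(target: str, base_url: str = BASE_URL, fallback: str = "/") -> str:
    """Return the target if it stays on the canonical origin, else the fallback.

    Relative targets are resolved against BASE_URL first so that a protocol-
    relative value like '//evil.example/x' is recognised as a foreign origin
    rather than mistaken for a local path. Scheme and host must both match.
    """
    if not target:
        return fallback
    base = urlsplit(base_url)
    resolved = urlsplit(urljoin(base_url, target))
    if resolved.scheme == base.scheme and resolved.netloc.lower() == base.netloc.lower():
        return resolved.geturl()
    return fallback


if __name__ == "__main__":
    # Constructed inputs: one legitimate request and one with a spoofed Host header.
    print(build_password_reset_link("tok123", "indico.example.org"))
    print(safe_redirect_target("/event/1/"))
    print(safe_redirect_target("//evil.example/login"))
    try:
        build_password_reset_link("tok123", "attacker.example")
    except ValueError as exc:
        print("rejected:", exc)
```

Building absolute links from configuration rather than from the request is what makes the Host header check effective; the redirect check complements it by ensuring that any ``next``-style parameter can only send the user somewhere on the same origin.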
Improvements
^^^^^^^^^^^^

- Fail more gracefully if a user has an invalid locale set and fall back to the default locale, or
  to English in case the default locale is invalid as well
- Log an error if the configured default locale does not exist
- Add ID-1 page size for badge printing (:pr:`4774`, thanks :user:`omegak`)
- Allow managers to specify a reason when rejecting registrants and add a new placeholder for the
  rejection reason when emailing registrants (:pr:`4769`, thanks :user:`vasantvohra`)
Bugfixes
^^^^^^^^

- Fix the "Videoconference Rooms" page in conference events when there are any VC rooms attached
  but the corresponding plugin is no longer installed
- Fix deleting events which have a videoconference room attached whose VC plugin is no longer
  installed
- Do not auto-redirect to SSO when an MS Office user agent is detected (:issue:`4720`, :pr:`4731`)
- Allow the Editing team to view editables of unpublished contributions (:issue:`4811`, :pr:`4812`)
Internal Changes
^^^^^^^^^^^^^^^^

- Also trigger the ``ical-export`` metadata signal when exporting events for a whole category
- Add ``primary_email_changed`` signal (:pr:`4802`, thanks :user:`openprojects`)