This release adds Italian and Russian translations to PrivateBin and fixes an XSS and a database issue.
Fortunately the CSP headers introduced in version 1.0 suppressed the XSS issue in modern browsers. But older browsers would still be affected when clicking on the "Raw text" button of a markdown formatted paste containing JavaScript. The issue was introduced with the change in version 1.0 that displays markdown code instead of the rendered HTML in the "raw" mode.
The other fixed issue concerns the automatic purging of outdated pastes, which was introduced in version 1.0. When using the database model instead of the default file based store, pastes set to "never" expire were always purged, too.
Benefits of switching to the new release
If you are using the database model instead of the filesystem one and offer pastes that "never" expire, then you should upgrade or disable the purge by setting the batchsize
to 0 in your configuration.
Apart from fixing the XSS issue, markdown pastes containing HTML code will now be properly displayed in the "raw" mode.
Both of these issues affected only version 1.0. There are of course many more benefits in switching to this release, if you are still using a version of PrivateBin or ZeroBin before 1.0.
Update procedure
When updating please make sure to adjust the cspheader
setting. We recommend you to either comment the setting out in order to use our default recommend CSP header or adjust the header so it matches the new default one (mainly just add the referrer no-referrer;
part).
Changes since version 1.0
- ADDED: Translations for Italian and Russian
- ADDED: Loading message displayed until decryption succeeded for slower (in terms of CPU or network) systems
- ADDED: Dockerfile for docker container creation
- CHANGED: Using modal dialog to request password input instead of native JS input window (#69)
- CHANGED: Suppressed referrer HTTP header sending when following links in a paste or comment (#96) and added additional HTTP headers for XSS mitigation (#91)
- CHANGED: Updated random_compat and jQuery libraries
- FIXED: XSS using JavaScript stored as markdown formatted paste, after clicking on Raw paste button (#137)
- FIXED: Automatic purging deleting non-expiring pastes, when using database store (#149)
We wish you a happy new year!