This release fixes a persistent XSS vulnerability in filenames of attached files in PrivateBin.
On 25th of December 2019, an issue was discovered and fixed, which allowed the user provided attachment file name to inject HTML under certain conditions, leading to a persistent Cross-site scripting (XSS) vulnerability. This release includes an improved solution, which addresses the issue on a broader scope, avoiding this to reoccur in other areas of the code in the future.
Further details on this is an issue and its implications can be found in our report on the vulnerability. It also describes methods to check if your browser is currently affected by the issue. If it is, please consider updating your browser.
Benefits of switching to the new release
We recommend to upgrade 1.3, 1.3.1, 1.2 and 1.2.1 instances to address this issue, even if the instance doesn't have fileuploads enabled and uses the recommended CSP header to mitigate XSS attacks.
Due to the seriousness of the issue, we do offer a backport of the fix for the 1.2.1 version of PrivateBin, that also includes updated JavaScript libraries. You may choose to use that version over 1.3.2, if you do need to support legacy browsers with incomplete or missing Webcrypto API, like IE, non-Chromium based Edge or some ESR releases.
Update procedure
As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.
We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.
Changes
in 1.3.2 since version 1.3.1
- ADDED: Translation for Ukrainian (#533)
- ADDED: Option to send a mail with the link, when creating a paste (#398)
- ADDED: Add support for CONFIG_PATH environment variable (#552)
- CHANGED: Upgrading libraries to: base-x 3.0.7, DOMpurify 2.0.7 & Showdown 1.9.1
- FIXED: HTML injection via unescaped attachment filename (#554)
- FIXED: Password disabling option (#527)
in 1.2.2 since version 1.2.1
- CHANGED: Upgrading libraries to: bootstrap 3.4.1, DOMpurify 2.0.7, jQuery 3.4.1, kjua 0.6.0, Showdown 1.9.1 & SJCL 1.0.8
- FIXED: HTML injection via unescaped attachment filename (#554)
Help wanted & greatly appreciated
Apart from the large tasks that require deeper insight and time, there are also smaller issues were help is wanted, topics open to debate and of course many languages that still remain to be translated. We are also still looking for additional long term maintainers among our frequent issue helpers.
If you are interested in helping with any of these points, we have prepared a development guide including design goals, code structure and tools that should get you started.
Plans for future releases
The next regular release will focus on user interface improvements.