This release contains an improvement for the S3 storage & updates several libraries.
This patch release allows the AWS SDK to use default credential provider chain when using the S3 storage backend, exposes the used JSON-LD types in the API, addresses PHP 8.2 deprecation warnings and includes several updated libraries, including some security fixes.
When using the S3 storage backend, you now have the option of passing the S3 credential configuration in other ways than just the PrivateBin configuration file. If the
credentials are not set in configuration, the AWS SDK will use the default credentials provider chain, which will look for credentials in a few places automatically, including environment variables or instance roles. For details on these, see the SDK's documentation on the default credentials provider chain
The updated DOMpurify & jQuery libraries contain some security fixes. While we are not aware that these could be used with PrivateBin, for example to bypass DOMpurify filtering of the user provided paste contents to inject malicious code displayed to visitors, upgrading these prevents these from becoming an issue.
Finally, the administration script introduced in the last release, made use of a form of string interpolation that got deprecated in PHP 8.2, causing it to emit warning messages, when running it on that PHP version. It was the only area that needed any changes for PHP 8.2 and our container images have already been using PHP 8.2 for a few months without any issues.
Benefits of switching to the new release
We recommend to upgrade all instances, due to the security fixes in the included DOMpurify & jQuery libraries.
We also offer a container images using the nginx web server with php-fpm and one using the nginx unit application server, that include the recommended secure setup with the non-essential files and data outside of the web servers document root.
Changes since version 1.5.1
- ADDED: Allow AWS SDK to use default credential provider chain for S3Storage (#1070)
- CHANGED: Upgrading libraries to: DOMpurify 3.0.4 & jQuery 3.7.0
- FIXED: Addressed PHP 8.2 deprecation warnings (#1092)
- FIXED: Expose types JSON-LD incl. configured expiration dates (#1045)
Help wanted & greatly appreciated
Apart from the large tasks that require deeper insight and time, there are also smaller issues were help is wanted, topics open to debate and of course many languages that still remain to be translated. We are also still looking for additional long term maintainers among our frequent issue helpers.
What can we offer you in return for your help?
- We can offer you our mentorship, if this is your first time participating as a maintainer of an open source software project. We can guide you through submitting your first pull requests and work with you to ensure your change fulfills the communities quality standards, gets merged and makes it into a release.
- Your work gets publicly credited. This can help you build up a resume, showing off your growing skill set, in programming as well as your soft skills.
- PrivateBin is a smaller project. If you'd like to learn how to participate and contribute in an open source git project, this should be less overwhelming then larger projects.
- We do have a decent unit test code coverage, so it is an environment forgiving of mistakes. You may still introduce logical flaws or issues in new features, not yet covered in the tests, but you can rely on the tests preventing any regressions in other areas.
- It can be an opportunity to learn about continuos integration tools to automate tasks like tests, security scans, etc.
If you are interested in helping with any of these points, we have prepared a development guide including design goals, code structure and tools to get you started. For any questions, you can chat with the maintainers in the discussion area or reach us via email.
Plans for future releases
The next minor release will focus on user interface improvements.