Releases: BookStackApp/BookStack

BookStack Beta v0.31.0

03 Jan 22:39
v0.31.0
f705e76

Update Notices

Requirements Change - The minimum required PHP version has changed from 7.2 to 7.2.5. Additionally, the Tidy PHP extension is no longer required.

GitLab Authentication - The read_user scope will now be passed and is required on the "Application" setup within GitLab. Not having this scope may lead to errors when users attempt to authenticate via GitLab.

Security & IFrame Usage - By default BookStack will set headers to prevent usage within an iframe. You can set trusted iframe hosts through the ALLOWED_IFRAME_HOSTS option in your .env file. See the security page for more information on this option.

Full List of Changes

  • Added recycle bin implementation. (#2283, #2183, #280)
  • Added Norwegian translations to BookStack. Thanks to @Swoy. (#2336)
  • Added ownership system for pages, chapters, books and shelves. (#2436, #2246)
  • Added host iframe control with cookie security management. (#2427, #2207)
  • Added API endpoints for pages. (#2382)
  • Added many more activity types to the audit-log. (#2360, #1243)
  • Added a sortable "Latest Activity" column to the users list. (#848)
  • Replaced revision diff library so that the php tidy extension is no longer required. (#2347, #1553)
  • Updated GitLab authentication to use the read_user scope. (#2359)
  • Updated revision restore to add sensible default change summary text. Thanks to @rondaa. (#2353, #2349)
  • Updated the "Cleanup Images" maintenance option wording for clarity. (#2352)
  • Updated dev docker setup to install composer dependencies in Docker entrypoint. Thanks to @timoschwarzer. (#2298)
  • Updated chapter delete behaviour so pages are removed instead of being moved to the parent book. (#2164)
  • Updated grid-layout book/shelf item names to better fit into two lines. (#1469)
  • Updated translations. (#2439, #2327)
  • Fixed issue where the export dropdown may show cut-off with options hidden. Thanks to @shubhamosmosys. (#2416)

BookStack Beta v0.30.7

18 Dec 14:17
v0.30.7
66a746e

Security Release

This release addresses an issue where page content could be visible to those without permission via the export options. The content of pages made non-viewable to a user via permissions, within a visible parent, could be seen via the plaintext export option. Before v0.30.6 this would have applied only to scenarios where all pages within the chapter were made non-visible. In v0.30.6 this would make all pages within the chapter visible.

Further details can be found in the vulnerability report.

BookStack Beta v0.30.6

17 Dec 21:23
v0.30.6
f7793a7

Security Release

This release addresses an issue where page content could be visible to those without permission. If a chapter was visible to a user, but all of its pages were made not visible, then the details of these pages could be visible. Within the BookStack interface, the names of the pages and preview content could be seen. If the parent book was exported then this would include the content of the pages that had been restricted.

Further details can be found in the vulnerability report.

BookStack Beta v0.30.5

06 Dec 21:14
v0.30.5
eecc08e

Security Release

Phishing and server-side request forgery vulnerabilities have been found within BookStack. Release v0.30.5 will remove this server-side request forgery issue while bringing updated wording and advisories to prevent the potential phishing vulnerability. You should ensure you've set the APP_URL option in your .env file to reduce the likelihood of the phishing attack. Please view the above report or blogpost links for more detail.

BookStack Beta v0.30.4

31 Oct 16:59
v0.30.4
06c81e6

Security Release

This release addresses XSS and user-injected auto-redirect vulnerabilities within the page content & attachment components of BookStack. These are primarily a concern if untrusted users can edit content on your BookStack instance. Please view the above report or blogpost links for more detail.

BookStack Beta v0.30.3

13 Oct 21:55
v0.30.3
94c59c1

Full List of Changes

This release contains the following fixes and changes:

  • Added VBScript syntax highlighting to the code block editor. Thanks to @nutsflag. (#2302, #2255)
  • Fixed issue where drawings would not save in the Markdown editor. (#2313, #2321)
  • Updated some Spanish and Chinese translations. (#2303)

BookStack Beta v0.30.2

30 Sep 21:50
v0.30.2
751772b

Full List of Changes

This release contains the following fixes and changes:

  • Updated JavaScript build system to provide slightly better browser compatibility.
  • Updated page-content save parsing to update anchor references on IDs changed by BookStack. (#2278)
  • Fixed issue where creating a link attachment after multiple validation failures would result in many duplicate links being created. (#2286)
  • Updated drawing integration to, by default, use diagrams.net instead of draw.io. (#2285, #2044)
  • Updated default .htaccess to align with Laravel's and allow canonical redirects on non-root URL app instances. Thanks to @jakubboucek. (#2272)

BookStack Beta v0.30.1

26 Sep 16:58
v0.30.1
3edc9fe

Full List of Changes

This release contains the following fixes and changes:

  • Updated translations. (#2262)
  • Updated settings header bar to adapt better for longer-text languages. (#2265)
  • Updated callout link formatting to use callout text style rather than theme color. Thanks to @alexmannuk. (#2233, #303)
  • Updated Book export content so that page includes are parsed. Thanks to @mr-vinn. (#2227, #2228)
  • Fixed issue where the markdown editor preview pane would be empty. (#2280)
  • Fixed incorrect spelling of "Ubuntu Mono" font definition. Thanks to @abulgatz. (#2274)
  • Fixed incorrect AddActivityIndexes migration 'down' action. Thanks to @gertjankrol. (#2268)
  • Fixed unexpected scroll bars on code blocks. (#2267)
  • Fixed issue where a notification would not be shown upon SAML login where there's an existing non-matching user. (#2263)

BookStack Beta v0.30.0

20 Sep 09:35
v0.30.0
ecd5691

Update Notices

Security Notice - Possible Privilege Escalation

Thanks to @Defelo it was advised that current privilege escalation situations are not made clear when applying role permissions. Any user with a "Manage app settings", "Manage users" or "Manage roles & role permissions" system permission assigned to one of their roles could technically alter their own permissions to gain wider access. A clear advisory of these cases has been added in the UI in v0.30 but admins are advised to review which users have these permissions with the above in mind.

LDAP & SAML Group Matching - Potential Change

Thanks to @nem1989 it was found that BookStack roles would be matched to LDAP/SAML groups based upon the role display name, which is expected, but only those roles with a matching "name" value would be considered for this matching. This "name" field was redundant, and has now been removed, but it would store a cleaned version of the first-set name of the role. All roles will now be considered before being matched on name which may mean that roles which did not sync before, that would have been expected to based on their name, may now start to sync.

Full List of Changes

  • Added API endpoints for chapters.
  • Added audit log to the settings area. (#2173, #1167)
  • Added the ability to insert an attachment link directly into the current editor window. (#1460)
  • Added session-based code-block editor auto-save to prevent potential loss of content. (#1398)
  • Added warning wording around role system permissions to indicate what permissions could allow privilege escalation. (#2105)
  • Added the ability to log login failures to a file. Thanks to @benrubson. (#1881, #728)
  • Updated Simplified Chinese translations. Thanks to @Honvid. (#2157)
  • Updated WYSIWYG editor CSS to put the editor in its own layer to improve degraded dark mode performance. (#2154)
  • Updated Czech translations. Thanks to @jakubboucek. (#2238)
  • Updated permission system so that the permission map table does not contain IDs since database limits could be met in scenarios where permissions were automatically refreshed on a frequent basis. (#2091)
  • Updated the role table in the database to remove a redundant name field, which fixes an issue where changing a role name would not change the name used to match with LDAP groups. (#2032)
  • Updated URL slug generation to achieve a much cleaner result when non-ascii characters are used. Thanks to @drzippie. (#2165, #2026, #1765)
  • Updated error reporting so that not-found errors are not written to the log, since these caused logs to fill much quicker than expected. (#2110)
  • Updated dark mode styles to remove filters applied to images so that they display as expected. (#2045)
  • Removed Vue.js from project & started standardisation of custom basic component system. (#2202)
  • Replaced dev usage of node-sass with dart-sass. Thanks to @timoschwarzer. (#2166)
  • Fixed issue where, upon role delete, users would not be migrated when specified to during role delete flow. (#2211)
  • Fixed issue where the system would error on upload of images that contain a hash in the name. (#2161)
  • Fixed scenario where page drafts would show as saved where request would actually fail, leading to loss of data. Added a browser-side storage mechanism for emergency use. (#2150)
  • Fixed issue where LDAP groups would not sync on initial login due to the email confirmation system taking over before the group sync would run. (#2082)
  • Fixed issue where the redirect upon login could lead to an external site. (#2073)
  • Fixed low visibility of horizontal lines when dark mode is in use. (#2209)
  • Fixed issue where HTML entities would be seen in page preview content. Thanks to @mr-vinn. (#2257, #2114)
  • Fixed issue where previous page content would be indexed upon save instead of the fresh content. (#2042)
  • Fixed issue where an error would be thrown on SAML logout request from the IdP. (#2002)
  • Fixed bad pagination styling which would result in invisible numbering. (#1839)
  • Fixed incorrect and misleading behaviour when saving a comment with no content. (#1836)

BookStack Beta v0.29.3

12 May 21:44
v0.29.3
29ddb6e

Security Release

This release addresses issue #2111 where the name of a restricted book could be viewed by non-authorised users when the book was on a shelf, and the shelves were viewed in "List View". This could expose book names to those that did not have permission to see them, when part of a shelf.