Releases: BookStackApp/BookStack

BookStack Beta v0.25.3

21 Mar 00:09
v0.25.3
119b539

Security Release

This release patches a security vulnerability that allowed PHP files to be uploaded via image upload endpoints. The PHP files could then be called externally to perform malicious activity.

This is particularly an issue in environments where untrusted users have the necessary permissions to upload images.

Please consider that malicious exploitation of this vulnerability may have allowed access to other files on your server that the PHP process has access to, including your BookStack .env file. Consider updating any passwords or keys if you think this could have been exploited on your instance.

It is advised you update your BookStack instance as soon as possible.

BookStack Beta v0.25.2

10 Mar 13:50
v0.25.2
7906602

This release contains the following fixes and changes:

  • Added PowerShell code highlighting to code blocks. Thanks to @christophert. (#1263, #1040)
  • Added LUA code highlighting to code blocks. (#1223)
  • Added LDAP option to set a custom "Display Name" property. Thanks to @dfanara. (#1317, #1306)
  • Added possibility to set a password for Redis connections. (#1283)
  • Updated front-end file upload size limit to be configurable. (#1293)
  • Updated Dutch translations for the password hint. Thanks to @maantje. (#1314)
  • Updated image paste/drop uploads to properly set page relations so image permissions are active. (#1287)
  • Updated German translations to include translations for shelves. Thanks to @Xiphoseer. (#1272)
  • Updated permissions checked for "Page Copy" function to be more accurate to what permissions are actually required. Thanks to @mark-james. (#1202, #1199)
  • Updated permissions checked for the "Shelves" header item to be visible. Now takes into account custom shelf-level permissions. (#1201)
  • Fixed bug where using alignment properties could break tables. (#1284)
  • Fixed issue where default system language would not be reflected when viewing another user's profile. (#1316)
  • Fixed issue where image-manager tooltips could be cut-off. Thanks to @Abijeet. (#1238, #1186)

BookStack Beta v0.25.1

20 Jan 15:44
v0.25.1
25bc28a

This release contains the following fixes and changes:

  • Updated revision listing so dates can show localised if the relevant locale is installed on the host system. (#1214)
  • Added support for S3-compatible storage services such as Minio. (#1195, #1192)
  • Updated Google authentication to not use Google+ API. (#1190)
  • Fixed "Rubber banding" effect when scrolling in certain conditions when comments were disabled. (#1218)
  • Fixed issue causing only a single page to show when using Firefox's print option. (#1211)

BookStack Beta v0.25.0

12 Jan 22:52
v0.25.0
95b3e78

Security - During the release cycle for Version v0.25 it was found that page content includes could leak their content as preview text to users that don’t have permission to view the included content. It’s recommended to re-save any pages that included other page content that’s restricted to ensure included text is not shown in page preview text.

Requirements Change - Minimum required version of PHP has changed from 7.0.0 to 7.0.5.

Configuration Change - The .env option GRAVATAR_URL=false has been replaced by AVATAR_URL=false.

Full List of Changes

  • Added Ukrainian translations. Thanks to @Mant1kor. (#1183)
  • Added German informal translations. Thanks to @ezzra. (#1159, #890)
  • Updated Polish translations. Thanks to @vasiliev123. (#1180)
  • Updated Spanish translation formatting. Thanks to @moucho. (#1197)
  • Added proper escaping to LDAP authentication variables. (#1163)
  • Added anchor links to user profile sections and added "Register" to header for guest users. Thanks to @qianmengnet. (#1146)
  • Added configurable timeout for file & image uploads. Thanks to @Abijeet. (#1133, #876)
  • Added system to prevent the last admin from removing themselves as an admin. (#1124)
  • Added link to manage users in header if user has permission to do so but does not have permission to change system settings. Thanks to @cw1998. (#1119, #1110)
  • Added support for custom avatar provider. Thanks to @Vinrobot. (#1111)
  • Added option to disable LDAPS Certificate Validation. Thanks to @christophert. (#1065)
  • Added testing coverage to user avatar fetching. (#1193) (#1096)
  • Updated times in page exports to use absolute time formats instead of relative formats.
  • Updated "Move" operations so that "Delete" permissions are required on the item being moved. (#1200)
  • Updated page preview/search system to prevent leaks in included content when permissions are set on included content. (#1178)
  • Re-enabled missing plaintext copies on system-generated emails. (#1182)
  • Improved 'SQL' code block highlighting. (#1181)
  • Simplified ".env.example" file and created full example version. (#1205)
  • Fixed WYSIWYG editor issue that could reset cursor position on code block click. (#1162).

BookStack Beta v0.24.3

27 Nov 22:00
v0.24.3
e093a17

This release contains the following fixes and changes:

BookStack Beta v0.24.2

10 Nov 16:32
bc116b4

This release contains the following fixes and changes:

  • Added Korean translations. Thanks to @limkukhyun. (#1066)
  • Added option to Google authentication to force account selection. Thanks to @justein230. (#1063)
  • Updated Brazilian Portuguese translations. Thanks to @DeehSlash. (#1034)
  • Updated Chinese translations. Thanks to @qianmengnet. (#1109)
  • Updated French translations. Thanks to @TheLastOperator. (#1098)
  • Updated Traditional Chinese translations. Thanks to @kejjang. (#1088)
  • Markdown editor now wraps images with link to original file on insert. Thanks to @thomasjsn. (#1064, #1062)
  • Fixed incorrect login redirect if using BookStack on a sub-path. (#1048, #956)
  • Updated Laravel to fix compact() issue on page load when using PHP 7.3. (#1095)
  • Major re-structure to many core parts of the application back-end code.
  • Updated all JavaScript modules to use ES6 import/export instead of require syntax.

BookStack Beta v0.24.1

24 Sep 15:37
v0.24.1
04a364d

This release contains the following fixes and changes:

  • Fixed update database issues with certain role configurations and database types. (#1027)

If you previously experienced issues upgrading to v0.24 please try following the update commands again to update to v0.24.1.

BookStack Beta v0.24.0

24 Sep 11:24
v0.24.0
bf74f53

Please note: due to the required re-working of some settings, you may have to re-apply any homepage options you've previously set upon updating to v0.24. See the update instructions page linked below for further info.

Full List of Changes

  • Added bookshelves, a level above books. (#947, #1023, #95)
  • Added ability to remove particular revisions. Thanks to @Abijeet. (#1008, #784)
  • Added social auto-registration option. Thanks to @ibrahimennafaa. (#966, #574, #572, #477)
  • Added Arabic language and initial RTL language support. Thanks to @kmoj86. (#945, #939)
  • Added ability to scroll past the end in the Markdown editor. (#1020)
  • Updated default cookie name and made configurable via .env file. (#1018)
  • Updated revision limit to be configurable. (#1004)
  • Updated export templates to include custom styles. (#981)
  • Updated database migrations so MyISAM engine is never forced and so that fulltext index support is not required. (#726)
  • Updated Spanish translations. Thanks to @moucho. (#1025, #1021)
  • Updated German translations. Thanks to @vriic. (#983, #1026)
  • Updated Russian translations. Thanks to @mullinsmikey. (#1002)
  • Updated Brazilian Portuguese translations. Thanks to @DeehSlash. (#986)
  • Fixed chapter content dropdown acting unreliably. Thanks to @Abijeet. (#1009, #960)
  • Fixed duplicate role attachment database error that could occur on LDAP group sync. (#1003)
  • Fixed issue in WYSIWYG editor where the "No color" option would disappear or not be present. (#999)
  • Fixed issue where code block content may be hidden by the copy button. (#980)
  • Fixed issue in WYSIWYG where it could be hard to escape a blockquote section. (#961)
  • Fixed hardcoded English text in search page. (#864)
  • Fixed issue causing Safari to download items as .dms files. Thanks to @ajvolin. (#581)

BookStack Beta v0.23.2

19 Aug 14:36
v0.23.2
02dfe11

This release contains the following fixes and changes:

  • Fixed LDAP group sync fail that could occur if your user filter was not uid based. (#959, Credit to @yoyokko)

BookStack Beta v0.23.1

12 Aug 13:27
v0.23.1
a8cfc05

This release contains the following fixes and changes:

  • Added .env option to disable public user locale autodetect. (#944)
  • Updated Spanish translations. Thanks to @moucho. (#957)
  • Updated 'Spanish Argentina' translations. Thanks to @leomartinez. (#952)
  • Updated Chinese translations. Thanks to @houbaron. (#948)
  • Updated Swedish translations. Thanks to @marcusforsberg. (#942)
  • Fixed error that could be thrown when mapping LDAP groups. (#951)
  • Updated composer dependencies.