dfaruque / Serenity.Extra

The name of the repo says that this is an EXTRA of the http://serenity.is platform

Bump Serenity.Net.Web from 6.0.8 to 6.7.0 in /SerExtraNet5/SerExtraNet5.Web #107

Open dependabot[bot] opened 6 months ago

dependabot[bot] commented 6 months ago

Bumps Serenity.Net.Web from 6.0.8 to 6.7.0.

Changelog

Sourced from Serenity.Net.Web's changelog.

6.7.0 (2023-04-06)

Features:

  • Warning! This release focuses on addressing potential security issues that were recently discovered by Fabian Densborn from SEC Consult. Serene/StartSharp users must either create a new project from the 6.7.0+ template or manually apply the relevant changes from this commit to their existing applications after updating Serenity packages to 6.7.0+: https://github.com/serenity-is/serene/commit/6dce8162f4382badd429a9f0f1470acb64e8c4fd

  • Serenity.is would like to express gratitude to Fabian Densborn for his discovery, analysis, and coordination, as well as the SEC Consult Vulnerability Lab (https://www.sec-consult.com) for responsibly reporting the identified issues and collaborating with us as we addressed them.

  • Added the option to use ClamAV (https://www.clamav.net/) as an antivirus scanner for temporary uploads. To enable it, add services.ConfigureSection<Serenity.Extensions.ClamAVSettings>(Configuration); and services.AddSingleton<IUploadAVScanner, Serenity.Extensions.ClamAVUploadScanner>(); to your Startup.cs after upgrading to Serenity/Serenity.Extensions 6.7.0+. Consult ClamAV documentation on how to install it on your platform. This feature will be enabled by default once these changes have been made in Startup.cs. If you want to disable it for development purposes, set ClamAV:Enabled to false in your appsettings.Development.json (not recommended for production!).

  • Added extensionless and .htm/.html to the upload file extensions blacklist by default. An attacker can include malicious scripts in such an HTML file, send an administrative user a link to that file via email, and if the administrative user is already logged in to the site while clicking the link, the script can call services, perform actions, etc. on behalf of the user as the cookies are sent by the browser.

  • Ensured that the Forgot password page does not reveal information to identify whether a user with the entered email exists.

  • Ensured that reset password tokens can only be used once. They already expired in 3 hours, but if an attacker could see the link within that time frame (e.g., by eavesdropping), they could use it to change the password again.

6.6.6 (2023-04-04)

Bugfixes:

  • Fix empty text can't be used as DisplayName in forms/columns

6.6.5 (2023-04-04)

Bugfixes:

  • [Breaking Change] Removed the legacy AsyncLookupEditor from corelib, as it was getting mixed up with AsyncLookupEditorAttribute on the server side, which is just a LookupEditor with Async = true

6.6.4 (2023-04-03)

Features:

  • Added default support for new languages including Arabic, Bangla, Czech, French, Hindi, Indonesian, Japanese, Korean, Dutch, Romanian, Swedish, Chinese Traditional. Used machine translation for all these languages in addition to the existing languages. As these may not always be the best possible translations, any pull requests with improved texts are welcome.
  • Used embedded resources under the texts/resources folder for JSON translation files instead of static web assets under wwwroot/texts, as these files are not meant to be directly accessed via web. This will also reduce the number of published files and simplify deployment.
  • Introduced quick filter option in Translations page to show/hide user translated and text that has any translation in the target language. There are also buttons to export translated values / original values to make translation easier. Each translation resource folder also contains a template JSON file in English language that can be used as source.
  • ITypeSource may return its assemblies if available via the new IGetAssemblies interface
  • Introduce LanguageIdKeyPair to use as dictionary key in LocalTextRegistry.
  • Added IGetAllTexts interface to LocalTextRegistry to return all registered texts
  • Added ILanguageFallbacks interface for LocalTextRegistry to get/set language fallbacks.
  • Added initialization support to LocalText directly, so that readonly localtexts can be used in nested text classes without having analyzer warnings
  • PropertyItemsLocalTextRegistration to register texts defined implicitly via DisplayName, Tab, Category, Hint, Placeholder attributes in Forms/Columns so that they can be seen/translated in Translations page
  • Also handle Hint, Placeholder, Category, Tab attributes for Row/Entity local text registration
  • NavigationLocalTextRegistration to register texts for navigation items from attributes
  • Moved NavigationItemAttribute down to Serenity.Core from Serenity.Web
  • Site local text package has a default regex that will be included in addition to anything you define in appsettings.bundles.json, so you may remove LocalTextPackages section from your appsettings.json unless you included some additional texts there.

Bugfixes:

  • Fix: fields without DisplayName attributes were shown with their local text keys in grids/forms. The property name is now used as the implicit display name.
  • Crash in Arabic culture in the constructor of ScriptCulture

6.6.3 (2023-03-24)

Features:

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/dfaruque/Serenity.Extra/network/alerts).
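The two password-reset hardenings in the quoted 6.7.0 changelog (a Forgot password reply that does not reveal whether the account exists, and reset tokens that expire after 3 hours and can be used only once) are illustrated below as an added, stand-alone example. It is not Serenity's code; the user table, the simulated mail outbox and the injectable clock are constructed for the example.

```python
import hmac
import secrets

TOKEN_TTL_SECONDS = 3 * 60 * 60  # the changelog's 3-hour validity window

# Identical reply whether or not the address is registered, so the endpoint
# cannot be used to enumerate accounts.
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."


class PasswordResetFlow:
    """Constructed model of a reset flow: users maps email -> current password."""

    def __init__(self, users, now):
        self.users = users      # constructed stand-in for the real account store
        self.tokens = {}        # token -> {"email", "issued", "used"}
        self.outbox = []        # simulated e-mail delivery: (email, token)
        self.now = now          # injectable clock so expiry can be exercised

    def request_reset(self, email):
        """Same message for known and unknown addresses; a token is only minted
        (and only delivered by mail) when the account exists."""
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.tokens[token] = {"email": email, "issued": self.now(), "used": False}
            self.outbox.append((email, token))
        return GENERIC_REPLY

    def consume(self, token, new_password):
        """Accept a token once, within its TTL; a replay of the same link fails."""
        record = self._lookup(token)
        if record is None or record["used"]:
            return False
        if self.now() - record["issued"] > TOKEN_TTL_SECONDS:
            return False
        record["used"] = True    # burn the token before touching the password
        self.users[record["email"]] = new_password
        return True

    def _lookup(self, token):
        # Constant-time comparison so the lookup does not leak token prefixes.
        for stored, record in self.tokens.items():
            if hmac.compare_digest(stored, token):
                return record
        return None
```
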