
HelloZeroNet released this Sep 6, 2019 · 21 commits to py3 since this release

  • Pull down top-right 0 button to show console
  • New UiPluginManager plugin: Manage and install third-party plugins.
  • Full support of OpenSSL 1.1 (Thanks to radfish & imachug)
  • Fix a bug where merged site data was not loaded for 5 sec after the site was added
  • Add fake SNI and ALPN to peer connections to make them look more like standard HTTPS connections

Important security update:

Wrapper template HTML injection vulnerability [Reported by ivanq]

In ZeroNet before rev4188 the wrapper template variables were rendered incorrectly.

Result: The opened site was able to gain a WebSocket connection with unrestricted ADMIN/NOSANDBOX access, change configuration values and possibly achieve RCE on the client's machine.

Fix: Fixed the template rendering code, disallowed WebSocket connections from unknown locations,
restricted open_browser configuration values to avoid possible RCE in case of sandbox escape.
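
The first two measures of the fix, sketched as an added example (not ZeroNet's own code; the release note does not describe the exact defect): a single-pass, HTML-escaping template renderer and an Origin check for WebSocket upgrades. The function names, placeholder names, hosts and sample values are hypothetical.

```python
import html
import re
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render_wrapper(template, variables):
    """Render {name} placeholders in a single pass over the template.

    Values are HTML-escaped and never rescanned, so a value that contains
    markup or another placeholder ends up as inert text.
    """
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            return match.group(0)  # unknown placeholder stays literal
        return html.escape(str(variables[name]), quote=True)
    return PLACEHOLDER.sub(substitute, template)


def websocket_origin_allowed(headers, allowed_hosts):
    """Allow a WebSocket upgrade only when Origin names a known host:port."""
    origin = headers.get("Origin")
    if not origin:  # no Origin header: treat as an unknown location
        return False
    try:
        parts = urlsplit(origin)
    except ValueError:  # malformed value
        return False
    if parts.scheme not in ("http", "https"):
        return False
    return parts.netloc.lower() in allowed_hosts


# Constructed sample data; names, hosts and values are hypothetical.
TEMPLATE = '<title>{title}</title><div data-key="{session_key}"></div>'
UNTRUSTED_TITLE = '</title><b>{session_key}</b>'
ALLOWED_HOSTS = {"127.0.0.1:8080", "localhost:8080"}

if __name__ == "__main__":
    page = render_wrapper(
        TEMPLATE, {"title": UNTRUSTED_TITLE, "session_key": "k-123"})
    print(page)
    for origin in ("http://127.0.0.1:8080", "http://other.example", "null"):
        print(origin, websocket_origin_allowed({"Origin": origin}, ALLOWED_HOSTS))
```

`html.escape` covers HTML element and quoted-attribute contexts only; a value placed inside a `<script>` block or a URL needs escaping for that context instead.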
