HedgeDoc 1.8.0
This release fixes multiple security issues. We recommend upgrading as soon as possible.
Please note: This release dropped support for Node 10, which has been end-of-life since April 2021. You now need at least Node 12 to run HedgeDoc, but we recommend running the latest LTS release.
Security Fixes
- CVE-2021-29474: Relative path traversal attack on note creation
- CVE-2021-21306: Underscore ReDoS in the `marked` library
  This issue allowed an attacker to hang HedgeDoc by inserting a malicious string into a note. Thanks to Ralph Krimmel for reporting!
We also published an advisory for CVE-2021-29475: PDF export allows arbitrary file reads, which has already been fixed since HedgeDoc 1.5.0.
Features
- Database migrations are now automatically applied on application startup. The separate `.sequelizerc` configuration file is no longer necessary and can be safely deleted
- A Prometheus endpoint is now available at `/metrics`, exposing the same stats as `/status` in addition to various Node.js performance figures
- Add a config option to require authentication in FreeURL mode (#755 by @nidico)
Enhancements
- Removed dependency on external imgur library
- HTML language tags are now set up in a way that stops Google Translate from translating note contents while editing
- Removed `yahoo.com` from the default content security policy
- New translations for Bulgarian, Persian, Galician, Hebrew, Hungarian, Occitan and Brazilian Portuguese
  Updated translations for Arabic, English, Esperanto, Spanish, Hindi, Japanese, Korean, Polish, Portuguese, Turkish and Traditional Chinese
  Thanks to all translators!
- Various dependency updates
Bugfixes
- Improve readability of diagrams & embeddings in night-mode
- Use the default template for new notes in FreeURL mode
- Fix frontend crash in slide mode if no `slideOptions` are present in the frontmatter
- Return 404 on the `/download` route for non-existent notes in FreeURL mode
- Properly clean up the UNIX socket on application exit
- Don't overwrite existing notes on POST requests to `/new/<alias>` in FreeURL mode
Contributors
- Amit Upadhyay (translator)
- Atef Ben Ali (translator)
- Edi Feschiyan (translator)
- Gabriel Santiago Macedo (translator)
- Longyklee (translator)
- Nika. zhenya (translator)
- Nicolas Dietrich
- Nis (translator)
- rogerio-ar-costa (translator)
- sanami (translator)
- Tom Dereszynski (translator)
- 상규 (translator)
- uıʞǝʇuɐϽ (translator)
- UwYFmLpoKtYn (translator)