v3.1.12

@Erikmitk Erikmitk released this 02 May 12:30
· 50 commits to kitodo-publication-3x since this release
48daf97

Performance

  • Reduce Fedora round trips for attachment requests: SLUB-INFO was fetched twice per request (access check + filename generation) — now fetched once and reused
  • Cache SLUB-INFO and MODS datastreams in Redis DB 4 alongside existing METS cache (same TTL and config)
  • Extend cache invalidation to cover slub-info:{pid} and mods:{pid} keys on document update/delete
  • Add explicit 90s timeout to all internal Fedora file_get_contents() calls
  • Switch get_headers() calls to the HEAD method so Fedora no longer transfers a response body that get_headers() discards anyway
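The Fedora-access pattern behind the items above, as an added illustration rather than code from Kitodo.Publication itself: one stream context carries the explicit 90s timeout, header lookups use HEAD, and the SLUB-INFO/MODS bodies are cached under `slub-info:{pid}` / `mods:{pid}` keys that document update/delete can delete together. The function names, the METS key name, the Fedora 3 URL shape, and the use of the phpredis `Redis` class are assumptions made for this example.

```php
<?php
// Added example; not the project's own code. Names, key layout and URL shape are assumed.
declare(strict_types=1);

const FEDORA_TIMEOUT_SECONDS = 90; // explicit timeout from the release notes
const CACHE_DB = 4;                // Redis DB shared with the existing METS cache

// Every internal Fedora request goes through one context so the timeout cannot be
// forgotten: a stalled Fedora then fails the request instead of pinning a PHP worker.
function fedoraContext(string $method = 'GET')
{
    return stream_context_create([
        'http' => ['method' => $method, 'timeout' => FEDORA_TIMEOUT_SECONDS],
    ]);
}

// Fedora 3 REST datastream URL (assumed shape). The PID is expected to have passed
// the entry-point format validation; the datastream id is encoded defensively.
function datastreamUrl(string $fedoraBase, string $pid, string $dsid): string
{
    return sprintf('%s/objects/%s/datastreams/%s/content',
        rtrim($fedoraBase, '/'), $pid, rawurlencode($dsid));
}

// HEAD instead of the default GET: get_headers() throws the body away, so a GET would
// transfer a possibly large attachment only to discard it.
function datastreamHeaders(string $fedoraBase, string $pid, string $dsid)
{
    return get_headers(datastreamUrl($fedoraBase, $pid, $dsid), true, fedoraContext('HEAD'));
}

// One key layout for the cached XML datastreams, e.g. "slub-info:qucosa:123" (constructed).
// The "mets:{pid}" name for the existing METS cache is an assumption.
function cacheKey(string $dsid, string $pid): string
{
    return strtolower($dsid) . ':' . $pid;
}

// Fetch-once-and-cache: the caller reads SLUB-INFO once per request and hands the same
// string to both the access check and filename generation instead of fetching twice.
// $redis is expected to have selected CACHE_DB already ($redis->select(CACHE_DB)).
function cachedDatastream(Redis $redis, string $fedoraBase, string $pid, string $dsid, int $ttl): ?string
{
    $key = cacheKey($dsid, $pid);
    $hit = $redis->get($key);
    if (is_string($hit)) {
        return $hit;
    }
    $body = @file_get_contents(datastreamUrl($fedoraBase, $pid, $dsid), false, fedoraContext('GET'));
    if ($body === false) {
        return null; // timeout or HTTP error: never cache a failure
    }
    $redis->setEx($key, $ttl, $body);
    return $body;
}

// Invalidation on document update/delete removes all cached datastreams of the PID,
// so a stale SLUB-INFO can never outlive a changed access decision.
function invalidateDocumentCache(Redis $redis, string $pid): void
{
    $redis->del(cacheKey('METS', $pid), cacheKey('SLUB-INFO', $pid), cacheKey('MODS', $pid));
}
```

A failed fetch is deliberately not cached: caching a timeout result would turn one slow Fedora response into a TTL's worth of denied downloads.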

Security

  • Fix XPath injection in SLUB-INFO downloadable check: $dsid (user-supplied attachment parameter) was interpolated directly into XPath query string, allowing bypass of per-file access control. Logic extracted to SlubInfoHelper::isDownloadable() with PHP-level string comparison instead
  • Add format validation for qid (Fedora PID) and attachment (datastream ID) parameters at API entry point — rejects malformed input before any URL construction or cache key use
  • Use hash_equals() for deliverInactive secret key comparison (timing-safe)
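The three security items side by side, as an added example that is not Kitodo.Publication's own code: the interpolated-XPath pattern the release removes, the replacement that keeps user input out of the query and compares in PHP, entry-point format checks for the PID and datastream id, and the timing-safe secret comparison. The SLUB-INFO element and attribute names, the validation patterns, and the function names are assumptions; the real `SlubInfoHelper::isDownloadable()` may differ.

```php
<?php
// Added example; not the project's code. XML shape, patterns and names are assumed.
declare(strict_types=1);

const SLUB_NS = 'http://slub-dresden.de/'; // assumed namespace

// Constructed SLUB-INFO sample: one downloadable and one restricted attachment.
const SAMPLE_SLUB_INFO = <<<XML
<slub:info xmlns:slub="http://slub-dresden.de/">
  <slub:attachment id="ATT-0" isDownloadable="yes"/>
  <slub:attachment id="ATT-1" isDownloadable="no"/>
</slub:info>
XML;

function parseSlubInfo(string $xml): DOMXPath
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NONET); // no network access while parsing
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('slub', SLUB_NS);
    return $xpath;
}

// BEFORE (the defect the release fixes): the user-supplied datastream id becomes part
// of the XPath predicate. Any value containing a quote or bracket rewrites the query,
// so the answer no longer describes the attachment the caller asked about.
function isDownloadableVulnerable(string $xml, string $dsid): bool
{
    $nodes = parseSlubInfo($xml)->query('//slub:attachment[@id="' . $dsid . '"]/@isDownloadable');
    return $nodes !== false && $nodes->length > 0 && $nodes->item(0)->nodeValue === 'yes';
}

// AFTER: the XPath expression is a constant; the id match and the flag check are
// plain PHP string comparisons, so user input can never change the query.
function isDownloadable(string $xml, string $dsid): bool
{
    foreach (parseSlubInfo($xml)->query('//slub:attachment') as $attachment) {
        if ($attachment->getAttribute('id') === $dsid) {
            return $attachment->getAttribute('isDownloadable') === 'yes';
        }
    }
    return false; // unknown attachment: deny by default
}

// Entry-point format validation, run before any URL or cache key is built.
// Patterns are assumptions: a Fedora PID is "namespace:id", a datastream id a short token.
function isValidPid(string $qid): bool
{
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._~-]*:[A-Za-z0-9._~-]+$/', $qid) === 1;
}

function isValidDsid(string $dsid): bool
{
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $dsid) === 1;
}

// Timing-safe comparison for the deliverInactive secret: hash_equals() takes the same
// time whether the strings differ in the first byte or the last.
function deliverInactiveKeyMatches(string $configuredSecret, string $providedKey): bool
{
    return hash_equals($configuredSecret, $providedKey);
}

// Constructed run: ATT-0 is allowed, ATT-1 and a malformed id are refused.
assert(isValidDsid('ATT-0') && isDownloadable(SAMPLE_SLUB_INFO, 'ATT-0'));
assert(isValidDsid('ATT-1') && !isDownloadable(SAMPLE_SLUB_INFO, 'ATT-1'));
assert(!isValidDsid('ATT-1"]/..'));
assert(isValidPid('qucosa:123') && !isValidPid('../objects'));
```

Validation first, then the constant-XPath lookup: a rejected id never reaches `isDownloadable()`, and even an id that passes the pattern cannot alter the query because it is only ever compared, never concatenated.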