Pre-release

@nilsteampassnet nilsteampassnet released this Oct 12, 2017 · 275 commits to master since this release


Refer to changelog file to know main changes in Release 2.1.27.

New during upgrade

When upgrading, you need to enter a valid administrator name/password, and you will also need to paste the saltkey into a password field. It will be saved inside your database.
Database connection details are no longer shown. If the database information has changed, you need to update the file /includes/config/settings.php before starting the upgrade.
IMPORTANT NOTE for users who have migrated to 2.1.27.0 and have the file encryption option enabled

The file encryption process has been completely reworked. Before upgrading, please do the following:

open upload folder
copy existing files in a temporary folder
restore the files from a backup of a previous version (for example 2.1.26)
start upgrade

Newly introduced since 2.1.27.9

Fixed a possible XSS (credit to ADLab of Venustech)
Improved security related to User Management
> a manager could potentially act on users not related to him
Improved security related to Items Management
> a user could potentially act on Items he should not have access to
Secured script.backup.php by adding a security key
Fixed some other security failures (credit to security at Amossys)
Improved security regarding uploading files
Fixed issue while restoring DB from administration page
Fixed "PW copy to clipboard" log inconsistency in a specific case
Improved / Fixed administration task for encrypting/decrypting files
Improved security regarding item history display
Improved the ability to define the access level of Roles when creating a new folder
Added filter in Roles
New: confirm deletion of attachment
#1965 Login credentials do not correspond (json_decode issue)
#1964 Make email field in new LDAP user insertion null safe
#1961 After fresh installation the index.php shows random string
#1956 Warning appears on Category and API pages in admin mode
#1947 Dependency & array update in install checks
#1945 Cannot delete items
#1944 File upload results in error
#1941 Visualisation problems

Newly introduced since 2.1.27.8

Delete install folders and files during installation process
Custom Field value can be masked
Database password is encrypted in settings.php file
PHPMailer library updated to 5.2.23
TwoFactorAuth library was updated
Configuration variables are not set in SESSION anymore. Now read from tp.config.php file.
Fix: issue on offline export
Fix: error on deleting a folder at root
#1939 Unable to change page (role management)
#1937 Error while using script.backup.php in standalone
#1935 Add folder results in Requested JSON parse failed
#1933 Trying to move folder results in error message
#1932 Keepass upload fails
#1927 Changing language is not possible for users
#1924 Moving items give error: Requested JSON parse failed
#1923 Red wheel keeps turning, blocks display of new items
#1919 Upgrade to release 2.1.27.8 converts encrypted database password back to clear-text
#1915 Cannot Edit or Delete items in the Personal folder
#1909 Roles Management - Problem with access rights "Edit" "Delete"
#1903 SSH Password Change does not work
#1900 Forgot your password --> Page reload automatic
#1891 Install error - Uncaught Defuse\Crypto\Exception\BadFormatException: Encoded data is shorter than expected
#1899 Active Directory authentication not working on fresh installed Cent OS 7
#1890 access rights in manage roles
#1888 Export to CSV --> empty file (0 kb)
#1886 JSON Error when importing with an apostrophe (‘)
#1885 Undefined index: SSL_SERVER_CERT
#1884 Cannot delete custom fields - hangs indefinitely after confirm with spinning gear
#1882 Can't see any entry on any folder, using any account
#1881 Doesn't auto-delete install/ folder after installation completed
#1880 Custom Fields, Not encrypted/decrypted when toggled in Custom-Field Settings Screen
#1872 New Admin User login not working -JSON Parse file failure
#1870 Logic issue in headers sending
#1866 CSV import with empty url leads to value 0
#1862 Import from Keepass.xml to Personal folder gives no access to Item
#1857 API: Folders created at level 0 instead of correct level
#1856 Made tp.config.php creation more robust in case of upgrade
#1851 Fix ldap suffix
#1850 Missing iconv in Docker
#1840 Added the "download" attribute
#1837 JSON error in Find page when user has no folders to browse
#1834 Typo in sources/main.functions.php
#1833 Opening a one time view page gives a notice: A session had already been started...
#1830 Salt key field has already a character filled in.
#1829 Attachments is broken after upgrade from 2.1.27.0. Fix in progress
#1828 No error message when duplicate item names at personal keys
#1826 New dockerfile and docker-compose.yml
#1820 Group vertical scroll bar does not work correctly
#1819 Fix for QR sending from login page

Main changes in 2.1.27

New: Custom Fields are only visible if defined
Fix issue in tree if subfolder is visible while parent is not
Fix issues regarding DUOSecurity
Fix upgrade doesn't start in case that sk.php file has moved
Fix for Custom Fields not displayed as defined by order field
Security fixes
Session increase time feature now extends the session by the expected user session duration
Fix: default language could not be changed
Fix for "hide not accessible folders" option
New Defuse Encryption implemented in place of phpCrypt
NEW AGSES authentication implemented
NEW Custom Fields data can be stored encrypted or unencrypted in the database
NEW Folder copy feature
NEW Mass move or delete operation on Items
NEW Item change proposal
IMP Implemented new session encryption library SecureHandler (getting rid of mcrypt extension)
IMP Language selection is now in User Profile (Default language is used on authentication page)
IMP User creation dialog box improved with all user properties
IMP New user login availability is checked "live"
IMP Filtering counters in datatables
IMP Users Management dialog box improved
IMP 2FA authentication change to improve security (no call to external QR generator)
UPD AES library updated
FIX "Find" feature: copy from public to personal folder, and list of folders is refreshed when copying an Item
Fix: Prevent moving a folder into one of its own child folders
New: Multiselection in Roles vs Folders matrix
New: LDAP configuration test mode (in progress)
Fix: Global saltkey change
Fix: Copy folder doesn't copy included items
Fix: Encrypt/Decrypt attachments feature from admin page

#1806
#1796 Can't add folder from API
#1787 email notifications are not sent if there are any admins with empty email address
#1776 Allow restricting items to users and roles - Wrong Item Owner
#1775 Can not decrypt a created crypted Backup - Improved encryption with Defuse
#1774 Announce this Item by email
#1769 Installation issue - no admin account is created
#1762 Share user rights works backwards
#1761 Reset of my Personal Saltkey
#1743 Enable anonymous LDAP queries
#1690 Unable to set/save personal salt key with LDAP user
#1742 Fix for issue #1539 verifying LDAP groups properly
#1740 Missing buttons on Users page
#1737 Cannot import files
#1735 Dockerfile - PHP extension "curl" is loaded Extension curl is not loaded
#1733 Copy Item doesn't work if copy from public to public folders
#1731 Cannot login in after fresh install
#1729 Protection against bigger data than database field size
#1727 Cannot edit or delete entry in the Personal folder
#1725 Some fixes
#1723 Fix spinner not removed while resetting user saltkey
#1722 SELinux issue leads to upload impossible
#1718 Moving a folder to itself
#1717 After deleting a folder, items are still visible in search page
#1713 Doubleclick on directory shows items twice
#1710 Error on psk change
#1709 Missing field in table on fresh install
#1707 "Restricted To" not working correctly when creating new items
#1706 User can edit & delete items without rights
#1696 Fix for no log for OTV
#1695 Manager can create folder at root from Items pas
#1686 Fix for item History dialog box
#1685 Fix in Portuguese file
#1684 Estonian language still missing
#1679 Sort by doesn't work in Utilities/logs
#1676 Pre-auth XSS in index.php
#1674 name and lastname are changed on other user edit
#1672 Anonymous settings not stored
#1670 Incremental upgrade not active
#1669 Logout - Errors
#1668 File encryption is not correct in case of upgrade
#1666 Can't set avatar
#1662 Can not delete folders
#1659 Third level of sub folders in the Personal folder are not seen
#1654 User management page - no "next" button
#1635 New folder inheritance of parent specific settings
#1631 Error could appear on upgrade when checking folders and files
#1628 URL link to specific item does not work
#1627 Improved label preview length
#1625 Request to add/change password
#1624 Error 500 while importing item with API (with PHP < 7)
#1621 New option: OTV can be disabled
#1620 Direct copy password from search results and large folders
#1616 Cannot show password with IE11
#1614 Generate personal folders sets regular root folders also as personal
#1608 All folders are deleted
#1603 Attached files disappear
#1601 Time zone can't be saved in My Profile
#1593 Insert duplicate label with API
#1592 Show Client IP in mail to admin about logged on users
#1588 Fix for OTV links
#1587 fix for e-mail to administrator on logon does not work
#1581 Fix for new folder Custom Fields inheritance
#1579 Fix for preventing a php fatal error
#1575 Fix for tree not loaded when user has no access to a folder with children
#1571 Drag and drop from PF to public folder makes item password corrupted
#1571 Create an item inside another folder than the one selected
#1561 Personal folder deletion deletes all
#1559 API IP Whitelist check does not consider XFF
#1556 Fix bug for upgrading old passwords
#1553 LDAP support - Add LDAP port - Add support multi LDAP server
#1551 Authentication through LDAP posix-search
#1550 2 Factor enabled but can still log in without code
#1549 Read Only users can use Personal Folders
#1543 Wrong Saltkey message after setting
#1533 The change of the main SALT Key doesn't work
#1532 Added error message in install.js if db-pw contains double quotes
#1531 Database otv table originator field should be int instead of tinyint
#1514 User language selection is done in Profile dialog box
#1474 New option: create an item without password
#1472 "folder access" and "role" settings when adding new user + propagate rights from one user
#1464 CSV files broken, html entities not decoded, newlines not stripped
#1422 Folder deletion protocol has been secured to prevent inconsistencies in the folders tree
#1412 New option: Manager can move items they can view
#1408 Display folders visible by a user
#1299 Export to pdf or csv shows htmlencoded