v2.8.1: Security Release; Fix GHSA-76c2-66pg-fj2f

@github-actions github-actions released this 30 Jun 13:17
aae8c6b

📝 What’s Changed

This release fixes GHSA-76c2-66pg-fj2f. Previously, a malicious user could supply a specific payload in a URL push that triggered a cross-site scripting (XSS) vulnerability for recipients of that push.

Thanks to @de3erve-hunter for reporting! A CVE has been requested. GHSA-76c2-66pg-fj2f will be updated once the CVE is available.

⬆️ Dependencies updates

👥 List of contributors

@dependabot[bot], @pglombardo and dependabot[bot]

🛥️ Docker Images

Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush

🏃‍♂️ Run This Version

  1. Point DNS to your server (e.g. pwpush.example.com).
  2. Download docker-compose.yml or clone the repo.
  3. In docker-compose.yml, uncomment and set:
    • TLS_DOMAIN: 'pwpush.example.com' for automatic Let’s Encrypt TLS.
  4. Run:
     docker compose up -d

Open https://pwpush.example.com or alternatively http://your-ip:5100.
