
2026.06.03


Released by @smgdkngt on 03 Jun 08:44, commit 52dd18d (3 commits to main since this release)

Security

  • Fix stored DOM-XSS in the public shared-folder image gallery (GHSA-m95v-4xq6-grhg, CWE-79). A file name was round-tripped through data-name and re-injected into innerHTML by the public gallery's lightbox, so a crafted filename executed JavaScript for any unauthenticated visitor to a /s/<token> share who clicked a thumbnail. The lightbox now builds nodes via DOM APIs (.src/.alt/textContent), which never parse HTML. (#62)
  • Content-Security-Policy is now enforced (previously report-only) as defense-in-depth. All inline on*= handlers were converted to Stimulus controllers (mail_bulk, recovery_code, and the existing clipboard). (#62)

Reported by tonghuaroot (童话).
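As an added regression check (not code from the project; the view and JS fragments are constructed to mirror the two patterns #62 removed), the Ruby snippet below flags markup that an enforced CSP without 'unsafe-inline' will block (inline on*= handlers, inline script blocks, javascript: URLs) and the innerHTML-style sinks that let a file name be parsed as HTML instead of being set via .src/.alt/textContent:

```ruby
# Regex rules for the two classes of finding. Constructed example, not project code.
INLINE_HANDLER = /\s(on[a-z]+)\s*=\s*["']/i                 # onclick="...", onerror='...'
INLINE_SCRIPT  = /<script\b(?![^>]*\bsrc\s*=)[^>]*>/i        # <script> with no src attribute
JS_URI         = /\b(?:href|src|action)\s*=\s*["']\s*javascript:/i
# Assignments that parse a string as markup; comparisons (==) are excluded.
HTML_SINK      = /\.(?:innerHTML|outerHTML)\s*\+?=(?!=)|\binsertAdjacentHTML\s*\(|\bdocument\.write\s*\(/

# Returns one hash per (line, rule) hit: { line:, kind:, match: }.
def scan(source, rules)
  findings = []
  source.each_line.with_index(1) do |line, no|
    rules.each do |kind, re|
      m = re.match(line)
      findings << { line: no, kind: kind, match: m[0].strip } if m
    end
  end
  findings
end

# Markup that an enforced script-src without 'unsafe-inline' would block.
def csp_blockers(html)
  scan(html, inline_handler: INLINE_HANDLER, inline_script: INLINE_SCRIPT, javascript_uri: JS_URI)
end

# JS sinks where untrusted text (e.g. a file name) is parsed as HTML.
def html_sinks(js)
  scan(js, html_sink: HTML_SINK)
end

# Constructed samples: a gallery thumbnail with an inline handler next to a
# Stimulus-style button, and a lightbox body before and after the DOM-API fix.
SAMPLE_VIEW = <<~ERB
  <img src="<%= url %>" data-name="<%= file.name %>" onclick="openLightbox(this)">
  <button data-controller="clipboard" data-action="click->clipboard#copy">Copy</button>
ERB

SAMPLE_JS = <<~JS
  // before: the file name is re-parsed as markup
  box.innerHTML = `<img src="${img.src}"><p>${img.dataset.name}</p>`;
  // after: nodes built with DOM APIs, text is never parsed as HTML
  const cap = document.createElement("p"); cap.textContent = img.dataset.name;
JS

if __FILE__ == $0
  (csp_blockers(SAMPLE_VIEW) + html_sinks(SAMPLE_JS)).each do |f|
    puts "line #{f[:line]}: #{f[:kind]} -> #{f[:match]}"
  end
end
```

Run it over app/views and app/javascript before flipping CSP from report-only to enforced; an empty result for both scans is the precondition the release notes describe.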

Dependencies (#63)

  • puma 8.0.1 → 8.0.2
  • jbuilder 2.15.0 → 2.15.1
  • solid_cable 3.0.12 → 4.0.0 (major — requires Ruby 3.3+, no schema or cable.yml changes)
  • transitive: psych, zeitwerk, json, irb

bundler-audit: no known vulnerabilities.