@ -1,3 +1,46 @@ |
|
|
|
|
Version 2.0.43 (March 16, 2023) |
|
|
|
|
------------------------------- |
|
|
|
|
|
|
|
|
|
* Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler (CVE-2023-27592) |
|
|
|
|
|
|
|
|
|
Creating an RSS feed item with the inline description containing an `<img>` tag |
|
|
|
|
with a `srcset` attribute pointing to an invalid URL like |
|
|
|
|
`http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error |
|
|
|
|
condition where the invalid URL is returned unescaped and in full. |
|
|
|
|
|
|
|
|
|
This results in JavaScript execution on the Miniflux instance as soon as the |
|
|
|
|
user is convinced to open the broken image. |
|
|
|
|
|
|
|
|
|
* Use `r.RemoteAddr` to check `/metrics` endpoint network access (CVE-2023-27591) |
|
|
|
|
|
|
|
|
|
HTTP headers like `X-Forwarded-For` or `X-Real-Ip` can be easily spoofed. As |
|
|
|
|
such, it cannot be used to test if the client IP is allowed. |
|
|
|
|
|
|
|
|
|
The recommendation is to use HTTP Basic authentication to protect the |
|
|
|
|
metrics endpoint, or run Miniflux behind a trusted reverse-proxy. |
|
|
|
|
|
|
|
|
|
* Add HTTP Basic authentication for `/metrics` endpoint |
|
|
|
|
* Add proxy support for several media types |
|
|
|
|
* Parse feed categories from RSS, Atom and JSON feeds |
|
|
|
|
* Ignore empty link when discovering feeds |
|
|
|
|
* Disable CGO explicitly to make sure the binary is statically linked |
|
|
|
|
* Add CSS classes to differentiate between category/feed/entry view and icons |
|
|
|
|
* Add rewrite and scraper rules for `blog.cloudflare.com` |
|
|
|
|
* Add `color-scheme` to themes |
|
|
|
|
* Add new keyboard shortcut to toggle open/close entry attachments section |
|
|
|
|
* Sanitizer: allow `id` attribute in `<sup>` element |
|
|
|
|
* Add Indonesian Language |
|
|
|
|
* Update translations |
|
|
|
|
* Update Docker Compose examples: |
|
|
|
|
- Run the application in one command |
|
|
|
|
- Bring back the health check condition to `depends_on` |
|
|
|
|
- Remove deprecated `version` element |
|
|
|
|
* Update scraping rules for `ilpost.it` |
|
|
|
|
* Bump `github.com/PuerkitoBio/goquery` from `1.8.0` to `1.8.1` |
|
|
|
|
* Bump `github.com/tdewolff/minify/v2` from `2.12.4` to `2.12.5` |
|
|
|
|
* Bump `github.com/yuin/goldmark` from `1.5.3` to `1.5.4` |
|
|
|
|
* Bump `golang.org/x/*` dependencies |
|
|
|
|
|
|
|
|
|
Version 2.0.42 (January 29, 2023) |
|
|
|
|
--------------------------------- |
|
|
|
|
|
|
|
|
|
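Review bot: the CVE-2023-27591 entry has a number mismatch ("HTTP headers ... it cannot be used") and leaves out the practical consequence of the fix it describes: once the allowlist check reads `r.RemoteAddr`, a Miniflux instance behind a reverse proxy will see the proxy's address, not the end client's, so the network allowlist on `/metrics` then applies to the proxy rather than to the client. Suggest rewording the two sentences to "As such, they cannot be used to test whether the client IP is allowed." and extending the recommendation so it says that behind a reverse proxy the access restriction must be enforced by the proxy itself, or by the HTTP Basic authentication this release adds for the endpoint, since `r.RemoteAddr` alone will not distinguish clients in that deployment.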