3.0.1: Security and bug fixes

Discourse 3.0.1 Stable Release

Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is more focused on lack of change than lack of bugs - all releases, including those on tests-passed and beta are production ready.

Changes

Security

  • Prevent XSS in local oneboxes (CVE-2023-22468)
  • Exclude_tags param could leak which topics had a specific hidden tag (CVE-2023-23624)
  • Only show restricted tag lists to authorized users (CVE-2023-23620)
  • Prevent ReDoS in user agent parsing (CVE-2023-23621)
  • Prevent ReDOS by making the SSH url regex unambiguous (CVE pending)
  • Remove bypass for base_url (CVE-2023-23615)
  • Limit the character count of group membership requests (CVE-2023-23616)
  • Limit the length of drafts (CVE-2023-22739)
  • Limit chat drafts length and preloaded count (CVE-2023-22740)
  • Bump Rails to v7.0.4.1 (see rubyonrails.org announcement)
  • Default tags to show count of topics in unrestricted categories (CVE pending)

Bug Fixes

  • Text selection breaks opening of links in new tabs
  • Do not add empty use/svg tags in ExcerptParser
  • Skip email if blank while syncing SSO attributes.
  • TL4 user is not redirected to latest when delete topic
  • Do not count deleted post for upload ref security
  • Adds negative skidding to popper offset
  • Data-popper-reference-hidden too broad
  • Fix margin on mini-tag-chooser
  • Prevents msg-actions to show hover text
  • Generates automatic slug for trashed channels
  • TL4 user can see deleted topics
  • Allow modals to scroll on mobile when keyboard is open
  • Don’t display staff-only options to non-staff in group member bulk menu
  • Move min tag setting to tags section in edit category
  • Deleted misconfigured embeddable hosts
  • Query UploadReference in UploadSecurity for existing uploads
  • Switch email domain site settings type to host_list
  • Do not override channel name when category selected
  • Enqueue notify_mailing_list_subscribers when post is recovered
  • Change wording from title ->` name in channel about page
  • New hashtag support for narrative bot advanced narrative
  • Validate tags parameter of TopicQuery
  • Fix incorrect hashtag setting migration
  • Use hashtags in channel archive PMs if available
  • Add migration to reindex invalid indexes
  • Ensure poll extraction is not attempted if post body is absent
  • Preload user sidebar attrs when ?enable_sidebar=1
  • Prevent concurrent updates to top_topics
  • Ruby 2 backward compatible plugin logout redirect
  • Fix flaky test resulting from PostAlerter keyword arguments
  • Improve error reporting and failure modes for channel archiving
  • Regression in TopicTrackingState MessageBus message scope. (#19835)
10 Likes