3.1.0.beta2: Security fixes, new API scopes and more

This beta includes several security fixes for issues reported by our community and HackerOne. It also includes improvements to API scopes.

Security

  • Prevent XSS in local oneboxes (CVE-2023-22468)
  • Exclude_tags param could leak which topics had a specific hidden tag (CVE-2023-23624)
  • Only show restricted tag lists to authorized users (CVE-2023-23620)
  • Prevent ReDoS in user agent parsing (CVE-2023-23621)
  • Prevent ReDOS by making the SSH url regex unambiguous (CVE pending)
  • Remove bypass for base_url (CVE-2023-23615)
  • Limit the character count of group membership requests (CVE-2023-23616)
  • Limit the length of drafts (CVE-2023-22739)
  • Limit chat drafts length and preloaded count (CVE-2023-22740)
  • Bump Rails to v7.0.4.1 (see rubyonrails.org announcement)
  • Default tags to show count of topics in unrestricted categories (CVE pending)

New Features

  • Add API scopes for suspending users, creating invites, searching
  • Add better TikTok onebox support
  • Allow admins to permanently delete revisions
  • Add setting that allows TL4 users to deleted posts
  • Allow TL4 users to see unlisted topics
  • Show more context in Discourse-to-Discourse topic oneboxes

Additional Features and Fixes

Click to expand
  • Allow changing slug on chat create channel
  • Introduce pg_force_readonly_mode GlobalSetting
  • Add in:polls filter to search
  • Add rake task to mark old hashtag format for rebake
  • Verify email webhook signatures
  • Extend topic update API scope to allow status updates
  • Raise redirect avatar cache to 1 day
  • Add basic instrumentation to defer queue
  • Allow group owners promote more owners

Bug Fixes

  • Lazy_yt_enabled doesn’t affect the engine
  • Delete reviewables associated to posts automatically
  • Text selection breaks opening of links in new tabs
  • Do not add empty use/svg tags in ExcerptParser
  • Skip email if blank while syncing SSO attributes.
  • TL4 user is not redirected to latest when delete topic
  • Do not count deleted post for upload ref security
  • Adds negative skidding to popper offset
  • Data-popper-reference-hidden too broad
  • Fix margin on mini-tag-chooser
  • Prevents msg-actions to show hover text
  • Generates automatic slug for trashed channels
  • TL4 user can see deleted topics
  • Allow modals to scroll on mobile when keyboard is open
  • Don’t display staff-only options to non-staff in group member bulk menu
  • Move min tag setting to tags section in edit category
  • Deleted misconfigured embeddable hosts
  • Query UploadReference in UploadSecurity for existing uploads
  • Switch email domain site settings type to host_list
  • Do not override channel name when category selected
  • Enqueue notify_mailing_list_subscribers when post is recovered
  • Change wording from title ->` name in channel about page
  • New hashtag support for narrative bot advanced narrative
  • Restore class-property babel transform for themes
  • Validate tags parameter of TopicQuery
  • Display Discourse onebox tag icon properly in chat
  • Fix incorrect hashtag setting migration
  • Use hashtags in channel archive PMs if available
  • Add migration to reindex invalid indexes
  • Ensure poll extraction is not attempted if post body is absent
  • Preload user sidebar attrs when ?enable_sidebar=1
  • Prevent concurrent updates to top_topics
  • Ruby 2 backward compatible plugin logout redirect
  • Fix flaky test resulting from PostAlerter keyword arguments
  • Regression in TopicTrackingState MessageBus message scope.
  • Improve error reporting and failure modes for channel archiving

UX Changes

  • Remove extra whitespace in search helper
  • Prevent user card status overflow
  • Improve bulk button layout and alignment
  • Fixes and adjustments for user nav
  • Set penalty history to sticky
  • Hide date in timeline when wrapping
  • Remove left margin
  • Add margin to search keyword
  • Switch categories-boxes layouts from flexbox to grid
  • Prevent search context btn text from wrapping
  • Add missing space and other minor search adjustments
  • Reorders chat-channel fields
  • Restyle quote/share popup, fix hover jitter
  • Refactor alignment of tag icon in Discourse onebox
  • Fix alignment issues with autocomplete
  • Streamline avatar in topic list

Performance

  • Don’t parse posts for mentions when user status is disabled
  • N+1 queries when viewing tags

Accessibility

  • Discourse-tags should have a role and label
  • Add aria-labels for flagging textareas
  • Remove heading tags from user profile
  • Add secondary skip link to user profiles
  • More descriptive user page titles
  • Add aria tags to the new user nav
11 Likes

But wait, there’s more!

We do our best to highlight new features and changes for you, but there’s always too many changes to describe. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Plugin improvements

discourse-animated-avatars

Bug Fixes
  • Default user serializer animated avatar to nil

discourse-assign

New Features
  • Automatically open assignee chooser
  • Show user status when search assignees

discourse-calendar

New Features
  • Add minimal option to events
Bug Fixes
  • The event doesn’t load after creating it
  • Add missing translation for event reminder push notification title

discourse-characters-required

Bug Fixes
  • Component import

discourse-code-review

Bug Fixes
  • Allow diff with first commit
  • Skip irrelevant PR events

discourse-encrypt

Bug Fixes
  • Broken mention lookup

discourse-prometheus-alert-receiver

Performance
  • Remove open/firing alerts query that is no longer used client side.

discourse-zendesk-plugin

UX Changes
  • Improve setting names and descriptions
6 Likes