v3.0.6
Changelog for reva 1.20.0 (2022-11-24)
The following sections list the changes in reva 1.20.0 relevant to
reva users. The changes are ordered by importance.
Summary
- Sec cs3org#3316: Mitigate XSS
- Fix cs3org#3455: Fixes panic in case of empty configuration
- Fix cs3org#3311: Remove FIXME
- Fix cs3org#3396: Fix the Ceph Docker image repository URL
- Fix cs3org#3055: Fix quota for LW accounts
- Fix cs3org#3361: Use custom reva logger in ocs
- Fix cs3org#3344: Fix quota percentage
- Fix cs3org#2979: Removed unused datatx code
- Fix cs3org#2973: Fix datatxtarget uri when prefix is used
- Fix cs3org#3319: Fix oidc provider crash when custom claims are provided
- Fix cs3org#3481: OIDC: resolve users with no uid/gid by username
- Fix cs3org#3055: Get user from user provider in oidc driver
- Fix cs3org#3053: Temporary read user acl instead of sys acl
- Enh cs3org#3401: Make WOPI bridged apps (CodiMD) configuration non hard-coded
- Enh cs3org#3402: Block users
- Enh cs3org#3098: App provider http endpoint uses Form instead of Query
- Enh cs3org#3116: Implementation of cback storage driver for REVA
- Enh cs3org#3422: Migrate Codacy from Drone to Codacy/GitHub integration
- Enh cs3org#3412: Migrate Fossa from Drone to GitHub Integration
- Enh cs3org#3367: Update go version
- Enh cs3org#3467: Enable gocritic linter in golangci-lint and solve issues
- Enh cs3org#3463: Enable gofmt linter in golangci-lint and apply gofmt
- Enh cs3org#3471: Enable goimports and usestdlibvars in golangci-lint
- Enh cs3org#3466: Migrate golangci-lint from Drone to GitHub Actions
- Enh cs3org#3465: Enable revive linter in golangci-lint and solve issues
- Enh cs3org#3487: Enable staticcheck linter in golangci-lint and solve issues
- Enh cs3org#3475: Enable the style linters
- Enh cs3org#3070: Allow http service to expose prefixes containing /
- Enh cs3org#2986: Better display name in apps for all user types
- Enh cs3org#3303: Added support for configuring language locales in apps
- Enh cs3org#3348: Revamp lightweight accounts
- Enh cs3org#3304: Add http service to send email for shares
- Enh cs3org#3072: Mesh meta data operators
- Enh cs3org#3313: Fix content-type for OCM sharing
- Enh cs3org#3234: Add post create home hook for eos storage driver
- Enh cs3org#3347: Implemented PROPFIND with 0 depth
- Enh cs3org#3056: Add public share auth provider
- Enh cs3org#3305: Add description to public link
- Enh cs3org#3163: Add support for quicklinks for public shares
- Enh cs3org#3289: Make Refresh Lock operation WOPI compliant
- Enh cs3org#3315: Accept reva token as a bearer authentication
- Enh cs3org#3438: Sanitize non-utf8 characters in xattr values in EOS
- Enh cs3org#3221: Site Accounts improvements
- Enh cs3org#3404: Site accounts & Mentix updates
- Enh cs3org#3424: Expire tokens on sunday
- Enh cs3org#2986: Use email as display name for external users opening WOPI apps
Details
-
Security cs3org#3316: Mitigate XSS
We've mitigated an XSS vulnerability caused by HTTP responses that included user-provided
values without escaping, in pkg/siteacc/siteacc.go and
internal/http/services/ocmd/invites.go. The patch passes the user-provided values through
html.EscapeString before they are written to the HTTP responses of both files.
-
Bugfix cs3org#3455: Fixes panic in case of empty configuration
Makes sure the config map is allocated prior to setting it
-
Bugfix cs3org#3311: Remove FIXME
Issue cs3org#2402 is closed.
-
Bugfix cs3org#3396: Fix the Ceph Docker image repository URL
-
Bugfix cs3org#3055: Fix quota for LW accounts
LW accounts do not have quota assigned.
-
Bugfix cs3org#3361: Use custom reva logger in ocs
-
Bugfix cs3org#3344: Fix quota percentage
-
Bugfix cs3org#2979: Removed unused datatx code
An OCM reference is not created for a data transfer type share.
-
Bugfix cs3org#2973: Fix datatxtarget uri when prefix is used
When a webdav prefix is used, it appears in both the host and the name parameter of the target
URI for data transfer. This PR fixes that.
-
Bugfix cs3org#3319: Fix oidc provider crash when custom claims are provided
-
Bugfix cs3org#3481: OIDC: resolve users with no uid/gid by username
Previously we resolved such users (so-called "lightweight" or "external" accounts in the CERN
realm) by email, but it turns out that the same email may have multiple accounts associated with
it. Therefore we now resolve them by username, that is the upn, which is unique.
-
Bugfix cs3org#3055: Get user from user provider in oidc driver
For oidc providers that only respond with standard claims, use the user provider to get the
user.
-
Bugfix cs3org#3053: Temporary read user acl instead of sys acl
We read the user acl in EOS until the migration of all user acls to sys acls is done.
-
Enhancement cs3org#3401: Make WOPI bridged apps (CodiMD) configuration non hard-coded
The configuration of the custom mimetypes has been moved to the AppProvider, and the given
mimetypes are used to configure bridged apps by sharing the corresponding config item to the
drivers.
-
Enhancement cs3org#3402: Block users
Allows an operator to set a list of users that are banned for every operation in reva.
-
Enhancement cs3org#3098: App provider http endpoint uses Form instead of Query
The app provider http endpoint now uses the Form instead of Query, so that it also supports
application/x-www-form-urlencoded parameters.
-
Enhancement cs3org#3116: Implementation of cback storage driver for REVA
This is a read only fs interface.
-
Enhancement cs3org#3422: Migrate Codacy from Drone to Codacy/GitHub integration
-
Enhancement cs3org#3412: Migrate Fossa from Drone to GitHub Integration
-
Enhancement cs3org#3367: Update go version
Update go version to 1.19 in go.mod
-
Enhancement cs3org#3467: Enable gocritic linter in golangci-lint and solve issues
-
Enhancement cs3org#3463: Enable gofmt linter in golangci-lint and apply gofmt
-
Enhancement cs3org#3471: Enable goimports and usestdlibvars in golangci-lint
We've enabled the goimports and usestdlibvars linters in golangci-lint and solved the
related issues.
-
Enhancement cs3org#3466: Migrate golangci-lint from Drone to GitHub Actions
-
Enhancement cs3org#3465: Enable revive linter in golangci-lint and solve issues
-
Enhancement cs3org#3487: Enable staticcheck linter in golangci-lint and solve issues
-
Enhancement cs3org#3475: Enable the style linters
We've enabled the stylecheck, whitespace, dupword, godot and dogsled linters in
golangci-lint and solved the related issues.
-
Enhancement cs3org#3070: Allow http service to expose prefixes containing /
-
Enhancement cs3org#2986: Better display name in apps for all user types
This includes a "FirstName FamilyName (domain)" format for non-primary accounts, and a
sanitization of the email address claim for such non-primary accounts.
-
Enhancement cs3org#3303: Added support for configuring language locales in apps
This is a partial backport from edge: we introduce a language option in the appprovider, which,
if set, is passed as the appropriate parameter to the external apps in order to force a given
localization. In particular, for Microsoft Office 365 the DC_LLCC option is set as well. The
default behavior is unset, where apps try to resolve the localization from the browser
headers.
-
Enhancement cs3org#3348: Revamp lightweight accounts
Re-implements the lightweight account scope check, making it more efficient. Also, the ACLs
for the EOS storage driver for the lw accounts are set atomically.
-
Enhancement cs3org#3304: Add http service to send email for shares
-
Enhancement cs3org#3072: Mesh meta data operators
To better support sites that run multiple instances, the meta data have been extended to
include a new hierarchy layer called 'operators'. This PR brings all necessary changes in the
Mentix and site accounts services.
-
Enhancement cs3org#3313: Fix content-type for OCM sharing
This fix changes the content type to just "application/json".
-
Enhancement cs3org#3234: Add post create home hook for eos storage driver
-
Enhancement cs3org#3347: Implemented PROPFIND with 0 depth
-
Enhancement cs3org#3056: Add public share auth provider
Add a public share auth middleware
-
Enhancement cs3org#3305: Add description to public link
-
Enhancement cs3org#3163: Add support for quicklinks for public shares
-
Enhancement cs3org#3289: Make Refresh Lock operation WOPI compliant
We now support the WOPI compliant UnlockAndRelock operation. This has been implemented in
the Eos FS. To make use of it, we need a compatible WOPI server.
cs3org#3289
https://learn.microsoft.com/en-us/microsoft-365/cloud-storage-partner-program/rest/files/unlockandrelock
-
Enhancement cs3org#3315: Accept reva token as a bearer authentication
-
Enhancement cs3org#3438: Sanitize non-utf8 characters in xattr values in EOS
-
Enhancement cs3org#3221: Site Accounts improvements
The site accounts admin panel has been reworked and now also shows which sites aren't
configured properly yet. Furthermore, a bug that prevented users from changing site
configurations has been fixed.
-
Enhancement cs3org#3404: Site accounts & Mentix updates
Some small improvements to the Site Accounts and Mentix services, including normalization of
data exposed at the /cs3 endpoint of Mentix.
-
Enhancement cs3org#3424: Expire tokens on sunday
-
Enhancement cs3org#2986: Use email as display name for external users opening WOPI apps
We now use the email claim for external/federated accounts as the username that is then
passed to the wopiserver and used as displayName in the WOPI context.
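
Added example for the Security cs3org#3316 entry above (not code from reva; the handlers, the /lookup path, the email parameter and the response text are hypothetical): a Go handler that writes a request value into an HTML response, first unescaped and then passed through html.EscapeString as the entry describes, exercised in-process with a constructed probe value.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Hypothetical response template; reva's real messages are not shown on this page.
const tmpl = "<p>No account found for %s</p>"

// unescapedHandler writes the user-provided value verbatim (the pre-fix pattern).
func unescapedHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, tmpl, r.FormValue("email"))
}

// escapedHandler applies html.EscapeString first, so <, >, &, ' and " become entities.
func escapedHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, tmpl, html.EscapeString(r.FormValue("email")))
}

// render calls a handler in-process with the given value and returns the response body.
func render(h http.HandlerFunc, value string) string {
	req := httptest.NewRequest(http.MethodGet, "/lookup?email="+url.QueryEscape(value), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

// reflectsMarkup reports whether the probe survived into the body as live markup.
func reflectsMarkup(body, probe string) bool {
	return strings.Contains(body, probe)
}

func main() {
	probe := `<script>alert(1)</script>` // constructed test value
	for name, h := range map[string]http.HandlerFunc{
		"unescaped": unescapedHandler, "escaped": escapedHandler,
	} {
		body := render(h, probe)
		fmt.Printf("%-9s live markup=%v body=%s\n", name, reflectsMarkup(body, probe), body)
	}
}
```

html.EscapeString covers values placed in HTML element content or quoted attribute values; a value written into a script block or a URL needs encoding for that context instead.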