Beta Security Release v0.30.7
Dan Brown posted on the 18th of December 2020
In continuation of the patches in v0.30.6, BookStack v0.30.7 has been released to address an issue that could lead to restricted page content being made visible in exports. As with the last release, you should upgrade to this release as soon as possible if you make use of page-level permissions at all. Apologies for the frequency of security releases.
Impact
The content of pages made non-viewable to a user via permissions, within a visible parent, could be seen via the plaintext export option. Before v0.30.6 this applied only to scenarios where all pages within the chapter were made non-visible; in v0.30.6 it made all pages within the chapter visible.
Patches
This has been patched in v0.30.7.
Workarounds
Please update. As a temporary workaround, you could make the parent chapters/books inaccessible.
References
Attribution
A big thanks again to @cdrfun for discovering and reporting this issue.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack Security Advice to contact someone privately.
Header Image Credits: Photo by Aubrey Odom on Unsplash