Skip to content

20240919: Safety patches

Pre-release
Pre-release
Compare
Choose a tag to compare
@GaiZhenbiao GaiZhenbiao released this 18 Sep 04:47
· 7 commits to main since this release
20240919-4
20b2e02
English Version (Click to expand)

This update brings numerous security bug fixes, and it is recommended for all users to install.

Bug Fixes

  • Added additional checks when creating/deleting history records (@GaiZhenbiao)
  • Added extra checks when loading prompt templates (@GaiZhenbiao)
  • Triggered exceptions if the python multipart boundary is too long to address server crashes with overly long boundaries (@GaiZhenbiao)
  • Added additional checks when deleting history records (@GaiZhenbiao)
  • Introduced a timeout mechanism when searching history records using regex to prevent ReDoS issues (@GaiZhenbiao)
  • Added additional checks when refreshing history records (@GaiZhenbiao)
  • Implemented additional sanitization when uploading history records to resolve potential XSS issues. Furthermore, the method of saving history records has been modified to exclude HTML tags (@GaiZhenbiao)
  • Added checks for username validity when loading history record files (@GaiZhenbiao)
  • Resolved the LFI issue when uploading history file (@GaiZhenbiao)
  • Fixed the issue that any user can restart the service. Added admin_list parameter in the config. (@GaiZhenbiao)
  • Resolved an issue where users could access other users' histories (@GaiZhenbiao, @Keldos-Li)

Miscellaneous

  • Changed the log level of non-existent history records to debug (@GaiZhenbiao)

KNOWN ISSUES

  • LaTeX rendering is disabled due to an issue in Gradio
    LaTeX rendering is disabled due to an issue in Gradio

Full Changelog: 2024091...2024091

这枚更新带来了许多安全bug修复,推荐所有用户安装。

Bug Fixes

  • 在创建/删除历史记录时加入额外的检查 (@GaiZhenbiao)
  • 在加载prompt模板时加入额外的检查 (@GaiZhenbiao)
  • 如果python multipart的边界过长,则触发异常,以解决在超长边界时服务器死机问题 (@GaiZhenbiao)
  • 在删除历史记录时加入额外的检查 (@GaiZhenbiao)
  • 在用正则表达式搜索历史记录时加入超时机制,以避免ReDoS问题 (@GaiZhenbiao)
  • 在刷新历史记录时加入额外的检查 (@GaiZhenbiao)
  • 在上传历史记录时加入额外的清洁,以解决潜在的XSS问题。此外,也修改了保存历史记录的方式,不再包含HTML标签。 (@GaiZhenbiao)
  • 在加载历史记录文件时加入对用户名合法性的检查 (@GaiZhenbiao)
  • 解决上传历史记录时的LFI问题 (@GaiZhenbiao)
  • 解决了任何用户都可以重启服务的问题,只有管理员用户可以重启服务。(@GaiZhenbiao)
  • 解决了用户可能访问其他用户历史记录的问题 (@GaiZhenbiao, @Keldos-Li)

Miscellaneous

  • 将历史记录不存在的日志级别修改为 debug (@GaiZhenbiao)

KNOWN ISSUES

  • 由于 Gradio 的一个问题,LaTeX 渲染被禁用
    LaTeX rendering is disabled due to an issue in Gradio

Full Changelog: 2024091...2024091

Contributors

Keldos-Li and GaiZhenbiao
Assets 2
Loading