Zotonic is the content management system and framework for semantic data and high connectivity web sites.
This is a maintenance release. All important changes are also done on the master branch for the 1.x version.
Main changes are:
- Security fixes by extra sanitization of redirect URLs in authentication and language switching
- Fix an information leak about possible usernames by adding more constant time password checks, even if there is no valid user.
- Update of jquery ui to 1.13.
- Show 2FA status in the user overview in the admin.
- Remove the APIs /api/base/persistent_get and /api/base/persistent_put.
- Option to add a SEO noindex to all pages of a certain category.
The persistent APIs are removed, as they could be used to store information on the server by anonymous users.
With the configuration key
site.email_images_noembed it is possible to disable the embedding of
images in emails. If this key is set to true value then the images will be URLs and downloaded from
the webserver when the email is viewed.
This results in smaller emails, but the images might not be viewed by the recipient (as some email
agents don’t show image by default).
Colin de Roos (1):
- Check for empty search string (#3074)
Marc Worrell (34):
- mod_seo: add all available hreflang and x-default links to head. (#3066)
- Set Docker files to Erlang 21.3
- Dockerfile: update keys
- Docker: add oidcc for docker images.
- docs: add note in search.rst about difference in syntax between tpl and stored query
- core: in emails, only embed images < 1MB. (#3082)
- core: fix site.email_images_noembed check
- core: fix an issue where the search_result page count was off by one.
- core: fix a problem where a search could result in illegal SQL
- Add ‘delete username’ button to change pw dialog (#3037)
- core: add option to exclude categories from the SEO indexing.
- Set docs ubuntu version to 20.04 - as 18.04 is being deprecated
- GH Action docs: upgrade ubuntu and python
- Add translations
- Update po files
- mod_base: upgrade jquery-ui to 1.13.1
- Merge pull request #3092 from zotonic/jquery-ui-1.13-0x
- Merge pull request #3089 from zotonic/seo-noindex-cat-0x
- Fix po files
- mod_base: add option to controller_template to set the http status code (0.x) (#3094)
- mod_menu: filter menu_is_visible now also checks for exists.
- mod_base: remove persistent_get and persistent_set services. Fix #3103 (#3104)
- core: add timer on pw checks against timing attacks for finding valid usernames (0.x) (#3097)
- mod_video: escape filename for ffmpeg preview cmd (#3114)
- mod_base: more restrictive CSP header in controller_file (0.x) (#3108)
- Filter the redirect args of logon/logoff to ensure that it is a local redirect (#3096)