Difference between revisions of "EPrints 3.4.2"
Latest revision as of 21:50, 18 July 2021
Release Notes
EPrints 3.4.2 is now available from files.eprints.org (https://files.eprints.org/2500) and GitHub (https://github.com/eprints/eprints3.4/releases/tag/v3.4.2).
- Zero codename: Blueberry Muffin Derecho
- Publication flavour codename: Pecan Pie Huaico (1.2)
New Dependencies
Dependencies can be installed as RPMs (yum install PACKAGE), DEBs (apt-get install PACKAGE) or CPAN (cpan MODULE).  Perl's Text::Unidecode module is now needed to better order browse views.
- Perl Text::Unidecode module
  - RPM: perl-Text-Unidecode
  - DEB: libtext-unidecode-perl
  - CPAN: Text::Unidecode
Also see new dependencies for EPrints 3.4.1 if you are upgrading from 3.4.0 or earlier.
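As an added illustration of why the new Text::Unidecode dependency matters for browse-view ordering (example code written for this page, not taken from the EPrints code base): a small Perl script that builds an ASCII sort key for person names and compares the result with a plain codepoint sort. The sample names and the sort_key helper are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not EPrints project code: build a transliterated sort key for
# person names with Text::Unidecode (the new 3.4.2 dependency) so that accented
# and mixed-case names order consistently, as a browse view would want.
use strict;
use warnings;
use utf8;
use Text::Unidecode;
use Test::More tests => 2;

binmode STDOUT, ':encoding(UTF-8)';

# Constructed sample names, not data from any real repository.
my @names = ("Émile Zola", "eric blair", "Ångström, Anders", "Zoë Smith", "Eric Blair");

# Hypothetical helper: transliterate to ASCII, fold case, drop punctuation,
# and normalise whitespace so that only letters, digits and spaces decide order.
sub sort_key {
    my ($name) = @_;
    my $key = lc unidecode($name);   # "Émile" -> "emile", "Ångström" -> "angstrom"
    $key =~ s/[^a-z0-9 ]+//g;
    $key =~ s/\s+/ /g;
    $key =~ s/^ //;
    $key =~ s/ $//;
    return $key;
}

# Order by the sanitised key; fall back to the raw string so ties are stable.
sub ordered_names {
    return sort { sort_key($a) cmp sort_key($b) || $a cmp $b } @_;
}

# A plain sort compares Unicode codepoints, so "É" (U+00C9) and "Å" (U+00C5)
# land after every ASCII letter, including the lower-case ones.
my @naive  = sort @names;
my @sorted = ordered_names(@names);

print "codepoint order: ", join(" | ", @naive),  "\n";
print "key order:       ", join(" | ", @sorted), "\n";

is($naive[-1], "Émile Zola", "codepoint sort pushes accented names to the end");
is_deeply(\@sorted,
    ["Ångström, Anders", "Émile Zola", "Eric Blair", "eric blair", "Zoë Smith"],
    "transliterated keys give the order a reader expects");
```

The key is only used for ordering; the original name is still what gets displayed, so transliteration never leaks into rendered pages.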
Changes since 3.4.1
New Functionality
- Capability for enabling caching of citations to improve page load times, particularly browse views.
- Provides HTTP PATCH functionality to support incremental metadata changes (particularly useful for Symplectic Repository Tools 2 integration).
- Provides facility to define custom handlers for integration with third party applications.
- New DOI import plugin using UNIXREF that provides a richer source of metadata.
- Allows access records to be saved and processed from disk rather than a database table (requires manual enabling / still experimental).
- Supports embedded HTML5 video blocks including subtitles.
- New MetaField for case insensitive IDs, useful for usernames and email addresses.
- New MetaField for keywords. Backwards compatible with text and longtext fields but more accurate at matching individual potentially multiple word keywords.
- New MetaField that adds a word count to long text fields (requires jQuery to be installed in the archive's javascript/auto/ directory).
- Allows requests from certain countries to skip the reCAPTCHA check (e.g. reCAPTCHA is blocked in China).
- Render function to allow publications with long creators/editors lists to be neatly truncated.
- Script for generating XML sitemaps for use with tools like Google Search Console.
Security Improvements
- Prevention of offsite redirects after login.
- Logs out all sessions on password change.
- Rate limits number of password reset emails that can be sent.
- Ensures document full texts are reindexed (added to or removed from the index) when document security settings change.
- Blocks JavaScript in uploaded HTML documents from potentially performing malicious actions as the logged in user.
- Restricts get_tables call for database to those in the current repository.
- Evaluates user-defined can_request_view_document to ensure errors do not lead to unauthorised access to documents, and adds notifications for system administrators in webserver logs and epadmin test (mainly to handle Apache 2.4 raising an error when calling $r->connection->remote_ip).
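The first item in this list, preventing off-site redirects after login, is a standard open-redirect defence. The following Perl script is an added example written for this page, not EPrints' own implementation, of how such a check can validate a post-login return URL; it assumes the URI module is installed and uses a made-up repository base URL.

```perl
#!/usr/bin/perl
# Added example, not EPrints project code: validate the "return to" URL used
# after login so that a crafted login link cannot send the user off-site.
use strict;
use warnings;
use URI;
use Test::More tests => 8;

# Hypothetical repository base URL; a real deployment would read this from config.
my $BASE_URL = 'https://repo.example.org';

# Returns $target if it points back into this repository, otherwise $fallback.
sub safe_return_url {
    my ($target, $fallback) = @_;
    $fallback = '/' unless defined $fallback;

    return $fallback unless defined $target && length $target;
    # Control characters and whitespace never belong in a redirect target.
    return $fallback if $target =~ /[\x00-\x20\x7f]/;
    # Some browsers read "/\host" as "//host", so refuse backslashes outright.
    return $fallback if $target =~ /\\/;

    if ($target =~ m{^/}) {
        # Site-relative path: exactly one leading slash, so "//host/x" is refused.
        return ($target eq '/' || $target =~ m{^/[^/]}) ? $target : $fallback;
    }

    # Absolute URL: accept only when scheme, host and port match our own base.
    my $uri  = URI->new($target);
    my $base = URI->new($BASE_URL);
    return $fallback unless $uri->scheme && $uri->can('host');
    return $fallback unless lc($uri->scheme) eq lc($base->scheme);
    return $fallback unless defined $uri->host && lc($uri->host) eq lc($base->host);
    return $fallback unless $uri->port == $base->port;
    # Re-emit as a site-relative path so userinfo or odd encodings are not echoed.
    return $uri->path_query || '/';
}

# Constructed inputs covering the common open-redirect shapes.
is(safe_return_url('/cgi/users/home'), '/cgi/users/home', 'site-relative path is kept');
is(safe_return_url('https://repo.example.org/cgi/users/home?x=1'), '/cgi/users/home?x=1', 'own host is reduced to its path');
is(safe_return_url('//evil.example/'), '/', 'protocol-relative URL falls back');
is(safe_return_url('/\\evil.example'), '/', 'backslash variant falls back');
is(safe_return_url('https://evil.example/'), '/', 'foreign host falls back');
is(safe_return_url('https://repo.example.org:8443/x'), '/', 'own host on another port falls back');
is(safe_return_url('javascript:alert(1)'), '/', 'non-HTTP scheme falls back');
is(safe_return_url(undef, '/cgi/users/home'), '/cgi/users/home', 'missing target uses the given fallback');
```

The check only ever returns a path, never a host: even a matching absolute URL is reduced to its path and query, so the Location header sent after login cannot carry a user-supplied host, userinfo or fragment.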
General Improvements
- Improves accessibility of EPrints user interfaces.
- Allows subject line of RequestCopy emails to be customised by the user (in case item being requested has no title set).
- Better parsing of BibTeX for import.
- Better error and warning colours for command lines tools.
- Better formatting of person name strings.
- Allows server-wide specification of EPrints flavour (rather than just archive level).
- New functions for ordering various types of MetaField or for sanitising ordering, ensuring (person) names are consistently ordered.
- Enables multi-lingual support for templates, tooltips and workflow headings.
- Removes any remaining use of full URLs within default template and static pages that can cause a multitude of issues including http/https interoperability.
- Comprehensive review and addition of missing phrases.
- Allows epadmin create to set an organisation name as a phrase.
- Improves compound multiple field table rendering to not display lots of UNSPECIFIED if a column has no row with a value set.
- Better support for read-only MetaFields.
- Provides EPrints Script test for whether one string contains another.
- Provides checking for individual user roles within a workflow.
- Allows data objects other than EPrint to have revision histories.
- Improves Xapian indexing checking.
- Additions to index tokenizer mappings.
- Removes Text::Unidecode Perl module as this is better provided by Linux package repositories.
- Allows user-defined sort functions for browse views.
- Adds user-definable get_item method for ItemRef MetaFields so fromform method can be used with this type of field.
- Adds user-definable render_item function for ItemRef MetaFields so ItemRef fields can be usefully rendered in browse views.
- Adds classes for option list HTML elements to make it easier to apply CSS styles.
- Adds HTTPS support for SWORD deposit client.
- Generally reduces the use of full URL (with protocol) when absolute/relative path would be more appropriate.
- Makes "Remove Item (with notification)" appear on actions bar when item is in live archive to make it consistent with "Remove Item".
Bug fixes
- Fixes typo affecting position of Review page's move to archive button.
- Fixes error that broke JavaScript for expanding dl tree elements.
- Fixes broken epm command line tool.
- Fixes bug with feeds for latest_tool page.
- Fixes bug causing update_triples event queue tasks to fail.
- Fixes bug with 404 error when attempting to access RequestCopy page.
- Fixes some general encoding issues in export plugins.
- Fixes bug to again allow epadmin test to be run without an archive specified.
- Fixes bug with warning of missing brief citation for event queue.
- Fixes issue with MySQL no longer allowing creation of a MySQL user on granting of privileges.
- Allows DOI to be exported to EndNote for any publication type.
- Fixes bugs with HTTPS everywhere configuration breaking some URLs in OAI-PMH and elsewhere.
- Fixes substring out of bounds error when there is no icon URL for a document.
- Fixes hard-coding of entry UID for History iCal export.
- Fixes lack of link for non-specified year items in year browse view menu.
- Fixes issue with use of EPrints::Sword::Utils.
- Fixes check for whether a browse view is a list based on prefix of view's ID.
- Various fixes to image and video conversion through changes to convert and ffmpeg parameters.
- Fixes duplicate event queue tasks being created by resetting to waiting instead.
- Fixes issues accessing Bazaar behind an HTTP proxy.
- Removes hard-coding of EPrints filesystem path where possible.
- Removes hard-coding of site_lib in EPrints include path and all other references.
- Removes TeX::Encode::BibTeX and TeX::Encode::charmap Perl sub-modules as these come as part of TeX::Encode, which should already be installed as a dependency (since EPrints 3.4.1).
- Fixes case-sensitivity on document type guessing when file extension is in upper case.
- Fixes fuzzy matching on browse view causing generate_views to generate more views than expected.
- Fixes typo for epm sources configuration option.
- Better parsing of page ranges that include page numbers with hyphens.
- Fixes typo in index tokenizer's apply_mapping function.
- Fixes issues with Storage Manager when CSRF protection is enabled.
- Fixes broken add and edit phrase functionality when CSRF protection is enabled.
- Fixes "insecure connection" bug when exporting from "Actions" tab.
- Adds most basic default workflow for files to fix viewing of files through "Manage records".
- Tidies up robots.txt generation.
- Fixes broken documentation link on newly created repository homepages.
- Removes missing browse views menu links on zero template.
- Fixes OpenDOAR policy tools link.
Known Vulnerabilities
The following vulnerabilities are patched with the security patch available at https://files.eprints.org/2548:
- /cgi/ajax/phrase: CVE-2021-26703 (Remote Code Execution)
- /cgi/cal: CVE-2021-26475 (Cross-Site Scripting) and CVE-2021-26476 (Remote Code Execution)
- /cgi/dataset_dictionary: CVE-2021-26702 (Cross-Site Scripting)
- /cgi/latex2png: CVE-2021-3342 (Remote Code Execution)
- /cgi/toolbox/toolbox: CVE-2021-26704 (Remote Code Execution)
This patch file also modifies /cgi/history_search to ensure it is not susceptible to MySQL injection or cross-site scripting; however, no exploit for this potential vulnerability was found.
Known Issues
- Search results from admin menu's "Search users" formatting is somewhat broken due to generic changes made to improve accessibility. This patch fixes the issue: https://github.com/eprints/eprints3.4/commit/a0078fa00e1259f07327ebf2ddf1cafdfe4e3ea7
- If your repository has a local version of citations/eprint/result.xml this will cause issues when rendering search results for admin's "Search items" and probably also "Advanced search". Ensure <tr> and <td> tags are replaced with <div> tags. Style attributes can also be removed from these elements as they should now be part of lib/static/style/auto/search.css. If your archive has its own search.css you may need to copy some content from the lib version of search.css as it relates to ep_search_result.
- As issues are not public-facing, the EPrint issue citation was not updated with the public-facing accessibility changes, but issue results will render differently unless this is updated to use <div> tags rather than <tr> and <td> tags. This patch fixes the issue: https://github.com/eprints/eprints3.4/commit/c53677f4f130e303a8cf8513b7c885d62386bec6
- Trying to "Save and Return" on a non-multiple compound field causes an internal server error. This patch fixes the issue: https://github.com/eprints/eprints3.4/pull/84/commits/23cf710a96ac07a44702e4b181b47ec29302e336
- BibTeX import when uploading from a file (not pasted data) fails. This patch fixes the issue: https://github.com/eprints/eprints3.4/commit/001079ce4fafc8d63af925efc639c7a62296c453
Planned Development
See EPrints 3.4.3.
