Difference between revisions of "EPrints 3.4.3"

From EPrints Documentation
(Adds changes up to 22nd February 2021)

Revision as of 21:43, 23 February 2021

This page contains information about the provisional EPrints v3.4.3 tag and release on GitHub scheduled for the end of December 2020.

Planned Features and Improvements

  • Improvements for Accessibility of backend administration pages.
  • Review of EPrints support for multiple different XML libraries.
  • Better sanitisation of filenames for uploads.
  • Tools to fix and protection against generation of invalid XML revision files.

See 3.4.3 milestone on GitHub for more details.

Provisional Release Notes

New Dependencies

None as yet. Check earlier dependencies for EPrints 3.4.2 and before.


Changes Since 3.4.2

New Functionality

  • Provides function (EPrints::Utils::compare_version) for comparing EPrints software versions so plugins can choose to behave differently.
  • Adds jquery EPrints 3.4 ingredient to allow jQuery resources to be incorporated if required by non-core EPrints functionality. Ingredient added but commented out in flavours/pub_lib/inc.
  • Provides picker for date fields to reduce potential for human error.


Security and Privacy Improvements

  • Makes JSON export respect value set for export_as_xml to avoid exporting unintended fields.
  • Sets contact_email to not export by default for better GDPR compliance.
  • Rate limits failed local login attempts for a particular user. Defaults to 10 failed login attempts in 10 minutes (using $c->{max_login_attempts} and $c->{lockout_minutes} configuration options).
  • Rate limits new account requests. Defaults to 100 requests in an hour-long period, to avoid causing problems with planned mass sign-up events. Configured using $c->{max_account_requests} and $c->{max_account_requests_minutes} options.
  • Limits the maximum length of a password (default 200 characters) to prevent specific Denial-of-Service attacks.
  • Modifies the latex invocation to make it more secure and to ensure it writes to the correct output directory.
  • Removes legacy /cgi/latex2png script to prevent Remote Code Execution (RCE) from CVE-2021-3342.
  • Validates parameters passed to /cgi/cal script to protect against RCE and Cross Site Scripting (XSS) from CVE-2021-26475 and CVE-2021-26476.
  • Validates dataset parameter passed to /cgi/dataset_dictionary to protect against XSS from CVE-2021-26702.
  • Validates parameters passed to /cgi/history_search to protect against the possibility of XSS and MySQL injection vulnerabilities, although none currently exploitable.
  • Validates verb passed to /cgi/toolbox/toolbox to protect against RCE from CVE-2021-26704.
  • Allows EPrints::XML::parse_string to temporarily modify the parser configuration so that the /cgi/ajax/phrase script can disable expansion of XML entities, protecting against CVE-2021-26703.
  • Ensures the eprints_lang cookie explicitly sets the SameSite attribute to Lax if HTTPS is not enabled, or sets the secure attribute to 1 if it is.
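As an added illustration (not EPrints' own code), the following Perl shows the sliding-window semantics behind the four rate-limit options above, using the configuration keys and defaults stated in these release notes; the window function, the sub names and the sample timestamps are assumptions constructed here.

```perl
#!/usr/bin/perl
# Added example (not EPrints' own code): sliding-window limiter showing the
# semantics of the 3.4.3 rate-limit options named in the release notes.
use strict;
use warnings;

# Configuration hash in the style of an EPrints cfg.d/*.pl file, using the
# option names and defaults from the release notes.
my $c = {};
$c->{max_login_attempts}           = 10;   # failed logins allowed per window
$c->{lockout_minutes}              = 10;   # window length for failed logins
$c->{max_account_requests}         = 100;  # new-account requests allowed per window
$c->{max_account_requests_minutes} = 60;   # window length for account requests

# Returns true when at least $max events (epoch seconds in @$events) fall
# within the last $minutes minutes before $now.
sub over_limit
{
    my( $events, $max, $minutes, $now ) = @_;
    my $cutoff = $now - $minutes * 60;
    my $recent = grep { $_ >= $cutoff } @$events;
    return $recent >= $max;
}

# Should a further login attempt for this user be refused right now?
# @$failures holds the timestamps of this user's recent failed logins.
sub login_locked_out
{
    my( $c, $failures, $now ) = @_;
    return over_limit( $failures, $c->{max_login_attempts},
        $c->{lockout_minutes}, $now );
}

# Should a further new-account request be refused right now?
# @$requests holds the timestamps of recent account requests, site-wide.
sub account_requests_exhausted
{
    my( $c, $requests, $now ) = @_;
    return over_limit( $requests, $c->{max_account_requests},
        $c->{max_account_requests_minutes}, $now );
}

# Constructed sample data: nine failures in the last five minutes plus one
# stale failure an hour ago, which falls outside the ten-minute window.
my $now      = time();
my @failures = ( $now - 3600, map { $now - 30 * $_ } 1 .. 9 );
printf "after 9 recent failures, locked out: %s\n",
    login_locked_out( $c, \@failures, $now ) ? "yes" : "no";

push @failures, $now;   # a tenth failure inside the window
printf "after 10 recent failures, locked out: %s\n",
    login_locked_out( $c, \@failures, $now ) ? "yes" : "no";
```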

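Added example, not the EPrints implementation: a Perl wrapper around XML::LibXML (the library the notes say will remain supported) that turns entity substitution and external DTD loading off only for the duration of one parse and restores the caller's parser options afterwards, which is the pattern the parse_string change above describes. The wrapper name and the sample document are assumptions.

```perl
#!/usr/bin/perl
# Added example (not EPrints' own code): parse untrusted XML with entity
# expansion disabled for one call only, then restore the parser's options.
use strict;
use warnings;
use XML::LibXML;

# Parses $xml with $parser, but with entity substitution and external DTD
# loading switched off for this call. The previous option values are put
# back afterwards, even if parsing dies, so other users of a shared parser
# object see no change in behaviour.
sub parse_string_no_entities
{
    my( $parser, $xml ) = @_;
    my @opts  = qw( expand_entities load_ext_dtd );
    my %saved = map { $_ => $parser->get_option( $_ ) } @opts;
    $parser->set_option( expand_entities => 0 );
    $parser->set_option( load_ext_dtd    => 0 );
    my $doc   = eval { $parser->parse_string( $xml ) };
    my $error = $@;
    $parser->set_option( $_ => $saved{$_} ) for @opts;
    die $error if $error;
    return $doc;
}

# Constructed sample: an internal entity that a parser left at its default
# settings would substitute into the element content.
my $xml = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE phrase [ <!ENTITY greeting "hello"> ]>
<phrase>&greeting;</phrase>
XML

my $parser = XML::LibXML->new();   # default is expand_entities => 1

my $doc   = parse_string_no_entities( $parser, $xml );
my $child = $doc->documentElement->firstChild;
# With expansion off, the child is an entity reference node (libxml2 node
# type 5) rather than a text node (type 3) holding the substituted value.
print "first child node type: ", $child->nodeType, "\n";
print "expand_entities restored to: ",
    $parser->get_option( 'expand_entities' ), "\n";
```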

General Improvements

  • Resolves all accessibility errors and most alerts (as reported by the WAVE Web Accessibility Evaluation Tool) for backend admin pages as listed in the Accessibility report.
  • Appropriately uses protocol-relative, preferred (i.e. https where available) or absolute path URLs instead of http URLs to avoid mixed content warnings and other similar issues.
  • Uses HTML class for Longtext_counter counter line and provides CSS to by default make this red and bold if the maxwords limit is exceeded.
  • Allows full path or just subject name to be displayed for values set in subjects field by setting render_path attribute (true by default).
  • Allows time between password reset requests to be configured (to a number of hours) rather than hard-coded to 24 hours.
  • Adds option to set status of EPrints that should be checked by check_xapian script.
  • Adds date_embargo_retained field to Documents to retain the embargo date after the embargo is lifted.
  • Adds deprecation warning to indicate only LibXML library will be supported in future versions of EPrints. (Version for removal yet to be confirmed).
  • Adds basic default citation for files.
  • Adds validation for date fields to prevent invalid dates being set.
  • Allows files to be stored to disk with generic filenames (i.e. <fileid>.bin) rather than the upload filename, which can cause retrieval problems, by setting the $c->{generic_filenames} configuration setting.
  • Adds code to lib and pub_lib versions of security.pl to deal with a request-a-copy access issue if the repository has the coversheets plugin enabled.
  • Allows sub-fields to have help texts configured.
  • Generates log message for views that have reached their max_items limit.
  • Allows document fields displayed in an eprint's Details tab to be configured.
  • Adds data-context attributes to aid CSS styling of HTML div elements within search forms.
  • Improves scaling of Lightbox popups on narrow screens.
  • Allows a pin to set the id or class attribute for a template HTML element to facilitate different CSS styling on different pages.
  • Prompts for organisation name when creating a new archive using epadmin create.
  • Allows classes to be assigned to parts (i.e. top, left, main, after, etc.) of abstract/summary pages to facilitate better CSS styling.
  • Allows search results forms to be configured to automatically reload on ordering change.
  • Allows classes for EPrints' user menu (i.e. by default ep_tm_key_tools) to be configured to better integrate with institutional branding.
  • Adds commented advice on fixing issues with PDF thumbnail generation using ImageMagick.
  • Tidies up citations by removing identical flavours/pub_lib/ citations that appear in lib/.
  • Allows max_files that can be expanded from an uploaded zip file to be configured. (Previously hardcoded to 100 file limit).
  • Allows customisable overriding of type-mapping based on ispublished value for BibTeX and RIS export. (I.e. not using @unpublished type if ispublished set to unpub).


Bug Fixes

  • Prevents access code from changing if request a copy is approved multiple times (and warns if request has already been approved).
  • Fixes formatting of results from user search introduced by accessibility changes in 3.4.2.
  • Updates issue citation to use <div> rather than and tags so it works with accessibility changes introduced in 3.4.2.
  • Deals more gracefully if History DataObj's parent does not exist when checking if it is an EPrints::List.
  • Fixes internal server error when trying to save values to a non-multiple compound field.
  • Fixes issue with XML import setting unset compound subfields to NULL rather than empty string.
  • Fixes errors on import pages caused by Accessibility improvements and fixes other Accessibility issues for import pages.
  • Fixes broken link of default 401 error page.
  • Sets STDOUT and STDERR binmode to utf8 to avoid wide character errors.
  • Fixes user history layout as a result of earlier Accessibility improvements.
  • Fixes missing phrases reported in error logs. Typically fieldhelp phrases for sub-fields of compound fields, which are generally not rendered but still report missing phrase warnings.
  • Sets SameSite property to None for secure login and request copy cookies as Google Chrome is now quite strict about this.
  • Provides handling for XML parsing of revision files to show a warning for the particular revision in the history tab rather than an internal server error for the whole page.
  • Allows use of same pin multiple times within a phrase.
  • Prevents undefined $c->{aliases} from causing epadmin config_core to fail.
  • Ensures saved searches indicate email notifications cannot be sent when the Xapianv2 (in addition to Xapian) plugin has been used for the original search.
  • Adds missing event_queue phrases.
  • Fixes inappropriate mapping of monograph_type in BibTeX import.
  • Fixes erroneous post-login redirection when login required to access eprint summary/abstract pages and long URLs (e.g. /id/eprint/1234) enabled.
  • Ensures readonly attribute works for MetaField::Set in compound-multiple fields.
  • Adds missing reason phrase for RejectWithEmail screen plugin.