Version 4.3.6

Announcements Releases
1

Released: February 19, 2023

Status: Stable

Changes

This version backports fixes from versions 4.4.3 and 4.4.4.

Authentication OTP

The interface of the library used for generating QRCodes changed and
broke the OTP QRCode generation. The image interface was updated, a new
test added, and the entire QRCode generation simplified to lower the
changes of future regressions.

Dependencies

The Python Transifex client was remove and replace with the new Go based
client. This client is OS dependent and needs to be installed manually
when working with translations (https://github.com/transifex/cli).

REST API

The validation errors in the document metadata API were incorrectly
causing HTTP 500 server errors. A custom REST API exception handler was
added to workaround inconsistent validation exception behavior in the
Django REST framework and ensure validation error raise a HTTP 400 error
instead.

Tags

The tag labels are now sanitized when generating the Select2 user
interface widget template. This closes the XSS weakness reported in
CVE-2022-47419: Mayan EDMS Tag XSS.

This is a limited scope weakness of the tagging system markup that can
be used to display an arbitrary text when selecting a tag for attachment
to or removal from a document.

It is not possible to circumvent Mayan EDMS access control system or
expose arbitrary information with this weakness.

Attempting to exploit this weakness requires a privileged account and is
not possible to enable from a guest or an anonymous account. Visitors to
a Mayan EDMS installation cannot exploit this weakness.

It is also being incorrectly reported that this weakness can be used to
steal the session cookie and impersonate users. Since version 1.4 (March
23, 2012) Django has included the httponly attribute for the session
cookie. This means that the session cookie data, including sessionid,
is no longer accessible from JavaScript.
https://docs.djangoproject.com/en/4.1/releases/1.4/

Mayan EDMS currently uses Django 3.2. Under this version of Django The
SESSION_COOKIE_HTTPONLY defaults to True, which enables the
httponly for the session cookie making it inaccessible to JavaScript
and therefore not available for impersonation via session hijacking.
https://docs.djangoproject.com/en/3.2/ref/settings/#session-cookie-httponly

Django’s SESSION_COOKIE_HTTPONLY setting is not currently exposed by
Mayan EDMS’ setting system, therefore it is not possible to disable
this protection by conventional means.

Any usage of this weakness remains logged in the event system making it
easy to track down any bad actors.

Due to all these factors, the surface of attack of this weakness is very
limited, if any.

There are no known actual or theoretical attacks exploiting this
weakness to expose or destroy data.

Other

  • Ensure migration 80 of the documents app completes even when
    documents files exceed the maximum field size.

Removals

  • Transifex Python client.

Backward incompatible changes

  • None

Deprecations

  • None

Issues closed

  • None