continuwuation/continuwuity
continuwuation/continuwuity
12
46
Fork 42
Code Issues 97 Pull requests 22 Releases 24 Packages 3 Activity Actions
24 releases 27 tags
  • v0.3.3 fe637f481d

    v0.3.3 Stable

    girlbossceo released this 2024-05-11 18:29:00 +00:00 | 2697 commits to main since this release

    conduwuit

    Release 0.3.3

    Hi everyone! conduwuit 0.3.3 has been released. This is a security-enhancement focused release along with lots of bug fixes and a new moderation feature.

    List of changes include:

    • Send a strong[1] Content-Security-Policy HTTP header for all conduwuit response headers if not already present
    • Send various other security-related HTTP headers such as X-Content-Type-Options: nosniff, X-XSS-Protection: 0[2], X-Frame-Options: DENY, Origin-Agent-Cluster: ?1[3], and Permissions-Policy: interest-cohort=(),browsing-topics=()
    • Perform additional sanitisation on the filename for the Content-Disposition (this was already being URL-safe encoded, but we perform our own ad-hoc sanitisation for improved security)
    • Return inline Content-Disposition based on our own detection of the file type, only return inline on user multi-media MIME types, and not trust the Content-Type header. Always fallback to attachment
    • Fix user /report's incorrectly saying you are not in the room
    • Fix non-functional unbans due to broken upstream code
    • Moderation feature to automatically deactivate the accounts of any users who attempt to join any malicious room based on your global ACLs, banned rooms, etc
    • Don't send the avatar_url or user display name on ban events as they may be potentially offensive
    • Forget all the rooms when leaving all rooms for a user upon account deactivation
    • Resolve various arithmetic and type casting correctness
    • Fix user presence statuses showing up as empty strings (noticeable in at least FluffyChat as empty white pills on users)
    • Fix incorrect appservice namespace alias check
    • Lots and lots of documentation revamps and improvements, also link to transfem.dev's rules document, and add a contributing guide
    • Fix using conduwuit on NixOS without flakes
    • Enable io_uring/liburing as a default feature for performance improvements
    • Bump all the dependencies, and bump the MSRV to 1.77.0

    [1]: sandbox; default-src 'none'; font-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self'; frame-ancesors 'none'; (Note this only affects the content being loaded, not what's loading the content. Images should not have permission to execute JavaScript or across same-origin content to attempt XSS)
    [2]: Vulnerabilities caused by XSS filtering
    [3]: This is a browser sandbox security feature by requesting your browser to render content in their own dedicated isolated process, apart of improved origin isolation

    The addition of these security headers such as the CSP are not only apart of Matrix spec as a recommendation, untrusted user-uploaded content should be heavily isolated and sandboxed from, and not allowed any permissions, as a general recommendation (e.g. XMPP's XEP-0363). This is in response to the previous high severity security release to not only retain the filename as apart of the Content-Disposition header for browsers, we can still provide the improved UX of allowing inline Content-Disposition for user multi-media (images, videos, audio, etc) and still make sure the user is as secure as possible from any XSS concerns or exploits via the various HTTP security headers.

    Commit history: https://github.com/girlbossceo/conduwuit/compare/v0.3.2...v0.3.3

    GitHub Releases | Docker Hub | NixOS

    Liberapay | GitHub Sponsors | Ko-fi

    Chat with us in #conduwuit:puppygock.gay

    Downloads
  • v0.3.2 cb70d51e2b

    v0.3.2 Stable

    girlbossceo released this 2024-05-05 20:52:51 +00:00 | 2756 commits to main since this release

    This is a security release.

    The Content-Disposition HTTP header has always been set to inline which causes untrusted content opened in browsers to be rendered, including HTML files, instead of downloading. This release forces them to all be attachment. This has no impact on Matrix clients.

    Users who use a restrictive Content-Security-Policy are not affected by any XSS concerns here.

    Downloads
  • v0.3.1 42e3567153

    v0.3.1 Stable

    girlbossceo released this 2024-05-03 06:18:24 +00:00 | 2760 commits to main since this release

    conduwuit

    Release 0.3.1

    Hi everyone! conduwuit 0.3.1 has been released. This is a minor maintenance follow-up to last week's release which was very well received by many new users. This week was mostly cleanup, improvements, and some bug fixes. Some of the changes include:

    • Add Complement testing support to CI.
    • Optimize RocksDB compaction to further reduce database file count.
    • Improve concurrency on single-core systems.
    • Fix presence status results from /presence/{userId}/status. (/sync results unaffected).
    • Nix flake fixes and improvements; cache dependencies in binary cache and improve build performance.
    • Workaround room creation requests with non-spec compliant initial_state bodies (source was an appservice).
    • Start uploading container images to GitLab Container Registry.
    • Bump all the dependencies everywhere (maintenance)
    • General code cleanups, minor optimisations, and maintenance refactors before we transition out of feature-freeze and prepare for the next major release.

    GitHub Releases | Docker Hub | NixOS

    Liberapay | GitHub Sponsors | Ko-fi

    Chat with us in #conduwuit:puppygock.gay

    Downloads
  • v0.3.0 341bafb91e

    v0.3.0 Stable

    girlbossceo released this 2024-04-26 06:03:40 +00:00 | 2853 commits to main since this release

    The "first" official stable tagged release of conduwuit!

    what is conduwuit?

    conduwuit is a well-maintained, featureful, hard-fork of Conduit with tons of new features, many bug fixes, huge performance improvements, quality of life enhancements, moderation tools, and much more. It's fully database compatible with upstream, no migration path is necessary. You can switch between the two with no issues. Check out the full list of differences and features here! https://conduwuit.puppyirl.gay/differences.html

    First ever TWIM post: https://matrix.org/blog/2024/04/26/this-week-in-matrix-2024-04-26/#conduwuit-website

    Downloads