From 4da64ceb23e69da3953f9c454ea261d9d0621e25 Mon Sep 17 00:00:00 2001 From: Ozzie Isaacs Date: Sun, 31 Oct 2021 11:31:53 +0100 Subject: [PATCH] Update to version 0.6.14 --- SECURITY.md | 24 ++ cps/constants.py | 2 +- optional-requirements.txt | 2 +- setup.cfg | 3 +- test/Calibre-Web TestSummary_Linux.html | 303 +++++++++--------------- 5 files changed, 145 insertions(+), 189 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 2f36fac8..dc763184 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -3,3 +3,27 @@ ## Reporting a Vulnerability Please report security issues to ozzie.fernandez.isaacs@googlemail.com + +## Supported Versions + +To receive fixes for security vulnerabilities it is required to always upgrade to the latest version of Calibre-Web. See https://github.com/janeczku/calibre-web/releases/latest for the latest release. + +## History + +| Fixed in | Description |CVE number | +| ---------- |---------|---------| +| 3rd July 2018 | Guest access acts as a backdoor|| +| V 0.6.7 |Hardcoded secret key for sessions |CVE-2020-12627 | +| V 0.6.13|Calibre-Web Metadata cross site scripting |CVE-2021-25964| +| V 0.6.13|Name of Shelves are only visible to users who can access the corresponding shelf Thanks to @ibarrionuevo|| +| V 0.6.13|JavaScript could get executed in the description field. Thanks to @ranjit-git || +| V 0.6.13|JavaScript could get executed in a custom column of type "comment" field || +| V 0.6.13|JavaScript could get executed after converting a book to another format with a title containing javascript code|| +| V 0.6.13|JavaScript could get executed after converting a book to another format with a username containing javascript code|| +| V 0.6.13|JavaScript could get executed in the description series, categories or publishers title|| +| V 0.6.13|JavaScript could get executed in the shelf title|| +| V 0.6.13|Login with the old session cookie after logout. Thanks to @ibarrionuevo|| +| V 0.6.14|CSRF was possible. Thanks to @mik317 || +| V 0.6.14|Cross-Site Scripting vulnerability on typeahead inputs. Thanks to @notdodo|| + + diff --git a/cps/constants.py b/cps/constants.py index 367bc29d..012d0d39 100644 --- a/cps/constants.py +++ b/cps/constants.py @@ -151,7 +151,7 @@ def selected_roles(dictionary): BookMeta = namedtuple('BookMeta', 'file_path, extension, title, author, cover, description, tags, series, ' 'series_id, languages, publisher') -STABLE_VERSION = {'version': '0.6.14 Beta'} +STABLE_VERSION = {'version': '0.6.14'} NIGHTLY_VERSION = {} NIGHTLY_VERSION[0] = '$Format:%H$' diff --git a/optional-requirements.txt b/optional-requirements.txt index af068a51..cfa2bfc3 100644 --- a/optional-requirements.txt +++ b/optional-requirements.txt @@ -1,5 +1,5 @@ # GDrive Integration -gevent>20.6.0,<21.2.0 +gevent>20.6.0,<22.0.0 greenlet>=0.4.17,<1.2.0 httplib2>=0.9.2,<0.20.0 oauth2client>=4.0.0,<4.1.4 diff --git a/setup.cfg b/setup.cfg index 58213f47..76f7e405 100644 --- a/setup.cfg +++ b/setup.cfg @@ -18,6 +18,7 @@ classifiers = Development Status :: 5 - Production/Stable License :: OSI Approved :: GNU Affero General Public License v3 Programming Language :: Python :: 3 + Programming Language :: Python :: 3.5 Programming Language :: Python :: 3.6 Programming Language :: Python :: 3.7 Programming Language :: Python :: 3.8 @@ -56,7 +57,7 @@ install_requires = [options.extras_require] gdrive = google-api-python-client>=1.7.11,<2.1.0 - gevent>20.6.0,<21.2.0 + gevent>20.6.0,<22.0.0 greenlet>=0.4.17,<1.2.0 httplib2>=0.9.2,<0.20.0 oauth2client>=4.0.0,<4.1.4 diff --git a/test/Calibre-Web TestSummary_Linux.html b/test/Calibre-Web TestSummary_Linux.html index 7cdaa5a0..1733a51a 100644 --- a/test/Calibre-Web TestSummary_Linux.html +++ b/test/Calibre-Web TestSummary_Linux.html @@ -37,20 +37,20 @@
-

Start Time: 2021-10-29 07:17:17

+

Start Time: 2021-10-30 19:49:15

-

Stop Time: 2021-10-29 10:46:29

+

Stop Time: 2021-10-30 23:31:02

-

Duration: 2h 49 min

+

Duration: 3h 2 min

@@ -378,13 +378,13 @@ - + TestDeleteDatabase 1 - 0 1 0 0 + 0 Detail @@ -392,32 +392,11 @@ - +
TestDeleteDatabase - test_delete_books_in_database
- -
- FAIL -
- - - - + PASS @@ -1240,15 +1219,15 @@ AssertionError: '' != 'No matching records found' - + TestEditBooksList - 10 - 9 - 1 + 18 + 18 + 0 0 0 - Detail + Detail @@ -1274,7 +1253,7 @@ AssertionError: '' != 'No matching records found' -
TestEditBooksList - test_bookslist_edit_languages
+
TestEditBooksList - test_bookslist_edit_comment
PASS @@ -1283,7 +1262,7 @@ AssertionError: '' != 'No matching records found' -
TestEditBooksList - test_bookslist_edit_publisher
+
TestEditBooksList - test_bookslist_edit_cust_category
PASS @@ -1292,7 +1271,7 @@ AssertionError: '' != 'No matching records found' -
TestEditBooksList - test_bookslist_edit_series
+
TestEditBooksList - test_bookslist_edit_cust_comment
PASS @@ -1301,7 +1280,7 @@ AssertionError: '' != 'No matching records found' -
TestEditBooksList - test_bookslist_edit_seriesindex
+
TestEditBooksList - test_bookslist_edit_cust_enum
PASS @@ -1309,6 +1288,78 @@ AssertionError: '' != 'No matching records found' + +
TestEditBooksList - test_bookslist_edit_cust_float
+ + PASS + + + + + + +
TestEditBooksList - test_bookslist_edit_cust_int
+ + PASS + + + + + + +
TestEditBooksList - test_bookslist_edit_cust_ratings
+ + PASS + + + + + + +
TestEditBooksList - test_bookslist_edit_cust_text
+ + PASS + + + + + + +
TestEditBooksList - test_bookslist_edit_languages
+ + PASS + + + + + + +
TestEditBooksList - test_bookslist_edit_publisher
+ + PASS + + + + + + +
TestEditBooksList - test_bookslist_edit_series
+ + PASS + + + + + + +
TestEditBooksList - test_bookslist_edit_seriesindex
+ + PASS + + + + +
TestEditBooksList - test_bookslist_edit_title
@@ -1317,36 +1368,16 @@ AssertionError: '' != 'No matching records found' - +
TestEditBooksList - test_list_visibility
- -
- FAIL -
- - - - + PASS - +
TestEditBooksList - test_restricted_rights
@@ -1355,7 +1386,7 @@ AssertionError: 9 != 17 - +
TestEditBooksList - test_search_books_list
@@ -1365,11 +1396,11 @@ AssertionError: 9 != 17 - + TestEditBooksOnGdrive 20 - 19 - 1 + 20 + 0 0 0 @@ -1550,31 +1581,11 @@ AssertionError: 9 != 17 - +
TestEditBooksOnGdrive - test_watch_metadata
- -
- FAIL -
- - - - + PASS @@ -1943,12 +1954,12 @@ AssertionError: 'series' unexpectedly found in {'id': 5, 're - + TestKoboSyncBig 4 - 1 - 1 - 2 + 4 + 0 + 0 0 Detail @@ -1957,60 +1968,20 @@ AssertionError: 'series' unexpectedly found in {'id': 5, 're - +
TestKoboSyncBig - test_kobo_sync_selected_shelfs
- -
- ERROR -
- - - - + PASS - +
TestKoboSyncBig - test_sync_changed_book
- -
- ERROR -
- - - - + PASS @@ -2024,31 +1995,11 @@ IndexError: list index out of range - +
TestKoboSyncBig - test_sync_shelf
- -
- FAIL -
- - - - + PASS @@ -2950,11 +2901,11 @@ AssertionError: 1 != 0 - + TestShelf 13 - 11 - 1 + 12 + 0 0 1 @@ -2973,31 +2924,11 @@ AssertionError: 1 != 0 - +
TestShelf - test_adv_search_shelf
- -
- FAIL -
- - - - + PASS @@ -4151,10 +4082,10 @@ AssertionError: 0 != 5 Total - 358 - 345 - 5 - 2 + 366 + 360 + 0 + 0 6   @@ -4561,7 +4492,7 @@ AssertionError: 0 != 5