Indico 2.3 released [v2.3.5 - ⚠ SECURITY UPDATE]

Announcements
1

We just released Indico 2.3; to get an overview about what’s new, check out blog post about the release.

For a detailed list of improvements, head over to the changelog .

When upgrading, make sure to take the additional steps into account which are recommended during the upgrade from 2.2 to 2.3! This is especially important if you are using OAuth for SSO

Version 2.3.x will be the last Indico versions to support Python 2.7; the next major release will be 3.0 which will require Python 3 - but more on that topic in the future.

4 Likes
3

We have released v2.3.1 which contains some bugfixes and improvements. It also contains a security fix, but thanks to the feature in question being broken, the security issue was not exploitable (see note below).

:warning: Security fixes

  • Fix potential data leakage between OAuth-authenticated and unauthenticated HTTP API requests for the same resource (#4663)
    Note: Due to OAuth access to the HTTP API having been broken until this version, we do not believe this was actually exploitable on any Indico instance. In addition, only Indico administrators can create OAuth applications, so regardless of the bug there is no risk for any instance which does not have OAuth applications with the read:legacy_api scope.

:tada: Improvements

  • Generate material packages in a background task to avoid timeouts or using excessive amounts of disk space in case of people submitting several times (#4630)
  • Add new EXPERIMENTAL_EDITING_SERVICE setting to enable extending an event’s Editing workflow through an OpenReferee server (#4659)

:bug: Bugfixes

  • Only show the warning about draft mode in a conference if it actually has any contributions or timetable entries
  • Do not show incorrect modification deadline in abstract management area if no such deadline has been set (#4650)
  • Fix layout problem when minutes contain overly large embedded images (#4653, #4654)
  • Prevent pending registrations from being marked as checked-in (#4646, thanks @OmeGak)
  • Fix OAuth access to HTTP API (#4663)
  • Fix ICS export of events with draft timetable and contribution detail level (#4666)
  • Fix paper revision submission field being displayed for judges/reviewers (#4667)
  • Fix managers not being able to submit paper revisions on behalf of the user (#4667)

:wrench: Internal Changes

  • Add registration_form_wtform_created signal and send form data in registration_created and registration_updated signals (#4642, thanks @OmeGak)
  • Add logged_in signal
4

We have released v2.3.2 which contains some bugfixes and improvements.

:tada: Improvements

  • Disable title field by default in new registration forms (#4688, #4692)
  • Add gender-neutral “Mx” title (#4688, #4692)
  • Add contributions placeholder for emails (#4716, thanks @bpedersen2)
  • Show program codes in contribution list (#4713)
  • Display the target URL of link materials if the user can access them (#2599, #4718)
  • Show the revision number for all revisions in the Editing timeline (#4708)

:bug: Bugfixes

  • Only consider actual speakers in the “has registered speakers” contribution list filter (#4712, thanks @bpedersen2)
  • Correctly filter events in “Sync with your calendar” links (this fix only applies to newly generated links) (#4717)
  • Correctly grant access to attachments inside public sessions/contribs even if the event is more restricted (#4721)
  • Fix missing filename pattern check when suggesting files from Paper Peer Reviewing to submit for Editing (#4715)
  • Fix filename pattern check in Editing when a filename contains dots (#4715)
  • Require explicit admin override (or being whitelisted) to override blockings (#4706)
  • Clone custom abstract/contribution fields when cloning abstract settings (#4724, thanks @bpedersen2)
  • Fix error when rescheduling a survey that already has submissions (#4730)
5

We have released v2.3.3 which contains a low-severity security fix, some bugfixes and improvements. It also added a new Ukrainian translation

:warning: Security fixes

  • JSON locale data for invalid locales is no longer cached on disk; instead a 404 error is triggered. This avoids creating small files in the cache folder for each invalid locale that is requested. (#4766)

:flags: Internationalization

  • New translation: Ukrainian :ukraine:

:tada: Improvements

  • Add a new “Until approved” option for a registration form’s “Modification allowed” setting (#4740, thanks @vasantvohra)
  • Show last login time in dashboard (#4735, thanks @vasantvohra)
  • Allow Markdown in the “Message for complete registrations” option of a registration form (#4741)
  • Improve video conference linking dropdown for contributions/sessions (hide unscheduled, show start time) (#4753)
  • Show timetable filter button in conferences with a meeting-like timetable

:bug: Bugfixes

  • Fix error when converting malformed HTML links to LaTeX
  • Hide inactive contribution/abstract fields in submit/edit forms (#4755)
  • Fix adding registrants to a session ACL

:wrench: Internal Changes

  • Videoconference plugins may now display a custom message for the prompt when deleting a videoconference room (#4733)
  • Videoconference plugins may now override the behavior when cloning an event with attached videoconference rooms (#4732)
7

We have released v2.3.4 which contains a medium-severity security fix, some bugfixes and improvements.

:warning: Security fixes

  • Fix some open redirects which could help making harmful URLs look more trustworthy by linking to Indico and having it redirect the user to a malicious site (#4814, #4815)
  • The BASE_URL is now always enforced and requests whose Host header does not match are rejected. This prevents malicious actors from tricking Indico into sending e.g. a password reset link to a user that points to a host controlled by the attacker instead of the actual Indico host (#4815)

Note: If the webserver is already configured to enforce a canonical host name and redirects or rejects such requests, this cannot be exploited. Additionally, exploiting this problem requires user interaction: they would need to click on a password reset link which they never requested, and which points to a domain that does not match the one where Indico is running.

:tada: Improvements

  • Fail more gracefully is a user has an invalid locale set and fall back to the default locale or English in case the default locale is invalid as well
  • Log an error if the configured default locale does not exist
  • Add ID-1 page size for badge printing (#4774, thanks @OmeGak)
  • Allow managers to specify a reason when rejecting registrants and add a new placeholder for the rejection reason when emailing registrants (#4769, thanks @vasantvohra)

:bug: Bugfixes

  • Fix the “Videoconference Rooms” page in conference events when there are any VC rooms attached but the corresponding plugin is no longer installed
  • Fix deleting events which have a videoconference room attached which has its VC plugin no longer installed
  • Do not auto-redirect to SSO when an MS office user agent is detected (#4720, #4731)
  • Allow Editing team to view editables of unpublished contributions (#4811, #4812)

:wrench: Internal Changes

  • Also trigger the ical-export metadata signal when exporting events for a whole category
  • Add primary_email_changed signal (#4802, thanks @openprojects)
9

We have released v2.3.5 which contains a low-severity security fix, some bugfixes and improvements. It also added new Polish and Mongolian translations.

Note: This is likely the last release of the 2.x series; unless any significant bug or security issue is discovered, the next release will most likely be 3.0.

:warning: Security fixes

  • Fix XSS vulnerabilities in the category picker (via category titles), location widget (via room and venue names defined by an Indico administrator) and the “Indico Weeks View” timetable theme (via contribution/break titles defined by an event organizer). As neither of these objects can be created by untrusted users (on a properly configured instance) we consider the severity of this vulnerability “minor” (#4897)

:flags: Internationalization

  • New translation: Polish :poland:
  • New translation: Mongolian :mongolia:

:tada: Improvements

  • Add an option to not disclose the names of editors and commenters to submitters in the Paper Editing module (#4829, #4865)

:bug: Bugfixes

  • Do not show soft-deleted long-lasting events in category calendar (#4824)
  • Do not show management-related links in editing hybrid view unless the user has access to them (#4830)
  • Fix error when assigning paper reviewer roles with notifications enabled and one of the reviewing types disabled (#4838)
  • Fix viewing timetable entries if you cannot access the event but a specific session inside it (#4857)
  • Fix viewing contributions if you cannot access the event but have explicit access to the contribution (#4860)
  • Hide registration menu item if you cannot access the event and registrations are not exempt from event access checks (#4860)
  • Fix inadvertently deleting a file uploaded during the “make changes” Editing action, resulting in the revision sometimes still referencing the file even though it has been deleted from storage (#4866)
  • Fix sorting abstracts by date (#4877)

:wrench: Internal Changes

  • Add before_notification_send signal (#4874, thanks @OmeGak)