Diffstat (limited to 'docs/_posts/2015-07-10-v1.5.5.md')
-rw-r--r-- docs/_posts/2015-07-10-v1.5.5.md | 50 +
1 file changed, 50 insertions, 0 deletions
diff --git a/docs/_posts/2015-07-10-v1.5.5.md b/docs/_posts/2015-07-10-v1.5.5.md
new file mode 100644
index 000000000..b82c55738
--- /dev/null
+++ b/docs/_posts/2015-07-10-v1.5.5.md
@@ -0,0 +1,50 @@
+---
+layout: post
+title: Version 1.6
+author: matthew
+---
+
+<div class="r" align="right">
+<a data-flickr-embed="true" href="https://www.flickr.com/photos/caffeina/2079673826/" title="security"><img src="https://farm3.staticflickr.com/2065/2079673826_c4edb07e4d.jpg" width="500" height="333" alt="security"></a><script async src="//embedr.flickr.com/assets/client-code.js" charset="utf-8"></script>
+</div>
+
+We’ve released **version 1.6** of FixMyStreet (previously numbered 1.5.5).
+
+This release includes important security fixes:
+
+* A vulnerability in login email sending that could allow an account to
+ be hijacked by a third party;
+* Alterations to token logging in and timeout behaviour;
+* A dependency update to fix an issue with Unicode characters in passwords.
+
+More details on those items below. Other items in this release include a
+Chinese translation, a bug fix with shrunken update photos, and some front end
+improvements, such as a ‘hamburger’ menu icon and an easier Report button on
+mobile, and resized map pins based on zoom level.
+
+See the full list of changes
+[over on GitHub](https://github.com/mysociety/fixmystreet/releases).
+
+Security fixes
+--------------
+
+**Login email account hijacking:**
+Due to the way parameters were passed into the token table in the database, it
+was possible for someone to request a login email for one email address, but
+have the login email sent to different address. This would allow a third party
+to log in as someone else, letting them make reports or updates as that person.
+
+The code has been rewritten so all user parameter passing goes through central
+functions that return only one parameter even if the user has passed multiple
+parameters. [More details of this class of vulnerability](http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/).
+
+**Email authentication tokens:**
+Problem confirmation tokens had to be used within a month; this now applies to
+all confirmation tokens, and email sign in tokens are valid for a day. Using
+those tokens after confirmation will redirect correctly, but no longer log you
+in; links in alert emails will no longer log you in.
+
+**Unicode characters in passwords:**
+The package our code uses to encode database columns,
+DBIx::Class::EncodedColumn, could have issues with Unicode characters provided
+to it. This was fixed by upgrading the version we use.