Beta Security Release v0.30.7
Dan Brown posted on the 18th of December 2020
In continuation of the patches in v0.30.6, BookStack v0.30.7 has been released to address an issue that could lead to restricted page content being made visible in exports. As with the last release, You should upgrade to this released as soon as possible if you make use of page-level permissions at all. Apologies for the frequency of security releases.
The content of pages made non-viewable to a user via permissions, within a visible parent, could be seen via the plaintext export option. Before v0.30.6 this would have applied only to scenarios where all pages within the chapter were made non-visible. In v0.30.6 this would make all pages within the chapter visible.
This has been patched in v0.30.7.
Please update. As a temporary workaround you could make parent chapters/books non accessible.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack Security Advice to contact someone privately.