Age | Commit message | Author |
|
- All users were able to request organizational details from any org,
even if they were not a member (anymore).
Now it will check if that user is a member of the org or not.
- The `/organization/<uuid>/keys` endpoint returned also the private keys.
This should not be the case. Also, according to the upstream server
code the endpoint changed, but the clients do not seem to use it.
I added it anyway just in case they will in the future.
- Also require a valid login before being able to retrieve those org
keys. Upstream does not do this, but I see no reason why not.
Fixes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39925
|
|
|
|
|
|
* Update crates, web-vault and fixes
- Updated crates
- Updated web-vault to v2024.6.2
This version is currently the latest version compatible with our API implementation.
For newer versions we need more code updates to make it compatible.
Thanks to @stefan0xC this version fixes #4628
- Added a small fix to prevent errors in the Vaultwarden and Client logs.
The v2024.6.2 web-vault calls an endpoint with invalid arguments.
If this happens we ignore the call and just return an Ok.
- Added the bulk-collection endpoint (Though not yet available in v2024.6.2)
Fixes #4628
* Prevent bulk remove collections from working
|
|
- fixes https://github.com/dani-garcia/vaultwarden/issues/4528
|
|
- needed to match Bitwarden, some of the feature flags might have uppercase characters (for example: `PM-4154-bulk-encryption-service`)
|
|
* make access_all optional
* use #[serde(default)] instead of unwrapping
|
|
Currently there are no checks done during the actual upload of the file of a send item.
This PR adds several checks to make sure it only accepts the correct uploads.
|
|
- also update the European Union related information for a working setup
- fixes https://github.com/dani-garcia/vaultwarden/issues/4609
|
|
* add organizationID alias for native ios
* add reverse sanity check
|
|
|
|
|
|
- Update Rust to v1.80.0
- Updated GitHub Actions
- Updated crates
|
|
This PR adds a config option to allow the note size to increase to 100_000, instead of the default 10_000.
Since this might cause issues with the clients (in the future), and will cause issues with importing into a Bitwarden server, I added warnings regarding this.
Closes #3168
|
|
* Add initial working Duo Universal Prompt support.
* Add db schema and models for Duo 2FA state storage
* store duo states in the database and validate during authentication
* cleanup & comments
* bump state/nonce length
* replace stray use of TimeDelta
* more cleanup
* bind Duo oauth flow to device id, drop redundant device type handling
* drop redundant alphanum string generation code
* error handling cleanup
* directly use JWT_VALIDITY_SECS constant instead of copying it to DuoClient instances
* remove redundant explicit returns, rustfmt
* rearrange constants, update comments, error message
* override charset on duo state column to ascii for mysql
* Reduce twofactor_duo_ctx state/nonce column size in postgres and maria
* Add fixes suggested by clippy
* rustfmt
* Update to use the make_http_request
* Don't handle OrganizationDuo
* move Duo API endpoint fmt strings out of macros and into format! calls
* Add missing indentation
Co-authored-by: Daniel García <[email protected]>
* remove redundant expiry check when purging Duo contexts
---------
Co-authored-by: BlackDex <[email protected]>
Co-authored-by: Daniel García <[email protected]>
|
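The commit above binds the Duo OAuth flow to the device that started it, stores the state and nonce server-side, and checks them during authentication. The following is an added example of that state-handling pattern in plain Rust (standard library only); it is not vaultwarden's Duo code. The struct and field names, the 32-byte state length, the 300-second validity window and the in-memory `HashMap` standing in for the `twofactor_duo_ctx` table are all assumptions made for this example. Exchanging the Duo authorization code for a token and verifying the nonce in Duo's ID token are outside its scope; it only shows the part the commit message describes: single-use state, expiry, and the device binding.

```rust
use std::collections::HashMap;

/// One pending Duo Universal Prompt login (assumed shape, not the project's model).
#[derive(Clone, Debug, PartialEq)]
pub struct DuoContext {
    pub state: String,
    pub nonce: String,
    pub user_email: String,
    pub device_id: String,
    pub expires_at: u64, // unix seconds
}

#[derive(Debug, PartialEq)]
pub enum DuoError {
    UnknownState,
    Expired,
    DeviceMismatch,
}

/// Random bytes drawn for state and nonce before hex encoding (assumed length).
pub const STATE_BYTES: usize = 32;
/// How long a started flow stays valid (assumed: five minutes).
pub const CTX_VALIDITY_SECS: u64 = 300;

/// In-memory stand-in for the database table of pending contexts.
#[derive(Default)]
pub struct DuoStore {
    contexts: HashMap<String, DuoContext>,
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

impl DuoStore {
    /// Start a flow: draw state and nonce from `fill_random` (real code must
    /// pass a CSPRNG here), store them bound to the device, and return the
    /// context so the caller can build the redirect to Duo.
    pub fn start(
        &mut self,
        email: &str,
        device_id: &str,
        now: u64,
        mut fill_random: impl FnMut(&mut [u8]),
    ) -> DuoContext {
        let mut buf = [0u8; STATE_BYTES];
        fill_random(&mut buf);
        let state = hex(&buf);
        fill_random(&mut buf);
        let nonce = hex(&buf);
        let ctx = DuoContext {
            state: state.clone(),
            nonce,
            user_email: email.to_string(),
            device_id: device_id.to_string(),
            expires_at: now + CTX_VALIDITY_SECS,
        };
        self.contexts.insert(state, ctx.clone());
        ctx
    }

    /// Finish a flow when Duo redirects back with `state`. The context is
    /// removed before any check, so every state is single-use even when a
    /// check fails; then the device that started the flow must be the one
    /// finishing it.
    pub fn finish(&mut self, state: &str, device_id: &str, now: u64) -> Result<DuoContext, DuoError> {
        let ctx = self.contexts.remove(state).ok_or(DuoError::UnknownState)?;
        if now >= ctx.expires_at {
            return Err(DuoError::Expired);
        }
        if ctx.device_id != device_id {
            return Err(DuoError::DeviceMismatch);
        }
        Ok(ctx)
    }

    /// Housekeeping: drop contexts whose validity window has passed.
    /// Returns how many were removed.
    pub fn purge_expired(&mut self, now: u64) -> usize {
        let before = self.contexts.len();
        self.contexts.retain(|_, c| c.expires_at > now);
        before - self.contexts.len()
    }
}

fn main() {
    // Deterministic filler so the demo is reproducible; never do this in production.
    let mut counter = 0u8;
    let demo_rng = |buf: &mut [u8]| {
        for b in buf.iter_mut() {
            counter = counter.wrapping_add(1);
            *b = counter;
        }
    };
    let mut store = DuoStore::default();
    let ctx = store.start("[email protected]", "device-A", 1_000, demo_rng);
    println!("state for redirect: {}", ctx.state);
    println!("finish from another device: {:?}", store.finish(&ctx.state, "device-B", 1_010));
}
```

Because `finish` removes the row before checking, a state observed by a different device cannot be replayed from the original device afterwards; the user simply has to start the login again. Purging is a separate, periodic operation and does not need to re-validate anything beyond the timestamp.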
|
|
|
* allow re-invitations of existing users
* auto-accept existing user if mail is disabled
Apply suggestions from code review
Co-authored-by: Mathijs van Veluw <[email protected]>
---------
Co-authored-by: Mathijs van Veluw <[email protected]>
|
|
- they seem to have started appearing with buildx v0.16.0
- skip lint check for FromPlatformFlagConstDisallowed and RedundantTargetPlatform
|
|
- fixes GHSA-q445-7m23-qrmw by updating openssl to version 0.10.66
|
|
|
|
* Fix for RSA Keys which are read only
Sometimes an RSA Key file could be read only.
We currently failed because we also wanted to write.
Added an extra check if the file exists already and is not 0 in size.
If it already exists and is larger than 0, then open in read only
mode.
Fixes #4644
* Updated code to work atomically
- Changed the code to work atomically
- Also show the alert generated from `Io`
* Fix spelling
|
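The commit above changes key-file handling so that an existing, possibly read-only RSA key file is opened for reading only, and so that creation happens atomically. Below is an added example of that approach using only the Rust standard library; it is not vaultwarden's code and the function names are made up for this example. It relies on `OpenOptions::create_new`, which maps to `O_CREAT | O_EXCL`, so exactly one process can win creation. One deliberate difference from the commit text: an existing but empty file is reported as an error instead of being regenerated, since a 0-byte key file usually means an earlier write was interrupted.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, ErrorKind, Read, Write};
use std::path::Path;

/// Load the key stored at `path`, or create the file atomically and write
/// the bytes produced by `generate` into it. (Example code; name assumed.)
///
/// `create_new(true)` asks the OS for O_CREAT|O_EXCL: exactly one caller
/// creates the file, every other caller sees `AlreadyExists`, so two
/// instances starting at once cannot both generate and overwrite each other.
pub fn load_or_create_key(path: &Path, generate: impl FnOnce() -> Vec<u8>) -> io::Result<Vec<u8>> {
    match OpenOptions::new().write(true).create_new(true).open(path) {
        Ok(mut file) => {
            // We won creation: generate and persist the new key.
            let key = generate();
            file.write_all(&key)?;
            file.sync_all()?;
            Ok(key)
        }
        Err(e) if e.kind() == ErrorKind::AlreadyExists => {
            // Existing file: open read-only. No write permission is required,
            // so a key file that an operator made read-only still loads.
            let mut file = OpenOptions::new().read(true).open(path)?;
            let mut key = Vec::new();
            file.read_to_end(&mut key)?;
            if key.is_empty() {
                // A 0-byte key file points to an earlier interrupted write.
                // Refuse instead of silently generating a fresh key.
                return Err(io::Error::new(
                    ErrorKind::InvalidData,
                    format!("{} exists but is empty", path.display()),
                ));
            }
            Ok(key)
        }
        Err(e) => Err(e),
    }
}

/// Mark a file read-only, as an operator might for a deployed key file.
pub fn make_read_only(path: &Path) -> io::Result<()> {
    let mut perms = fs::metadata(path)?.permissions();
    perms.set_readonly(true);
    fs::set_permissions(path, perms)
}

fn main() -> io::Result<()> {
    let path = std::env::temp_dir().join(format!("rsa_key_example_{}.pem", std::process::id()));
    // Constructed placeholder bytes; real code would generate an RSA key here.
    let first = load_or_create_key(&path, || b"-- placeholder key --".to_vec())?;
    make_read_only(&path)?;
    let second = load_or_create_key(&path, || unreachable!("must not regenerate"))?;
    println!("loaded {} bytes, unchanged: {}", second.len(), first == second);
    let mut perms = fs::metadata(&path)?.permissions();
    perms.set_readonly(false);
    fs::set_permissions(&path, perms)?;
    fs::remove_file(&path)
}
```

The two `open` calls are the whole protocol: the exclusive create decides who writes, and the read-only open is the only path taken for a file that already exists, which is what makes a 0400 key file usable.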
|
- Updated datatables
- Set Cookie Secure flag if the connection is https
- Prevent possible XSS via Organization Name
Converted all `innerHTML` and `innerText` to the Safe Sink version `textContent`
- Removed `jsesc` function as handlebars escapes all these chars already and more by default
|
|
* Improved HTTP client
* Change config compat to use auto, rename blacklist
* Fix wrong doc references
|
|
|
|
|
|
* use a custom plan of enterprise tier to fix limits
* set maxStorageGb limit to max signed int value
|
|
- Add missing `Headers` parameter for some functions
This allowed any request to reach these endpoints without validating the user correctly.
- Changed the functions to retrieve the emergency access record by
using the user uuid which calls the endpoint, instead of validating afterwards.
This is more secure and prevents the need of an if check.
|
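Two commits on this page fix the same class of bug from different angles: the CVE-2024-39925 fix (org details and `/organization/<uuid>/keys` served to non-members, and the keys response including the private key) and the emergency-access fix directly above (records looked up by id and checked for ownership afterwards, or not at all). The pattern both land on is to make the caller's identity part of the lookup and to give the response type no field that could carry a secret. The following is an added illustration of that pattern in plain Rust with an in-memory store; it is not vaultwarden's code, and the type names, the `MembershipStatus` values, which statuses count as "member", and the choice to answer `NotFound` for non-members are all assumptions made for this example.

```rust
use std::collections::HashMap;

/// Membership states as tracked server-side (assumed names for this example).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum MembershipStatus {
    Invited,
    Accepted,
    Confirmed,
    Revoked,
}

/// What the server stores for an organization (assumed shape).
#[derive(Clone, Debug)]
pub struct Organization {
    pub uuid: String,
    pub name: String,
    pub public_key: String,
    /// Stored server-side; must never leave through the keys endpoint.
    pub private_key: String,
}

/// An emergency-access record; `grantor_uuid` is the user whose vault is shared.
#[derive(Clone, Debug, PartialEq)]
pub struct EmergencyAccess {
    pub uuid: String,
    pub grantor_uuid: String,
    pub grantee_email: String,
}

/// Body returned by the org keys endpoint. It has no private-key field at
/// all, so a serialization change cannot leak it by accident.
#[derive(Debug, PartialEq)]
pub struct OrgKeysResponse {
    pub public_key: String,
}

#[derive(Debug, PartialEq)]
pub enum ApiError {
    /// Used for "no such object" and "not yours" alike, so a non-member
    /// cannot use the endpoint to learn which org UUIDs exist.
    NotFound,
}

/// In-memory stand-in for the database (example only).
#[derive(Default)]
pub struct Store {
    orgs: HashMap<String, Organization>,
    /// Keyed by (user_uuid, org_uuid).
    memberships: HashMap<(String, String), MembershipStatus>,
    emergency_access: Vec<EmergencyAccess>,
}

impl Store {
    pub fn add_org(&mut self, org: Organization) {
        self.orgs.insert(org.uuid.clone(), org);
    }
    pub fn set_membership(&mut self, user: &str, org: &str, status: MembershipStatus) {
        self.memberships.insert((user.to_string(), org.to_string()), status);
    }
    pub fn add_emergency_access(&mut self, ea: EmergencyAccess) {
        self.emergency_access.push(ea);
    }

    /// True only for a current, confirmed member (a revoked member is not one).
    fn is_confirmed_member(&self, user: &str, org: &str) -> bool {
        matches!(
            self.memberships.get(&(user.to_string(), org.to_string())),
            Some(MembershipStatus::Confirmed)
        )
    }

    /// Handler for the org keys endpoint, called by the authenticated `user`.
    /// Membership is checked before the org is even loaded.
    pub fn org_keys(&self, user: &str, org_uuid: &str) -> Result<OrgKeysResponse, ApiError> {
        if !self.is_confirmed_member(user, org_uuid) {
            return Err(ApiError::NotFound);
        }
        let org = self.orgs.get(org_uuid).ok_or(ApiError::NotFound)?;
        Ok(OrgKeysResponse { public_key: org.public_key.clone() })
    }

    /// Fetch an emergency-access record scoped to the calling grantor. The
    /// ownership condition is part of the query itself, so there is no
    /// separate "does this belong to me" check that a handler could forget.
    pub fn emergency_access_for_grantor(&self, grantor: &str, ea_uuid: &str) -> Result<&EmergencyAccess, ApiError> {
        self.emergency_access
            .iter()
            .find(|ea| ea.uuid == ea_uuid && ea.grantor_uuid == grantor)
            .ok_or(ApiError::NotFound)
    }
}

fn main() {
    let mut store = Store::default();
    store.add_org(Organization {
        uuid: "org-1".into(),
        name: "Example Org".into(),
        public_key: "PUB".into(),
        private_key: "PRIV".into(),
    });
    store.set_membership("alice", "org-1", MembershipStatus::Confirmed);
    println!("member:     {:?}", store.org_keys("alice", "org-1"));
    println!("non-member: {:?}", store.org_keys("mallory", "org-1"));
}
```

The same idea applies to the org details endpoint from the CVE fix: look the membership up first, keyed by the caller, and only then load the object. A response struct that simply has no `private_key` field is a cheaper guarantee than remembering to strip it in every handler.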
|
- Updated the crates
Removed the patch for mimalloc
- Updated the web-vault to v2024.5.1b
The reason for not updating to v2024.6.x is that there are several items
not working correctly or need some more research.
|
|
- faster builds than with gzip (the default)
|
|
* add group support for Cipher::get_collections()
join group infos assigned to a collection to check
whether user has been given access to all collections via any group
or they have access to a specific collection via any group membership
* fix Collection::is_writable_by_user()
prevent side effects if groups are disabled
* differentiate the /collection endpoints
* return cipherDetails on post_collections_update()
* add collections_v2 endpoint
|
|
|
|
During import you are able to select an existing folder, or with
Bitwarden exports it can contain existing folders already. In either
case it didn't matter, we always created new folders.
Bitwarden uses the same UUID of the selected or existing folders if they
are already there.
This PR fixes this by using the same behaviour.
Fixes #4700
|
|
Collections were not visible in the organization view.
This was because the `flexibleCollections` was set to `true`
Found an issue with loading some previously created Secure Notes which had `{}` or `{"type":null}` as their `data` value.
This isn't allowed. When detected, replace it with `{"type":0}`
Fixes #4682
Fixes #4590
|
|
|
|
- libatomic linking for armv6 has been fixed in https://github.com/purpleprotocol/mimalloc_rust/commit/992c9da4c5afba7fbf4c5815c43c8f0fbd2a8da6
|
|
|
|
* Change API inputs/outputs and structs to camelCase
* Fix fields and password history
* Use convert_json_key_lcase_first
* Make sends lowercase
* Update admin and templates
* Update org revoke
* Fix sends expecting size to be a string on mobile
* Convert two-factor providers to string
|
|
default (#4661)
|
|
|
|
- Updated all crates including Diesel and the new mysqlclient-sys
- Updated the MSRV to v1.78 as that is what Diesel mandates
- Added the mimalloc crate as a patch for now to fix armv6 static builds
This probably makes #4606 possible
- Updated web-vault to v2024.5.1
- Updated GitHub Actions
Fixed an issue with the localhost images for extracting the musl binaries.
|
|
* Update rust and remove unused header values
* Missed one unused var
|
|
- Updated JS/CSS dependencies
- Fixed a small issue regarding DNS IP detection
fixes #3946
fixes #3947
|
|
|
|
|
|
- needed to add double quotes, otherwise it was parsed as 3.2 instead of 3.20
|
|
|
|
- Update crates including rocket and rocket_ws
|
|
|
|
|
|
Move some ARGs closer to the build stage (potentially improving caching)
Remove redundant COPY commands
Remove redundant RUN command
Move CARGO_HOME's "&&" operator to the first line (improves consistency)
|