This action will delete this post on this instance and on all federated instances, and it cannot be undone. Are you certain you want to delete this post?
Todd Sundsted posted 10:38am
Release v3.3.7 of Ktistec
Release v3.3.7 of Ktistec fixes several bugs and introduces two enhancements.
Security is a focus in this release. Every gap in input sanitization or escaping is a potential vulnerability, and I've been systematically closing them. I am also carefully, and maybe conservatively, restricting things like supported URL schemes and uploaded file types.
The two enhancements improve compatibility with Mastodon-compatible clients. Mastodon's OAuth tokens don't expire, and Mastodon clients don't know how to handle tokens that do. Sliding expiration ensures that tokens in active use stay alive, while unused tokens eventually expire.
Here's the full changelog:
Added
- Sliding token expiration for OAuth2 access tokens.
- Mastodon-compatible API:
/api/v1/accounts/update_credentialsendpoint.
Fixed
- Prevent pinning of (and auto-unpin) private objects.
- Don't save a quote if the quoted actor cannot be dereferenced.
- Fix rendering of federated actor profile attachment values.
- Remove
hrefattributes with unsafe schemes from sanitized HTML. - Escape interpolated values in view helpers and the actor icon streaming refresh.
- Restrict upload extensions and serve uploads with
X-Content-Type-Options: nosniff. - Escape
publicKeyand scrubTag.href. - Sanitizer no longer permits single-quote attribute injection.
- Ensure bearer-token sessions cannot reach the web UI.
- Require client authentication on the OAuth token endpoint.
I'm working on performance improvements for the next release. A rewrite of the Slang template library looks like it will cut both build time and executable size by around 10%!
📡 Stay tuned!