Actioned doc updates and advisories for v0.30

Dan Brown 2020-09-20 00:22:43 +01:00
commit 732c0f4e60
Signed by: danb
GPG key ID: 46D9F943C24A2EF9

View file

@ -17,6 +17,7 @@ relates to BookStack itself. The security of the server BookStack is hosted on i
<li><a href="#javascript-in-page-content">JavaScript in Page Content</a></li>
<li><a href="#web-crawler-control">Web Crawler Control</a></li>
<li><a href="#secure-cookies">Secure Cookies</a></li>
<li><a href="#failed-access-logging">Failed Access Logging</a></li>
</ul>
---
@ -125,4 +126,22 @@ The rules found in the `/robots.txt` file are automatically controlled via the "
### Secure Cookies
BookStack uses cookies to track sessions, remember logins and for XSRF protection. When using HTTPS you may want to ensure that cookies are only sent back to the browser if the connection is over HTTPS. This can be enabled by setting `SESSION_SECURE_COOKIE=true` in your `.env` file.
BookStack uses cookies to track sessions, remember logins and for XSRF protection. When using HTTPS you may want to ensure that cookies are only sent back to the browser if the connection is over HTTPS. This can be enabled by setting `SESSION_SECURE_COOKIE=true` in your `.env` file.
---
<a name="failed-access-logging"></a>
### Failed Access Logging
An option is available to log failed login events to a log file which is useful to identify users having trouble logging in, track malicious login attempts or to use with tools such as Fail2Ban. This works with login attempts using the default email & password login mechanism or attempts via LDAP login. Failed attempts are **not logged** for "one-click" social or SAML2 options.
To enable this you simple need to define the `LOG_FAILED_LOGIN_MESSAGE` option in your `.env` file like so:
```bash
LOG_FAILED_LOGIN_MESSAGE="Failed login for %u"
```
The optional "%u" element of the message will be replaced with the username or email provided in the login attempt
when the message is logged. By default messages will be logged via the php `error_log` function which, in most
cases, will log to your webserver error log files.
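Review bot: the `%u` placeholder is filled with the username or email supplied in the login attempt, which is attacker-controlled input, so this section should state whether newlines and control characters are stripped from that value before it is passed to `error_log`; if they are not, a crafted username can inject a fake log line, which matters for anyone writing a Fail2Ban filter against these messages as the section suggests. Two smaller points in the same hunk: the Secure Cookies paragraph beginning `BookStack uses cookies to track sessions` appears twice in the hunk, so one copy should be dropped unless the repetition is only a whitespace change in the diff, and `you simple need to define` should read `you simply need to define`. It would also help Fail2Ban users to say where `error_log` output lands under common setups (the PHP-FPM or web server error log), since a filter has to point at a concrete file.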

View file

@ -32,6 +32,24 @@ Check the below list for the version you are updating to for any additional inst
## Version Specific Instructions
#### Updated to v0.30 or higher
**Security** - Possible Privilege Escalation. During the v0.30 release cycle
it was advised that current privilege escalation situations are not made clear when applying role permissions.
Any user with a "Manage app settings", "Manage users" or "Manage roles & role permissions" system permission
assigned to one of their roles could technically alter their own permissions to gain wider access.
A clear advisory of these cases has been added in the UI in v0.30
but admins are advised to review which users have these permissions with the above in mind.
**LDAP & SAML Group Matching** - During the v0.30 release cycle it was found that
BookStack roles would be matched to LDAP/SAML groups based upon the role display name, which is expected,
but only those roles with a matching "name" value would be considered. This "name" field was redundant,
and has now been removed, but it would store a cleaned version the first-set name of the role.
All roles will now be considered before being matched on name which may mean that roles which did not sync before,
that would have been expected to based on their name, may now start to sync.
#### Updating to v0.29.3 or higher
**Security** - v0.29.3 fixes an issue where the names of restricted/private books could seen by those without permission, if added to a shelf. This issue was introduced in BookStack v0.28.0.
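Review bot: the LDAP & SAML Group Matching paragraph says roles that did not sync before may now start to sync, which means the upgrade can grant users roles they did not hold on v0.29, so the note should tell admins to compare their role display names against their LDAP/SAML group names before updating rather than only warning that it may happen. In the privilege escalation paragraph, `it was advised that current privilege escalation situations are not made clear` is hard to parse; state directly that a user holding any of the three listed system permissions can extend their own permissions and should therefore be treated as an administrator when reviewing role assignments. Wording fixes: `a cleaned version the first-set name` is missing `of`; the heading `Updated to v0.30 or higher` should match the `Updating to v0.29.3 or higher` form used below; and in the unchanged context line, `could seen by those without permission` is missing `be`.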