Zettlr/Zettlr: Release v1.8.9
Creators
- Hendrik Erz (@Zettlr)
- Tobias Diez
- Wieke
- actions-user (@actions)
- Matt Jolly
- Brli
- Gabor Nagy (Skyscanner)
- Christian Davén (Alfa eCare AB)
- framatophe (Framasoft)
- Jory Schossau (Conducto. & Michigan State University)
- A. Kaan (Main Sequence Technology)
- Ilya Zverev (Lyft @lyft)
- Ryota Abe
- Asier Illarramendi (Mobile Jazz)
- Matthew Jarvis
- Max Edmands (@honeycombio)
- Alessio Montel
- Aidan Hobson Sayers
- Brad Erickson (@udacity)
- Dilawar Singh
- Frederik Elwert (Ruhr-University Bochum)
- Gabe
- J Webb (Acquia)
- Jeff George (SRE at @acquia)
- kyaso (RWTH Aachen)
- Steve OU (King's College London)
- Ville Kukkonen
- xatier (random.choice('FLAG'))
Description
HOTFIX FOR JVN#98239374 | Update Immediately!
Read our Postmortem on this issue and the last one on our blog.
This is a hotfix for a potentially severe security issue, reported to us by the Japanese cybersecurity organisation JPCERT. It was reported that, due to insecure iFrame handling on our side, malicious actors could take over users' computers using specially crafted iFrame embed codes or Markdown documents containing such an iFrame.
This release closes this vulnerability. Specifically, the following precautions were taken:
- Now, whenever Zettlr renders an iFrame, it will omit all attributes except `src` -- in the security disclosure, the attribute `srcdoc` has been used to maliciously access the test system. While this means that certain features are not supported during preview (e.g., `allowfullscreen`), remember that the attributes will still be exported so that in HTML exports, they will work.
- We have added a global whitelist that by default only contains the hostnames of YouTube and Vimeo players so that those embeds work out of the box. For all other hostnames, rendering of iFrames will be blocked by default. Instead, you will be presented with a warning and be asked whether or not you want to render content from the given hostname. You can then choose to render it once, or permanently add the named hostname to the whitelist.
Note that you can completely disable any iFrame pre-rendering in your display preferences.
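An added illustration of the two precautions above (example code, not Zettlr's own implementation): the tag is reduced to its `src` attribute, and the hostname decides between rendering outright and showing the prompt. The whitelist contents and the rejection of non-http(s) schemes are assumptions not stated in the release notes.

```javascript
// Added example, not Zettlr's own code: a preview-time iframe filter applying
// the v1.8.9 precautions (keep only src; whitelist hostnames). The whitelist
// entries are assumed; the release only names YouTube and Vimeo players.
const DEFAULT_WHITELIST = new Set(['www.youtube.com', 'player.vimeo.com']);
// Tokenise the attributes of one <iframe ...> tag into a Map. Quotes are
// honoured so a '>' inside srcdoc="..." cannot end the tag early.
function parseIframeAttributes(tag) {
  const open = /^\s*<iframe\b/i.exec(tag);
  if (!open) return null;
  const attrs = new Map();
  let i = open[0].length;
  const skipSpace = () => { while (i < tag.length && /\s/.test(tag[i])) i++; };
  while (skipSpace(), i < tag.length && tag[i] !== '>') {
    if (tag[i] === '/') { i++; continue; }
    let name = '', value = '';
    while (i < tag.length && !/[\s=\/>]/.test(tag[i])) name += tag[i++];
    skipSpace();
    if (tag[i] === '=') {
      i++; skipSpace();
      const q = tag[i];
      if (q === '"' || q === "'") {          // quoted value
        let end = tag.indexOf(q, i + 1);
        if (end === -1) end = tag.length;
        value = tag.slice(i + 1, end);
        i = end + 1;
      } else {                                // unquoted value
        while (i < tag.length && !/[\s>]/.test(tag[i])) value += tag[i++];
      }
    }
    if (name) attrs.set(name.toLowerCase(), value);
  }
  return attrs;
}
// Decide how the preview treats an iframe: 'render' for whitelisted hosts,
// 'ask' (show the warning prompt) otherwise, 'block' when src is unusable.
// Rejecting non-http(s) schemes is an extra hardening assumed here.
function previewIframe(tag, whitelist = DEFAULT_WHITELIST) {
  const attrs = parseIframeAttributes(tag);
  let url = null;
  try { url = attrs && attrs.has('src') ? new URL(attrs.get('src')) : null; } catch { url = null; }
  if (!url || !['http:', 'https:'].includes(url.protocol)) return { action: 'block', hostname: null, html: '' };
  const safeSrc = url.href.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return {
    action: whitelist.has(url.hostname) ? 'render' : 'ask',
    hostname: url.hostname,
    html: `<iframe src="${safeSrc}"></iframe>`,   // every other attribute dropped
  };
}
```

Passing a user-extended Set as `whitelist` models the "permanently add the named hostname" choice from the prompt.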
We would like to apologise for the inconvenience. If you are interested in how it came to this situation, please read our Postmortem on this issue.
Files
- Zettlr/Zettlr-v1.8.9.zip (25.4 MB), md5: 3cfb98464d416368b062af96c2ea6098
Additional details
Related works
- Is supplement to: https://github.com/Zettlr/Zettlr/tree/v1.8.9 (URL)