When a icon blacklist regex was configured to not check for a domain, it
still did a DNS lookup first. This could cause a DNS leakage for these
regex blocked domains.
This PR resolves this issue by first checking the regex, and afterwards
the other checks.
Fixes #2909
In the upcomming web-vault and other clients they changed the register
endpoint from `/api/accounts/register` to `/identity/register`.
This PR adds the new endpoint to already be compatible with the new
clients.
Fixes #2889
The DuckDuckGo email service is not supported for self-hosted servers.
This option is already hidden via the latest web-vault.
This PR also removes some server side headers.
Fixes #2828
It was possible to disable the admin security via the admin interface.
This is kinda insecure as mentioned in #2761.
This PR set this value as read-only and admin's need to set the correct ENV variable.
Currently saved settings which do override this are still valid though.
If an admin want's this removed, they either need to reset the config,
or change the value in the `config.json` file.
Fixes #2761
All uses of `get_random()` were in the form of:
`&get_random(vec![0u8; SIZE])`
with `SIZE` being a constant.
Building a `Vec` is unnecessary for two reasons. First, it uses a
very short-lived dynamic memory allocation. Second, a `Vec` is a
resizable object, which is useless in those context when random
data have a fixed size and will only be read.
`get_random_bytes()` takes a constant as a generic parameter and
returns an array with the requested number of random bytes.
Stack safety analysis: the random bytes will be allocated on the
caller stack for a very short time (until the encoding function has
been called on the data). In some cases, the random bytes take
less room than the `Vec` did (a `Vec` is 24 bytes on a 64 bit
computer). The maximum used size is 180 bytes, which makes it
for 0.008% of the default stack size for a Rust thread (2MiB),
so this is a non-issue.
Also, most of the uses of those random bytes are to encode them
using an `Encoding`. The function `crypto::encode_random_bytes()`
generates random bytes and encode them with the provided
`Encoding`, leading to code deduplication.
`generate_id()` has also been converted to use a constant generic
parameter as well since the length of the requested String is always
a constant.
Added a new endpoint which the currently beta client for at least
Android v2022.10.1 seems to be calling, and crashes with the response we
currently provide
Fixes #2890
Fixes #2891
Fixes #2892
Added a new endpoint which the currently beta client for at least
Android v2022.10.1 seems to be calling, and crashes with the response we
currently provide
Fixes #2890
Fixes #2891
Fixes #2892
Since v2022.9.x the org export uses a different endpoint.
But, since v2022.11.x this endpoint will return a different format.
See: https://github.com/bitwarden/clients/pull/3641 and https://github.com/bitwarden/server/pull/2316
To support both version in the case of users having an older client
either web-vault or cli this PR checks the version and responds using
the correct format. If no version can be determined it will use the new
format as a default.
Added a new endpoint which the currently beta client for at least
Android v2022.10.1 seems to be calling, and crashes with the response we
currently provide
Fixes #2890
Fixes #2891
Fixes #2892
Updated all the actions where possible.
This should at least for the most actions mean that they are using the
latest github actions core and should partially resolve the issue #2847
The only actions left are the actions from `actions-rs`.
if `SIGNUPS_VERIFY` is enabled new users that have been invited have
their onboarding flow interrupted because they have to first verify
their mail address before they can join an organization.
we can skip the extra verication of the email address when signing up
because a valid invitation token already means that the email address is
working and we don't allow invited users to signup with a different
address.
unfortunately, this is not possible with emergency access invitations
at the moment as they are handled differently.
Set SMTP_EMBED_IMAGES option to false if you don't want to attach images
to the mail.
NOTE: If you have customized the template files `email_header.hbs` and
`email_footer.hbs` you can replace `{url}/vw_static/` to `{img_url}`
to support both URL schemes
If you add a new user that has already been Invited to another
organization they will be Accepted automatically. This should not be
possible because they cannot be Confirmed until they have completed
their registration. It is also not necessary because their invitation
will be accepted automatically once they register.