
Part-DB 1.17.1

@jbtronics jbtronics released this 18 May 21:06
· 1 commit to master since this release

Part-DB 1.17.1

Important

If you are using Part-DB it would be helpful if you fill out this short survey on your usage of Part-DB (Google Forms): https://forms.gle/Q15twx3YYq3qCNfe8

Tip

There is a new experimental docker image, which is much faster. See this post for more info.

Tip

You can help to translate Part-DB to other languages. See this post for more info.

Security fixes

Until this version, users could upload SVG files containing JS code that would be executed if a user opened the SVG in a new tab, allowing for an XSS vulnerability. This was only possible if the SVG file was explicitly opened in a new tab; if the file was embedded inside a Part-DB tab, there was no risk.

Since this version, SVG files get sanitized during upload to prevent any JS code execution. If you have existing SVG files, you can sanitize them by running the console command php bin/console partdb:attachments:sanitize-svg.
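To show what "sanitizing" an SVG means in practice, here is a small added example (not Part-DB's own implementation, which is written in PHP) that strips the parts of an SVG a browser would execute: script and foreignObject elements, on* event-handler attributes, and any attribute whose value carries a javascript:, vbscript: or data:text/html URL once browsers' whitespace tolerance is accounted for. The same routine doubles as a detection check, which is the use case of the console command above for files uploaded before this release. The helper names, the dangerous-element list and the sample SVG are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Keep the usual prefixes on output instead of ElementTree's generated ns0:/ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that can carry executable or foreign (HTML) content (assumed list).
DANGEROUS_ELEMENTS = {"script", "foreignobject"}
# Whitespace/control characters browsers ignore inside a URL scheme ("jav\tascript:").
_SCHEME_NOISE = re.compile(r"[\s\x00-\x1f\x7f]")
_DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(name: str) -> str:
    """Strip ElementTree's '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1] if name.startswith("{") else name


def _dangerous_value(value: str) -> bool:
    """True if an attribute value resolves to a script-bearing URL after
    whitespace and control characters are removed."""
    normalized = _SCHEME_NOISE.sub("", value).lower()
    return any(scheme in normalized for scheme in _DANGEROUS_SCHEMES)


def sanitize_svg(data: bytes) -> tuple[bytes, list[str]]:
    """Return (sanitized SVG bytes, list describing what was removed).

    Hypothetical helper: it drops <script>/<foreignObject> subtrees, every on*
    event-handler attribute, and any attribute whose value carries a script
    URL (this also covers <set>/<animate> retargeting href). For untrusted
    input in production, parse with defusedxml instead of the stdlib parser
    to bound entity expansion.
    """
    root = ET.fromstring(data)
    removed: list[str] = []

    # Pass 1: remove dangerous elements; ElementTree has no parent links,
    # so walk each parent and prune its children.
    for parent in list(root.iter()):
        for child in list(parent):
            if isinstance(child.tag, str) and _local(child.tag).lower() in DANGEROUS_ELEMENTS:
                parent.remove(child)
                removed.append(f"element <{_local(child.tag)}>")

    # Pass 2: remove event handlers and script-scheme attribute values.
    for elem in root.iter():
        if not isinstance(elem.tag, str):
            continue
        for name, value in list(elem.attrib.items()):
            local = _local(name).lower()
            if local.startswith("on") or _dangerous_value(value):
                del elem.attrib[name]
                removed.append(f"attribute {local} on <{_local(elem.tag)}>")

    return ET.tostring(root, encoding="unicode").encode("utf-8"), removed


def contains_active_content(data: bytes) -> bool:
    """Detection-only check, e.g. for auditing files uploaded before sanitizing existed."""
    return bool(sanitize_svg(data)[1])


# Constructed sample: a benign rectangle plus the patterns the sanitizer must strip.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <script>alert('xss')</script>
  <rect width="100" height="100" fill="red" onclick="alert(1)"/>
  <a xlink:href="jav&#x09;ascript:alert(1)"><text y="20">click</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><p>hi</p></body></foreignObject>
</svg>"""

if __name__ == "__main__":
    clean, findings = sanitize_svg(SAMPLE_SVG)
    for item in findings:
        print("removed:", item)
    print(clean.decode())
```

Note that the sanitizer is deliberately allow-nothing for script-bearing URLs in any attribute, not only href, because SMIL animation elements can write a value into href at runtime; that is the kind of bypass a CSP with script-src 'none' on the serving side (as in the nginx block below) covers as a second layer even if the upload-time filter misses a case.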

If you are using Part-DB with nginx, you should add the following block to your server configuration to further harden it by setting a Content-Security-Policy for SVG files:

    # Set Content-Security-Policy for svg files, to block embedded javascript in there
    location ~* \.svg$ {
        add_header Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';";
    }

For Apache, this is done automatically by the .htaccess file shipped with Part-DB.

New features

  • Added barcode placeholders for C93 and datamatrix barcodes (#931, thanks to @monoxide13)

Miscellaneous

  • Updated translations
  • Updated dependencies

New Contributors

Full Changelog: v1.17.0...v1.17.1