Release notes - Lobster _pro 4.12.6

Release date: 2024-09-16

Among other things, this patch closes medium- to low-severity vulnerabilities in the REST interface. Under certain circumstances, single-line files containing no URL characters could be read via XXE. In addition, the anonymous endpoints 'system/info', 'system/version', etc. now require authentication.

Features

PRO-41417

[Custom Type Definitions] The overview and details labels can now be defined in the type definition

PRO-42397

[Event Handling] A "Unit Number" can now be converted into a "Numeric Value"

PRO-42505

[Form Renderer] IFrame elements now also accept raw HTML as input value

Bug fixes

PRO-42519

[Event Handling][REST API] The PUT and PATCH methods of the "HTTP call" action work as expected again

PRO-42481

[Security] XML DTD and external entity processing for the application/xml and client/xml content types have been disabled. Previously this made XXE exploits possible to a certain extent (see https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing): files consisting of a single line and containing no significant URL characters could be read
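As an added illustration of the parser hardening this fix describes (example code, not Lobster's own implementation), the following Python uses the standard library's expat binding to reject any DTD or entity declaration before a REST body is parsed, and applies that parser only to the XML content types named above; the function names and the content-type list are assumptions for the example.

```python
import xml.parsers.expat as expat

# Constructed for this example: the XML media types the fix applies to.
XML_CONTENT_TYPES = ("application/xml", "client/xml")

class ForbiddenDtd(ValueError):
    """Raised when an XML body carries a DOCTYPE or an entity declaration."""

def parse_xml_without_dtd(body: bytes) -> dict:
    """Parse a small XML body into {child tag: text} for the root's children.
    Any DTD, entity declaration or external entity reference aborts parsing,
    so the parser can never be steered into reading local files or URLs."""
    parser = expat.ParserCreate()
    # Never fetch external parameter entities, even if a DOCTYPE slipped by.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def forbid(*_args):
        raise ForbiddenDtd("DTD and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = forbid   # fires at '<!DOCTYPE'
    parser.EntityDeclHandler = forbid         # any <!ENTITY ...> declaration
    parser.ExternalEntityRefHandler = forbid  # any reference to an external one

    result, stack = {}, []

    def text(data):
        # Depth 2 is a direct child of the root; expat may split one text
        # node over several callbacks, so concatenate.
        if len(stack) == 2:
            result[stack[-1]] = result.get(stack[-1], "") + data

    parser.StartElementHandler = lambda name, _attrs: stack.append(name)
    parser.EndElementHandler = lambda _name: stack.pop()
    parser.CharacterDataHandler = text
    parser.Parse(body, True)
    return result

def handle_rest_body(content_type: str, body: bytes):
    """Route only XML media types through the hardened parser, else None."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in XML_CONTENT_TYPES:
        return None
    return parse_xml_without_dtd(body)

def accepts(body: bytes) -> bool:
    """True if the body parses, False if it was rejected for carrying a DTD."""
    try:
        parse_xml_without_dtd(body)
        return True
    except ForbiddenDtd:
        return False
```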

PRO-42506

[General] Fixed several issues with the object editor

PRO-42522

[Security] Anonymous REST service endpoints are no longer accessible without authentication. REST endpoints such as "system/info" and "system/version" previously returned data without authentication and are now secured via an authentication process

PRO-42521

[General] Custom online help URL links will now be opened via a simple URL call instead of a "form" POST. The previous approach could lead to Content Security Policy violations if the target URL was not pointing to the host system, causing the link not to open at all

PRO-42476

[Custom Subroutines] Variables written by output parameters of custom subroutines are now consistently available afterwards

PRO-42409

[Custom Type Definitions][Meta Exchange] The progress indicator of e.g. import jobs did not terminate in case of an error

PRO-42520

[Event Handling][SQL Actor / SQL Value Resolver] NULL values of Datetimes and Timestamps are now read correctly

PRO-42529

[Form Designer] Editor test mode could not be stopped while a "Form data loaded" behaviour was running. This could happen due to long-running behaviour operations or a timed behaviour delay. A warning is now raised to inform the configurator about such behaviours

PRO-42469

[UI] Entities licensed with 0 capacity are removed from the menu and permission trees. For example, if the license does not allow saving any "Print Document" (limit: 0), the menu entry and role permission will be removed entirely