Indico

Latest version: v3.3.6


2.2.8

Not secure
-------------

*Released on April 08, 2020*

Security fixes
^^^^^^^^^^^^^^

- Update `bleach <https://github.com/mozilla/bleach>`__ to fix a regular expression
  denial of service vulnerability
- Update `Pillow <https://github.com/python-pillow/Pillow>`__ to fix a buffer overflow
  vulnerability

2.2.7

Not secure
-------------

*Released on March 23, 2020*

Improvements
^^^^^^^^^^^^

- Add support for event labels to indicate e.g. postponed or cancelled
  events (:issue:`3199`)

Bugfixes
^^^^^^^^

- Allow slashes in roomName export API
- Show names instead of IDs of local groups in ACLs (:issue:`3700`)

2.2.6

Not secure
-------------

*Released on February 27, 2020*

Bugfixes
^^^^^^^^

- Fix some email fields (error report contact, agreement cc address) being
  required even though they should be optional
- Avoid browsers prefilling stored passwords in togglable password fields
  such as the event access key
- Make sure that tickets are not attached to emails sent to registrants for whom
  tickets are blocked (:issue:`4242`)
- Fix event access key prompt not showing when accessing an attachment link
  (:issue:`4255`)
- Include event title in OpenGraph metadata (:issue:`4288`)
- Fix error when viewing abstract with reviews that have no scores
- Update requests and pin idna to avoid installing incompatible dependency versions
  (:issue:`4327`)

2.2.5

Not secure
-------------

*Released on December 06, 2019*

Improvements
^^^^^^^^^^^^

- Sort posters in timetable PDF export by board number (:issue:`4147`, thanks
  :user:`bpedersen2`)
- Use lat/lng field order instead of lng/lat when editing rooms (:issue:`4150`,
  thanks :user:`bpedersen2`)
- Add additional fields to the contribution csv/xlsx export (authors and board
  number) (:issue:`4148`, thanks :user:`bpedersen2`)

Bugfixes
^^^^^^^^

- Update the Pillow library to 6.2.1. This fixes an issue where some malformed images
  could result in high memory usage or slow processing.
- Truncate long speaker names in the timetable instead of hiding them (:issue:`4110`)
- Fix an issue causing errors when using translations for languages with no plural
  forms (like Chinese).
- Fix creating rooms without touching the longitude/latitude fields (:issue:`4115`)
- Fix error in HTTP API when Basic auth headers are present (:issue:`4123`,
  thanks :user:`uxmaster`)
- Fix incorrect font size in some room booking dropdowns (:issue:`4156`)
- Add missing email validation in some places (:issue:`4158`)
- Reject requests containing NUL bytes in the POST data (:issue:`4159`)
- Fix truncated timetable PDF when using "Print each session on a separate page" in
  an event where the last timetable entry of the day is a top-level contribution
  or break (:issue:`4134`, thanks :user:`bpedersen2`)
- Only show public contribution fields in PDF exports (:issue:`4165`)
- Allow single arrival/departure date in accommodation field (:issue:`4164`,
  thanks :user:`bpedersen2`)

2.2.4

Not secure
-------------

*Released on October 16, 2019*

Security fixes
^^^^^^^^^^^^^^

- Fix more places where LaTeX input was not correctly sanitized. While the biggest
  security impact (reading local files) has already been mitigated when fixing the
  initial vulnerability in the previous release, it is still strongly recommended
  to update.

2.2.3

Not secure
-------------

*Released on October 08, 2019*

Security fixes
^^^^^^^^^^^^^^

- Strip ``@``, ``+``, ``-`` and ``=`` from the beginning of strings when exporting
  CSV files to avoid `security issues <https://www.owasp.org/index.php/CSV_Injection>`__
  when opening the CSV file in Excel
- Use 027 instead of 000 umask when temporarily changing it to get the current umask
- Fix LaTeX sanitization to prevent malicious users from running unsafe LaTeX commands
  through specially crafted abstracts or contribution descriptions, which could lead to
  the disclosure of local file contents
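
The CSV export fix from the first item above, as an added example (not Indico's own code): string cells lose any leading run of the four characters the changelog names before they are written. The function names and sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Characters listed in the 2.2.3 changelog entry; spreadsheet applications
# treat a cell starting with any of them as a formula.
FORMULA_PREFIXES = "@+-="


def sanitize_cell(value):
    """Strip formula-trigger characters from the start of a string cell."""
    if not isinstance(value, str):
        return value  # real numbers (e.g. -5) are written unchanged
    # lstrip removes the whole leading run, so a value cannot keep one
    # trigger character by stacking several of them ("=+SUM(...)").
    return value.lstrip(FORMULA_PREFIXES)


def export_csv(headers, rows):
    """Serialize rows to CSV text with every data cell sanitized."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(headers)  # headers come from the application, not users
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data standing in for user-supplied registration fields.
SAMPLE_ROWS = [
    ["Alice", "=SUM(1,2)", 3],
    ["Bob", "+41 22 000 0000", -5],
    ["@carol", "-=+@stacked", 0],
    ["Dave", "a=b (inner chars kept)", 1],
]

if __name__ == "__main__":
    print(export_csv(["Name", "Comment", "Score"], SAMPLE_ROWS))
```

Stripping also alters legitimate values that begin with one of these characters, such as the international phone number in the second sample row.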

Improvements
^^^^^^^^^^^^

- Improve room booking interface on small-screen devices (:issue:`4013`)
- Add user preference for room owners/manager to select if they want to
  receive notification emails for their rooms (:issue:`4096`, :issue:`4098`)
- Show family name field first in user search dialog (:issue:`4099`)
- Make date headers clickable in room booking calendar (:issue:`4099`)
- Show times in room booking log entries (:issue:`4099`)
- Support disabling server-side LaTeX altogether and hide anything that
  requires it (such as contribution PDF export or the Book of Abstracts).
  **LaTeX is now disabled by default, unless the** :data:`XELATEX_PATH`
  **is explicitly set in** ``indico.conf``.


Bugfixes
^^^^^^^^

- Remove 30s timeout from dropzone file uploads
- Fix bug affecting room booking from an event in another timezone (:issue:`4072`)
- Fix error when commenting on papers (:issue:`4081`)
- Fix performance issue in conferences with public registration count and a
  high amount of registrations
- Fix confirmation prompt when disabling conference menu customizations
  (:issue:`4085`)
- Fix incorrect days shown as weekend in room booking for some locales
- Fix ACL entries referencing event roles from the old event when cloning an
  event with event roles in the ACL. Run ``indico maint fix-event-role-acls``
  after updating to fix any affected ACLs (:issue:`4090`)
- Fix validation issues in coordinates fields when editing rooms (:issue:`4103`)
