Version 4.3.6

Released: February 19, 2023

Status: Stable

Changes

This version backports fixes from versions 4.4.3 and 4.4.4.

Authentication OTP

The interface of the library used for generating QR codes changed and broke the OTP QR code generation. The image interface was updated, a new test was added, and the QR code generation was simplified to lower the chance of future regressions.

Dependencies

The Python Transifex client was removed and replaced with the new Go based client. This client is OS dependent and must be installed manually when working with translations (https://github.com/transifex/cli).

REST API

Validation errors in the document metadata API were incorrectly producing HTTP 500 server errors. A custom REST API exception handler was added to work around inconsistent validation exception behavior in the Django REST framework and ensure that validation errors return an HTTP 400 response instead.

Tags

Tag labels are now sanitized when generating the Select2 user interface widget template. This closes the XSS weakness reported in CVE-2022-47419: Mayan EDMS Tag XSS.

This is a limited scope weakness in the tagging system markup that can be used to display arbitrary text when selecting a tag for attachment to or removal from a document.

It is not possible to circumvent the Mayan EDMS access control system or expose arbitrary information with this weakness.

Exploiting this weakness requires a privileged account; it cannot be triggered from a guest or an anonymous account. Visitors to a Mayan EDMS installation cannot exploit this weakness.
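The following is an added example, not code from Mayan EDMS, showing the difference between interpolating a stored tag label into option markup unescaped (the weakness) and escaping it for the HTML context (the fix). The helper names and the sample tags are constructed for this illustration; Python's stdlib html.escape() is used because it performs the same transformation as Django's django.utils.html.escape() and template autoescaping.

```python
# Added example (not Mayan EDMS code): why tag labels must be escaped before
# they are interpolated into the Select2 option markup. Helper names are
# hypothetical; html.escape() stands in for Django's escape()/autoescaping.
import html

# Constructed sample tags. The second label is the kind of payload a
# privileged user could store through the tag edit form.
SAMPLE_TAGS = [
    {"id": 1, "label": "Invoices", "color": "#3366cc"},
    {"id": 2, "label": "<img src=x onerror=alert(document.domain)>", "color": "#cc0000"},
]


def render_option_unsafe(tag):
    """'Before' form: raw interpolation, the label lands in the page as markup."""
    return '<option value="{id}" data-color="{color}">{label}</option>'.format(**tag)


def render_option_safe(tag):
    """'After' form: every user-controlled value is escaped for the HTML context."""
    return '<option value="{id}" data-color="{color}">{label}</option>'.format(
        id=int(tag["id"]),
        color=html.escape(tag["color"], quote=True),
        label=html.escape(tag["label"], quote=True),
    )


def render_select(tags, renderer):
    """Assemble the full <select> used by the widget from one renderer."""
    return "<select>" + "".join(renderer(tag) for tag in tags) + "</select>"


def contains_injected_markup(rendered):
    """Demonstration check: did a raw <img ...> element survive into the output?"""
    return "<img" in rendered


if __name__ == "__main__":
    for renderer in (render_option_unsafe, render_option_safe):
        out = render_select(SAMPLE_TAGS, renderer)
        print(renderer.__name__, "injected markup present:", contains_injected_markup(out))
```

The server-side escaping is what the release fixes; it is independent of whatever client-side escaping the Select2 widget applies, so it holds even if the widget is later configured to render results as HTML.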

It has also been incorrectly reported that this weakness can be used to steal the session cookie and impersonate users. Since version 1.4 (March 23, 2012) Django has set the HttpOnly attribute on the session cookie by default. This means that the session cookie data, including sessionid, cannot be read from JavaScript. https://docs.djangoproject.com/en/4.1/releases/1.4/

Mayan EDMS currently uses Django 3.2. In this version of Django, SESSION_COOKIE_HTTPONLY defaults to True, which sets the HttpOnly flag on the session cookie, making it unreadable from JavaScript and therefore not available to injected script for session hijacking. https://docs.djangoproject.com/en/3.2/ref/settings/#session-cookie-httponly

Django’s SESSION_COOKIE_HTTPONLY setting is not exposed by Mayan EDMS’ settings system, so this protection cannot be disabled by conventional means.

Any use of this weakness is logged in the event system, making it easy to track down bad actors.

Due to all these factors, the attack surface of this weakness is very limited, if any.

There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
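Because the argument above depends on the session cookie actually carrying the HttpOnly attribute, a practitioner will want to confirm it on a deployed instance rather than trust the default. The following is an added example, not part of Mayan EDMS, that parses a Set-Cookie header and reports the missing flags. The two Set-Cookie strings are constructed samples; in practice take the header from the response to a successful login (for example with curl -i).

```python
# Added example (not Mayan EDMS code): check the flags on a session cookie
# taken from a Set-Cookie header. Uses only the standard library.
from http.cookies import SimpleCookie


def session_cookie_flags(set_cookie_header, name="sessionid"):
    """Parse one Set-Cookie header and report the flags on the named cookie.
    Returns None when the cookie is not present in the header."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return None
    morsel = jar[name]
    return {
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
        "samesite": morsel["samesite"] or None,
    }


def check_session_cookie(set_cookie_header, name="sessionid"):
    """Return a list of findings; an empty list means the expected flags are set."""
    flags = session_cookie_flags(set_cookie_header, name)
    if flags is None:
        return [f"cookie {name!r} not set"]
    findings = []
    if not flags["httponly"]:
        findings.append("missing HttpOnly: cookie readable from document.cookie")
    if not flags["secure"]:
        findings.append("missing Secure: cookie sent over plain HTTP")
    if flags["samesite"] is None:
        findings.append("missing SameSite")
    return findings


# Constructed samples. HARDENED models Django's HttpOnly/SameSite=Lax defaults
# plus SESSION_COOKIE_SECURE = True; WEAKENED models a misconfigured deployment.
HARDENED = "sessionid=abc123; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax; Secure"
WEAKENED = "sessionid=abc123; Path=/"


if __name__ == "__main__":
    for label, header in (("hardened", HARDENED), ("weakened", WEAKENED)):
        print(label, check_session_cookie(header) or "ok")
```

Note that HttpOnly prevents injected script from reading the cookie value; the Secure and SameSite flags address different exposures (plaintext transport and cross-site requests) and are reported separately so each can be traced to its own Django setting.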

Other

  • Ensure migration 80 of the documents app completes even when document files exceed the maximum field size.

Removals

  • Transifex Python client.

Upgrade process

Important

If using a direct deployment, Supervisord must be upgraded to version 4.2.2. See troubleshooting section: After upgrade to version 4.1

Docker Compose

Check the Docker upgrading chapter for the complete upgrade process.

Direct deployment

Upgrading from Mayan EDMS 3.5.x

Important

Supervisord must be upgraded to version 4.2.2. See troubleshooting section: After upgrade to version 4.1

  1. Stop supervisord:

    sudo systemctl stop supervisor
    
  2. Make a backup of your supervisord file:

    sudo cp /etc/supervisor/conf.d/mayan-edms.conf /etc/supervisor/conf.d/mayan-edms.conf.bck
    
  3. Make a backup of your database:

    Use the respective backup command for the database:

  4. Upgrade to the latest pip version:

    sudo --user=mayan /opt/mayan-edms/bin/pip install --upgrade pip
    
  5. Remove deprecated requirements:

    sudo --user=mayan curl https://gitlab.com/mayan-edms/mayan-edms/raw/master/removals.txt --output /tmp/removals.txt \
    && sudo --user=mayan /opt/mayan-edms/bin/pip uninstall --requirement /tmp/removals.txt --yes
    
  6. Update the Mayan EDMS Python package:

    sudo --user=mayan /opt/mayan-edms/bin/pip install mayan-edms==4.3.6
    
    The requirements will also be updated automatically.

  7. Update the Redis configuration to serve at least 3 databases:

    Replace:

    databases ...
    

    with:

    databases 3
    
  8. Restart Redis for the changes to take effect:

    sudo systemctl restart redis
    
  9. Edit the config file at /opt/mayan-edms/media/config.yml:

    Replace:

    LOCK_MANAGER_BACKEND: ...
    LOCK_MANAGER_BACKEND_ARGUMENTS: ...
    

    with:

    LOCK_MANAGER_BACKEND: mayan.apps.lock_manager.backends.redis_lock.RedisLock
    LOCK_MANAGER_BACKEND_ARGUMENTS: {'redis_url':'redis://:mayanredispassword@<IP address of Redis server>:6379/2'}
    
  10. Update the supervisord configuration file. Replace the environment variables values shown here with your respective settings. This step will refresh the supervisord configuration file with the new queues and the latest recommended layout:

    sudo --user=mayan MAYAN_MEDIA_ROOT=/opt/mayan-edms/media/ \
    /opt/mayan-edms/bin/mayan-edms.py platformtemplate supervisord | sudo sh -c "cat > /etc/supervisor/conf.d/mayan-edms.conf"
    
  11. Edit the supervisord configuration file and update any setting specific to your installation:

    sudo vi /etc/supervisor/conf.d/mayan-edms.conf
    
  12. Migrate existing database schema and static media files with:

    sudo --user=mayan MAYAN_MEDIA_ROOT=/opt/mayan-edms/media/ \
    /opt/mayan-edms/bin/mayan-edms.py performupgrade
    
  13. Start supervisord:

    sudo systemctl start supervisor
    
  14. Clear the browser cache to avoid loading old web assets.

The upgrade procedure is now complete.

Troubleshooting

Follow the solutions outlined in the troubleshooting section: After upgrade to version 4.1

Backward incompatible changes

  • None

Deprecations

  • None

Issues closed

  • None