LORIS Release v17.0.5
This release fixes bugs found since v17.0.4 was released. Users of LORIS v17.0.x are strongly encouraged to upgrade in order to receive the two security fixes (and 3 other minor bug fixes) described below.
LORIS instances whose JWTKey setting does not meet the new key strength requirements will need to change that setting in the configuration module in order to use the API. (The new requirements are similar to the LORIS password requirements, except that the key must also be at least 20 characters long, since it is never directly entered by a user.)
Changes
- The check which verifies that a user is not downloading a file that they shouldn't have access to in get_file.php proved to be insufficient. It now performs an extra check.
- A key strength check has been added for the key used to sign the JWT tokens used for the API. (This JWT key is randomly generated by the LORIS installer, but older projects which upgraded LORIS may not have replaced their keys with a secure key, so weak keys are ignored in order to ensure that upgraded LORIS instances don't have the default key.)
- A bug in an SQL query in the examiner module, related to the ONLY_FULL_GROUP_BY setting in MySQL 5.7, has been fixed.
- A bug causing Date_taken to not be properly resolved in the conflict resolver has been fixed.
- The conflict resolver now shows the examiner's full name, rather than their ID, to make it easier to resolve data entry conflicts in examiner.
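
The JWTKey strength check and the "weak keys are ignored" behaviour described above, sketched as an added example that is not LORIS code. The 20-character minimum comes from this release note; the letter/digit/symbol rule, the HS256 signing and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, re, secrets, string

MIN_KEY_LENGTH = 20  # minimum stated in the release note

def key_is_strong(key):
    # Assumed rule set: the 20-character minimum plus a letter, a digit and a symbol.
    return (len(key) >= MIN_KEY_LENGTH
            and all(re.search(p, key) for p in (r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]")))

def generate_key(length=32):
    # Draw from the OS CSPRNG until the candidate passes the same check.
    alphabet = string.ascii_letters + string.digits + "!@#%^*-_=+"
    while True:
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if key_is_strong(key):
            return key

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _mac(signing_input, key):
    return _b64(hmac.new(key.encode(), signing_input, hashlib.sha256).digest())

def sign(claims, key):
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + b"." + _b64(json.dumps(claims).encode())
    return (signing_input + b"." + _mac(signing_input, key)).decode()

def verify(token, key):
    # Returns the claims, or None. A weak key is ignored: no token validates under it.
    if not key_is_strong(key):
        return None
    signing_input, _, signature = token.encode().rpartition(b".")
    if signing_input.count(b".") != 1:
        return None
    if not hmac.compare_digest(_mac(signing_input, key), signature):
        return None
    body = signing_input.split(b".")[1]
    return json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))

if __name__ == "__main__":
    weak, strong = "S3cret!", generate_key()  # constructed sample keys
    token = sign({"user": "admin"}, strong)
    print(key_is_strong(weak), key_is_strong(strong), verify(token, strong))
```

With a weak key, `verify` fails closed even for a token that was correctly signed under that key, which is why an instance with a non-compliant JWTKey cannot use the API until the setting is changed.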