Page History
...
- Security fixes:
- [LOW SEVERITY] Possible to access files attached to "in-progress" submissions (DS-2614 - requires a JIRA account to access for two weeks, and then will be public). This vulnerability could allow anyone in the world to download a file attached to an "in-progress" submission if they are provided with a direct link to that file (from either UI). While a direct file link would be very hard to "guess" or stumble upon, this could allow an individual with deposit rights to make available content which has not been approved by local DSpace administrators. This vulnerability has at least existed since 5.0, but may effect versions as old as 3.0.
- Discovered by Pascal-Nicolas Becker of Technische Universität Berlin
- [LOW SEVERITY] Possible to access files attached to "in-progress" submissions (DS-2614 - requires a JIRA account to access for two weeks, and then will be public). This vulnerability could allow anyone in the world to download a file attached to an "in-progress" submission if they are provided with a direct link to that file (from either UI). While a direct file link would be very hard to "guess" or stumble upon, this could allow an individual with deposit rights to make available content which has not been approved by local DSpace administrators. This vulnerability has at least existed since 5.0, but may effect versions as old as 3.0.
- Search and browse fixes:
- OAI fixes:
- Performing a full OAI import now also cleans the OAI cache (DS-2543)
- Harvested items are now properly imported in OAI (DS-2554)
- Tombstones (deleted item status) are now properly applied for withdrawn items (DS-2593)
(note: this requires 'import' to be run, the OAI event consumer will not create tombstones automatically) dc.date.availableis now properly exposed when using the mets metadata format (DS-2598)
- Authorization policy fixes:
- Custom policies for items in workspace or workflow (eg. embargo lifts) are now ignored by AuthorizeManager (DS-2614)
NULLResource Policy types (commonly found when upgrading from DSpace < 3.0) are now handled correctly by AuthorizeManager (DS-2587)- Item-level versioning now carries across all custom policies in new item versions (eg. embargos) (DS-2358)
- Other notable fixes:
- Optimized "Select Collection" query is now disabled by default as a workaround to ensure special group lookups (LDAP, Shibboleth, IP-based) work out-of-the-box (DS-2673)
- Resolved issue where citation_pdf_url metadata was NULL for items with multiple bitstreams but no primary bitstream (DS-2603)
dc.rights metadatais now properly exposed in embedded XHTML head DC (DS-2568)
...
Overview
Content Tools