
DSpace 5.4 is a bug fix release to resolve several issues located in DSpace 5.0, 5.1, 5.2 or 5.3. As it provides only bug fixes, DSpace 5.4 should constitute an easy upgrade from DSpace 5.x for most users. No database changes or additional configuration changes should be necessary when upgrading from DSpace 5.x to 5.4.
 

Major bug fixes include:

  • JSPUI security fixes: 
    • [LOW SEVERITY] Cross-site scripting (XSS injection) is possible in JSPUI search interface (in Firefox web browser). (DS-2736 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to embed dangerous JavaScript code into links to search results. If a user was emailed such a link and clicked it, the JavaScript would be run in their local browser. This vulnerability has existed since DSpace 3.x.
    • [LOW SEVERITY] Expression language injection (EL Injection) is possible in JSPUI search interface. (DS-2737 - requires a JIRA account to access for two weeks, and then will be public): This vulnerability could allow someone to obtain information from the site/server using JSP syntax. This vulnerability has existed since DSpace 3.x.
  • Google Scholar fix:
    • Google Scholar metadata did not guarantee proper ordering of authors (DS-2679)
  • Discovery / Solr fixes:
    • Resolved a significant memory leak when searching/browsing (gradual leak) (DS-2869)
    • Resolved a significant memory spike when reindexing (only triggered when running "index-discovery" with no arguments) (DS-2832)
    • Solr logging was broken. It did not properly log to the "[dspace]/log/solr.log" files (DS-2790)
    • Fixes to allow fielded or boolean searches to work once again (DS-2699, DS-2803)
  • OAI-PMH fixes:
    • Upgraded the XOAI library to 3.2.10 to resolve several fixes
    • OAI did not support harvesting by date (YYYY-MM-DD) without a time (DS-2524, DS-2542)
    • OAI was ignoring the "dspace.oai.url" setting in "oai.cfg" (DS-2744)
    • OAI getRecord was wrongly including all virtual sets (DS-2573)
  • REST API fixes:
    • /handle not reflecting updates (DS-2692)
    • /collections/<id>/items ignores offset parameter (DS-2719)

       

In addition, this release fixes a variety of minor bugs in the 5.x releases. For more information, see the Changes section below.

Upgrade Instructions

...