This should be the last beta release before we tag version 1.0.0. When 1.0.0 is tagged, Airship will be in the scope of our bug bounty on HackerOne.
Paragon Initiative Enterprises is a little different from most vendors: We can tolerate full disclosure. Any updates we release will be deployed, by default, within an hour of their availability.
Changes
- Implemented secure account recovery: users can opt out of account recovery entirely, or supply a GPG public key. We send a random, short-lived token to the email address on file (since Airship doesn't store plaintext passwords). If a GPG public key is available, the account recovery email will be encrypted with GnuPG.
- Turned all of the Cabin classes into Gears, so that Gadgets can extend their functionality.
- Gadgets can also override the selected Lens, transparently.
- Added the option to cache blog posts and blog listings. If cached, comments will be loaded via AJAX instead of in the page itself. This should allow a single blog post to handle over 10,000 requests per second without breaking a sweat.
- Updated jQuery to 3.0.0.
- Regenerate session IDs on login. Thanks @kelunik for bringing this oversight to our attention.
- Implemented progressive rate-limiting based on two factors: IP subnet and username. This covers both the login form and the account recovery form.
- You can now specify HPKP headers on a per-Cabin basis, via the Cabin Management screen.
- You can now add/remove Cabins, Gadgets, and Motifs from the Bridge.
- Sysadmins can "lock" installs to prevent an admin account compromise from leading to a vulnerable extension being installed and subsequently used by an attacker to compromise the server. Locks come in two varieties:
  - Password-based locks, where you must enter a separate password to install a new extension.
  - Absolute locks, which can only be removed by the sysadmin.
- In Landings, `$this->lens()` will now terminate script execution. If you need to fetch the output (e.g. for caching), use `$this->lensRender()` instead.
- Implemented input filters which work on multidimensional arrays (e.g. `$_POST`). We provide a few examples (one for each Cabin's custom config and one for the universal config).
- Implemented optional Two-Factor Authentication support via TOTP (e.g. Google Authenticator).
- Airship now supports in-memory caching via APCu instead of the filesystem.
- Comments are now loaded with AJAX when you elect to cache a blog post.
- When you delete a custom directory, you can elect to create redirects automatically to guide your passengers to the correct destination.
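The account recovery item above describes a random, short-lived token mailed to the address on file. The following is an added example of the server-side half of that pattern, written here in Python for illustration; it is not Airship's code (Airship is PHP) and the `RecoveryStore`, `RecoveryRecord` and `TOKEN_TTL_SECONDS` names and the 15-minute lifetime are assumptions. It shows the three properties a reviewer checks for: the token comes from a CSPRNG, only its hash is stored, and redemption is single-use, time-limited and compared in constant time. Encrypting the outgoing mail to the user's GPG key is left to the mailer and not shown.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical lifetime; the release notes say "short-lived" without giving a number.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class RecoveryRecord:
    token_hash: bytes   # SHA-256 of the token; the plaintext token exists only in the email
    username: str
    expires_at: float
    used: bool = False


class RecoveryStore:
    """Issue and redeem single-use account recovery tokens (example code, not Airship's)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._records: Dict[bytes, RecoveryRecord] = {}

    def issue(self, username: str) -> str:
        """Return a fresh token to mail to the address on file.

        The caller should respond identically whether or not the username exists,
        so the recovery form cannot be used to enumerate accounts."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._records[digest] = RecoveryRecord(digest, username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the username if the token is valid, unexpired and unused; else None."""
        self._purge_expired()
        digest = hashlib.sha256(token.encode()).digest()
        match = None
        # Walk every live record with a constant-time comparison instead of a dict
        # lookup, so a rejected token costs the same regardless of how close it was.
        for record in self._records.values():
            if hmac.compare_digest(record.token_hash, digest) and not record.used:
                match = record
        if match is None:
            return None
        match.used = True  # single use: presenting the same mail twice fails
        return match.username

    def _purge_expired(self) -> None:
        now = self._now()
        for digest in [d for d, r in self._records.items() if r.expires_at <= now]:
            del self._records[digest]
```

Because the store keeps only SHA-256 digests, a leaked database table does not let anyone redeem outstanding tokens; the 256-bit token itself is never persisted.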
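The rate-limiting item above says the limit is progressive and keyed on both IP subnet and username, covering the login and recovery forms. This added example shows one way to build such a limiter; it is illustration in Python, not Airship's implementation, and the `ProgressiveLimiter` class, the /24 and /48 prefix choices, and the policy constants (`FREE_ATTEMPTS`, `BASE_DELAY`, `MAX_DELAY`, `WINDOW`) are assumptions. Keying on the subnet blunts rotation through adjacent addresses; keying on the username blunts a distributed attack on one account; the penalty doubles per excess failure and is capped.

```python
import ipaddress
import time
from typing import Callable, Dict, Tuple

# Hypothetical policy values; the release notes do not state Airship's.
FREE_ATTEMPTS = 3      # failures tolerated before any delay applies
BASE_DELAY = 1.0       # seconds of delay after the first excess failure
MAX_DELAY = 900.0      # cap so the penalty cannot grow without bound
WINDOW = 3600.0        # failures older than this are forgotten


def subnet_key(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) network, e.g. 192.0.2.77 -> 192.0.2.0/24."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network((addr, prefix), strict=False))


class ProgressiveLimiter:
    """Per-subnet and per-username failure counters with exponential back-off (example code)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._failures: Dict[str, Tuple[int, float]] = {}  # key -> (count, last failure time)

    @staticmethod
    def _keys(ip: str, username: str) -> Tuple[str, str]:
        return f"net:{subnet_key(ip)}", f"user:{username.strip().lower()}"

    def _count(self, key: str) -> Tuple[int, float]:
        rec = self._failures.get(key)
        if rec is None or self._now() - rec[1] > WINDOW:
            return 0, 0.0
        return rec

    def penalty(self, ip: str, username: str) -> float:
        """Seconds the caller must still wait before this attempt may proceed (0.0 = allowed now).

        The worse of the two factors wins, so either a noisy subnet or a hammered
        username alone is enough to slow the request down."""
        worst = 0.0
        for key in self._keys(ip, username):
            count, last = self._count(key)
            excess = count - FREE_ATTEMPTS
            if excess <= 0:
                continue
            delay = min(BASE_DELAY * 2 ** (excess - 1), MAX_DELAY)
            worst = max(worst, last + delay - self._now())
        return max(worst, 0.0)

    def record_failure(self, ip: str, username: str) -> None:
        for key in self._keys(ip, username):
            count, _ = self._count(key)
            self._failures[key] = (count + 1, self._now())

    def record_success(self, ip: str, username: str) -> None:
        # A correct login clears the username counter only; the subnet counter is
        # kept so one success inside a spray does not reset the network-level penalty.
        self._failures.pop(self._keys(ip, username)[1], None)
```

The same object serves both forms mentioned in the release notes: the login handler and the recovery handler each call `penalty()` before doing any work and `record_failure()` on a miss.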
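The input-filter item above concerns filters that work on multidimensional arrays such as `$_POST`. The added example below, Python rather than Airship's PHP and not the project's own filter classes, shows the defensive shape such a filter takes: a whitelist schema drives a recursive walk, undeclared keys are dropped (so a posted `is_admin` never reaches the model), and each declared value is coerced to its declared type or rejected. `filter_input`, `FilterError` and the sample form data are all constructed for this example.

```python
from typing import Any, Dict

Schema = Dict[str, Any]  # key -> str/int/bool, [rule] for a list, or a nested Schema


class FilterError(ValueError):
    """Raised when a present value cannot be coerced to its declared type."""


def _coerce(name: str, value: Any, rule: Any) -> Any:
    if isinstance(rule, dict):                 # nested object: recurse with the sub-schema
        return filter_input(value, rule, path=name)
    if isinstance(rule, list):                 # homogeneous list; rule[0] applies to each item
        if not isinstance(value, list):
            raise FilterError(f"{name}: expected a list")
        return [_coerce(f"{name}[{i}]", item, rule[0]) for i, item in enumerate(value)]
    if rule is bool:                           # HTML checkboxes arrive as strings
        return value in (True, "1", "on", "true", "yes")
    if rule is int:
        if isinstance(value, bool) or not isinstance(value, (int, str)):
            raise FilterError(f"{name}: expected an integer")
        try:
            return int(value)
        except ValueError:
            raise FilterError(f"{name}: expected an integer") from None
    if rule is str:
        if not isinstance(value, str):
            raise FilterError(f"{name}: expected a string")
        return value.replace("\x00", "").strip()   # drop NUL bytes, trim whitespace
    raise TypeError(f"unsupported rule for {name}: {rule!r}")


def filter_input(data: Any, schema: Schema, path: str = "") -> Dict[str, Any]:
    """Return a new dict holding only keys declared in schema, each coerced to its rule.

    Undeclared keys are dropped silently (mass-assignment defence); declared keys that
    are absent from the input are simply omitted rather than defaulted."""
    if not isinstance(data, dict):
        raise FilterError(f"{path or '<root>'}: expected an object")
    out: Dict[str, Any] = {}
    for key, rule in schema.items():
        if key in data:
            out[key] = _coerce(f"{path}.{key}" if path else key, data[key], rule)
    return out


def rejects(data: Any, schema: Schema) -> bool:
    """True if the filter refuses the input outright (used by the checks below)."""
    try:
        filter_input(data, schema)
    except FilterError:
        return True
    return False


# Constructed sample shaped like a decoded form post; not captured from any real site.
SAMPLE_POST = {
    "username": "  alice ",
    "is_admin": "1",                                        # undeclared: must be dropped
    "profile": {"bio": "hello\x00", "role": "admin", "age": "34"},
    "tags": ["a", "b"],
}
PROFILE_SCHEMA: Schema = {
    "username": str,
    "profile": {"bio": str, "age": int},
    "tags": [str],
}
```

Run `filter_input(SAMPLE_POST, PROFILE_SCHEMA)` and the result contains only `username`, `profile.bio`, `profile.age` and `tags`; the posted `is_admin` and `profile.role` never survive, which is the property that matters when the filtered dict is handed to a model or config writer.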
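The Two-Factor Authentication item above names TOTP as used by Google Authenticator. As an added example, not Airship's own code, here is the algorithm from RFC 4226 (HOTP) and RFC 6238 (TOTP) in Python, checked against the RFC 6238 test vectors, plus the verification step a server needs: a small clock-skew window and a per-user record of redeemed steps so a captured code cannot be replayed while it is still valid. `verify_totp`, `used_steps` and the window size are assumptions of this example; the base32 secret is the RFC's published test secret, not a real key.

```python
import base64
import hashlib
import hmac
import struct
from typing import Set

# The RFC 6238 test secret ("12345678901234567890") in base32, as an authenticator app would enrol it.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode a base32 shared secret (RFC 4648 alphabet), tolerating spaces and missing padding."""
    clean = b32.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second periods since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, used_steps: Set[int],
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept a code for the current step or up to `window` steps either side, exactly once.

    used_steps is per-user server state holding counter values already redeemed; a code
    whose step is in that set is refused even though it would otherwise still verify."""
    current = unix_time // step
    accepted = None
    for counter in range(current - window, current + window + 1):
        # compare_digest keeps comparison time independent of where the digits differ;
        # the loop runs to completion rather than returning on first match.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            accepted = counter
    if accepted is None or accepted in used_steps:
        return False
    used_steps.add(accepted)
    return True
```

The `used_steps` set should be persisted alongside the user's secret and pruned of entries older than the window; without it, any code observed over the shoulder or by a proxy remains usable for the rest of its 30-second step.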