ZeroNet version 0.7.1
Breaking Changes
- Security: Wrapper template HTML injection vulnerability patched (rev4188+) — sites can no longer gain unrestricted WebSocket ADMIN/NOSANDBOX access or modify client config
Features
- UiPluginManager plugin for third-party plugin management and installation
- Full OpenSSL 1.1 support
- Fake SNI and ALPN headers on peer connections for standard HTTPS parity
Fixes
- Merged site data now loads immediately instead of after 5-second delay
- WebSocket connections restricted to known origins; open_browser config values sanitized
UI
- Pull down top-right 0 button to access console
- New UiPluginManager plugin: Manage and install third-party plugins.
- Full support of OpenSSL 1.1 (Thanks to radfish & imachug)
- Fix a bug that did not load merged site data for 5 sec after the site got added
- Add fake SNI and ALPN to peer connections to make it more like standard https connections
Important security update:
Wrapper template HTML injection vulnerability [Reported by ivanq]
In ZeroNet before rev4188, the wrapper template variables were rendered incorrectly.
Result: The opened site was able to gain a WebSocket connection with unrestricted ADMIN/NOSANDBOX access, change configuration values, and possibly achieve RCE on the client's machine.
Fix: Fixed the template rendering code, disallowed WebSocket connections from unknown locations, and restricted open_browser configuration values to avoid possible RCE in case of a sandbox escape.
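
The three mitigations named in the fix, shown as an added Python example that is not ZeroNet's own code. The template, function names, the UI address 127.0.0.1:43110 and the open_browser allow-list values are assumptions made for illustration.

```python
import html
import json
from string import Template
from urllib.parse import urlsplit

# Hypothetical wrapper template: variables land in HTML text, an attribute, and a script block.
WRAPPER = Template(
    "<title>$title</title>\n"
    '<iframe sandbox src="$inner_path"></iframe>\n'
    "<script>var wrapper_key = $wrapper_key_js;</script>"
)

def render_wrapper(title, inner_path, wrapper_key):
    """Render the wrapper with each variable escaped for the context it lands in."""
    return WRAPPER.substitute(
        title=html.escape(title, quote=True),
        inner_path=html.escape(inner_path, quote=True),
        # JSON-encode for the script context; escaping "<" keeps "</script>" from closing the block.
        wrapper_key_js=json.dumps(wrapper_key).replace("<", "\\u003c"),
    )

# Assumed local UI address; only pages served from it may open the WebSocket.
ALLOWED_ORIGIN_HOSTS = frozenset({"127.0.0.1:43110", "localhost:43110"})

def origin_allowed(origin_header, allowed=ALLOWED_ORIGIN_HOSTS):
    """Return True only when the handshake's Origin header names a known UI host."""
    if not origin_header:
        return False  # missing header: unknown location
    parts = urlsplit(origin_header)  # "null" (sandboxed frame) parses with no scheme
    return parts.scheme in ("http", "https") and parts.netloc.lower() in allowed

# Placeholder allow-list; the values ZeroNet actually accepts are not given on this page.
ALLOWED_OPEN_BROWSER = frozenset({"default_browser", "False"})

def validate_open_browser(value):
    """Reject any open_browser value that is not on the allow-list."""
    if value not in ALLOWED_OPEN_BROWSER:
        raise ValueError("open_browser value not allowed: %r" % (value,))
    return value

if __name__ == "__main__":
    # Constructed inputs: a site-controlled title carrying markup, and three Origin values.
    print(render_wrapper("My site</title><b>x</b>", "/1Example/index.html", "abc123"))
    for origin in ("http://127.0.0.1:43110", "null", "http://site.example"):
        print(origin, origin_allowed(origin))
```

Each layer holds on its own: escaping keeps site-supplied values from becoming markup, the Origin check refuses handshakes from pages outside the UI, and the allow-list bounds what a changed config value can launch.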