PrivateBin release 1.7.6 switched to WASM streaming & eliminated unsa…

…fe-eval CSP
PrivateBin · Feb 1, 2025 · a03f563 · a03f563
1 parent 31e8871
commit a03f563
Show file tree

Hide file tree

Showing 7 changed files with 71 additions and 20 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Change Log
 
+# 0.15.0
+- PrivateBin release 1.7.6 switched to WASM streaming & eliminated unsafe-eval CSP
+- bump libraries
+
 # 0.14.0
 - switch to rust 1.78 to support diesel_migrations 2.2.0
 - bump libraries

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "directory"
-version = "0.14.0"
+version = "0.15.0"
 authors = ["El RIDO <[email protected]>"]
 edition = "2021"
 license = "AGPL-3.0"

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 FROM scratch
-ARG RELEASE=0.14.0
+ARG RELEASE=0.15.0
 LABEL [email protected] \
       org.opencontainers.image.vendor=PrivateBin \
       org.opencontainers.image.documentation=https://github.com/PrivateBin/Directory/blob/master/README.md \

diff --git a/Dockerfile.standalone b/Dockerfile.standalone
@@ -1,5 +1,5 @@
 FROM rust:1.78-alpine3.20
-ARG RELEASE=0.14.0
+ARG RELEASE=0.15.0
 RUN apk --no-cache update && \
     apk add --no-cache \
         musl-dev \
@@ -16,7 +16,7 @@ RUN wget -qO - https://github.com/PrivateBin/Directory/archive/${RELEASE}.tar.gz
     upx --ultra-brute target/release/directory
 
 FROM scratch
-ARG RELEASE=0.14.0
+ARG RELEASE=0.15.0
 LABEL [email protected] \
       org.opencontainers.image.vendor=PrivateBin \
       org.opencontainers.image.documentation=https://github.com/PrivateBin/Directory/blob/master/README.md \

diff --git a/LICENSE.md b/LICENSE.md
@@ -20,7 +20,7 @@ This document lists the licenses of the projects used in the instance directory.
 
 #### Used by
 
-- [directory](https://crates.io/crates/directory) 0.14.0
+- [directory](https://crates.io/crates/directory) 0.15.0
 
 ```
 GNU AFFERO GENERAL PUBLIC LICENSE
@@ -8631,7 +8631,6 @@ THE SOFTWARE.
 #### Used by
 
 - [hyper](https://github.com/hyperium/hyper) 0.14.32
-- [hyper](https://github.com/hyperium/hyper) 1.5.2
 
 ```
 Copyright (c) 2014-2021 Sean McArthur
@@ -8687,6 +8686,34 @@ THE SOFTWARE.
 
 #### Used by
 
+- [hyper](https://github.com/hyperium/hyper) 1.6.0
+
+```
+Copyright (c) 2014-2025 Sean McArthur
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the &quot;Software&quot;), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+```
+### <a id="MIT"></a>MIT License
+
+#### Used by
+
 - [ring](https://github.com/briansmith/ring) 0.17.8
 
 ```
@@ -9269,7 +9296,7 @@ SOFTWARE.
 
 #### Used by
 
-- [tokio-macros](https://github.com/tokio-rs/tokio) 2.4.0
+- [tokio-macros](https://github.com/tokio-rs/tokio) 2.5.0
 
 ```
 MIT License
@@ -9383,7 +9410,7 @@ THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRES
 
 - [tokio-stream](https://github.com/tokio-rs/tokio) 0.1.17
 - [tokio-util](https://github.com/tokio-rs/tokio) 0.7.13
-- [tokio](https://github.com/tokio-rs/tokio) 1.42.0
+- [tokio](https://github.com/tokio-rs/tokio) 1.43.0
 
 ```
 MIT License

diff --git a/src/models.rs b/src/models.rs
@@ -22,11 +22,33 @@ use url::Url;
 
 pub const CSP_RECOMMENDATION: &str = "default-src 'none'; base-uri 'self'; \
     form-action 'none'; manifest-src 'self'; connect-src * blob:; \
-    script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; \
+    script-src 'self' 'wasm-unsafe-eval'; style-src 'self'; font-src 'self'; \
     frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; \
     object-src blob:; sandbox allow-same-origin allow-scripts allow-forms \
     allow-popups allow-modals allow-downloads";
 static CSP_MAP: &[(&str, &str)] = &[
+    // since 1.7.6, with bootstrap
+    ("1.7.6", CSP_RECOMMENDATION),
+    // since 1.7.6, with bootstrap5
+    (
+        "1.7.6",
+        "default-src 'self'; base-uri 'self'; form-action 'none'; \
+        manifest-src 'self'; connect-src * blob:; script-src 'self' \
+        'wasm-unsafe-eval'; style-src 'self'; font-src 'self'; \
+        frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; \
+        object-src blob:; sandbox allow-same-origin allow-scripts allow-forms \
+        allow-modals allow-downloads",
+    ),
+    // since 1.7.2, with bootstrap5
+    (
+        "1.7.",
+        "default-src 'self'; base-uri 'self'; form-action 'none'; \
+        manifest-src 'self'; connect-src * blob:; script-src 'self' \
+        'unsafe-eval'; style-src 'self'; font-src 'self'; \
+        frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; \
+        object-src blob:; sandbox allow-same-origin allow-scripts allow-forms \
+        allow-modals allow-downloads",
+    ),
     (
         "1.3.5",
         "default-src 'none'; manifest-src 'self'; connect-src * blob:; \
@@ -63,18 +85,16 @@ static CSP_MAP: &[(&str, &str)] = &[
         script-src 'self'; style-src 'self'; font-src 'self'; \
         img-src 'self' data:; referrer no-referrer;",
     ),
-    // since 1.7.2, with bootstrap5
+    // since 1.4
     (
-        "1.7.",
-        "default-src 'self'; base-uri 'self'; form-action 'none'; \
-        manifest-src 'self'; connect-src * blob:; script-src 'self' \
-        'unsafe-eval'; style-src 'self'; font-src 'self'; \
-        frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; \
-        object-src blob:; sandbox allow-same-origin allow-scripts allow-forms \
-        allow-modals allow-downloads",
+        "1.",
+        "default-src 'none'; base-uri 'self'; form-action 'none'; \
+    manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; \
+    style-src 'self'; font-src 'self'; frame-ancestors 'none'; \
+    img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox \
+    allow-same-origin allow-scripts allow-forms allow-popups allow-modals \
+    allow-downloads",
     ),
-    // since 1.4
-    ("1.", CSP_RECOMMENDATION),
 ];
 const OBSERVATORY_API: &str = "https://observatory-api.mdn.mozilla.net/api/v2/scan?host=";
 const OBSERVATORY_MAX_CONTENT_LENGTH: u64 = 10240;