Paperless-ngx - Package Updates

Package Updates

[1.51.2]

• Update gotenberg to 8.31.0

Package Updates

[1.51.3]

• Update paperless-ngx to 2.20.15
• Full Changelog
• Fix: use only allauth login/logout endpoints @shamoon (#12639)
• Fix: correctly scope mail account enumeration @shamoon (#12636)
• Fix: prevent intermediate change event when CustomFieldQueryAtom operator changes type @ggouzi (#12597)
• Fix: reject invalid requests to API notes endpoint @ggouzi (#12582)

Package Updates

[1.52.0]

• Update gotenberg to 8.32.0
• Full Changelog
• Reverted SSRF defaults (breaking vs 8.31.0). 8.31.0 blocked private-IP destinations by default, which broke deployments running Gotenberg inside a private network. 8.32.0 restores the 8.30.x permissive defaults. Operators with internet-facing APIs opt into the strict posture via the new flags below.
• Rejected file:// at /forms/chromium/convert/url. Submitting url=file:///tmp/... used to let an unauthenticated caller enumerate the request working directory and read other in-flight uploads as rendered PDFs. The route now returns HTTP 400 for any file:// URL.
• Required uploaded file for image / pdf stamp and watermark sources. Twelve callsites accepted stampSource=pdf or watermarkSource=pdf with an expression pointing at any path the Gotenberg process could open, even when no file was uploaded. Handlers now return HTTP 400 unless the caller uploaded a matching file.
• Scoped file:// sub-resources to the request working directory. Crafted HTML could reference another request's file:///tmp/<reqdir>/.... The CDP request handler now restricts file:// sub-resources to the current request's directory. /convert/url and /screenshot/url reject every file:// sub-resource outright.
• Hardened Chromium against DNS rebinding. A short-TTL DNS authority could return a public IP at validation and a private IP at connect. A loopback HTTP / CONNECT proxy now sits between Chromium and the network, resolves DNS once, and pins the dial to the resolved IP. Skipped when --chromium-proxy-server or --chromium-host-resolver-rules is set.
• Filtered LibreOffice outbound fetches through a proxy. Uploaded OOXML, RTF, and ODF files can embed external URLs that LibreOffice's libcurl resolves below every Go-side SSRF filter. LibreOffice now routes every outbound fetch through an in-process forward proxy on the same gotenberg.DecideOutbound path Chromium and webhook delivery use. See the four new flags below.
• Recovered webhook async panics. High-concurrency webhooks could panic the async goroutine and crash the whole process. The goroutine now snapshots the request context and recovers any future panic through the existing error path.
• LibreOffice outbound URL filtering. Four flags mirror the Chromium and webhook layout: --libreoffice-allow-list, --libreoffice-deny-list, --libreoffice-deny-private-ips, --libreoffice-deny-public-ips. All default permissive.
• IP-class filtering on four modules. chromium, webhook, api-download-from, and libreoffice each accept matching deny-private-ips and deny-public-ips flags. All default to false.
• Charts print as blank rectangles (#1531, #1532, #1534, #1535 chromedp v0.15.0 suspended the BeginFrame-driven callback dispatch loop under emulatedMediaType=print. requestAnimationFrame, ResizeObserver, IntersectionObserver, CSS transitionend, and CSS animationend all stopped firing. Pinning chromedp back to v0.14.2 restores native dispatch.

Package Updates

[1.53.0]

• Update gotenberg to 8.33.0

Package Updates

[1.54.0]

• Update gotenberg to 8.34.0
• Full Changelog
• Block content linked from untrusted locations in LibreOffice. An uploaded document could reference external (http(s)://) or local (file:///) resources that LibreOffice resolved during conversion, giving blind SSRF and a limited local-file read. The soffice profile now sets BlockUntrustedRefererLinks, so soffice refuses to load any content a document links. Embedded content is unaffected; documents relying on linked resources no longer render them.
• Factur-X / ZUGFeRD metadata (#1552). Conversions now inject the matching XMP metadata, and the API replaces the single facturx payload with dedicated form fields. Thanks @fank.
• Owner-only encryption and permissions. A new ownerPassword, independent of userPassword, plus permission controls restrict what a viewer may do without locking the document open.
• log-std-level-case (#1339). New flag to set the level field casing in standard output, lower (default) or upper. Thanks @Jaben.
• CSV conversions leaked the upload's UUID filename as a page header (#1568). Calc printed the sheet name, which was the UUID-based upload filename, as a centered page header. Now suppressed. Thanks @vapranav.
• Webhook async lost trace context. The async delivery goroutine detached from the request context and dropped the trace, breaking span continuity. It now preserves the context via context.WithoutCancel.
• ca-certificates missing in the chromium-only image. Outbound TLS could fail in the chromium-only build. The package is now installed. Thanks @osvein.
• LibreOffice core-dump retries. Retries on ErrCoreDumped are now capped and observable, and the ErrRuntimeException message is corrected.