
      Movim 0.27 Lovas

      Timothée Jaussoin · pubsub.movim.eu / Movim · Thursday, 22 August - 20:03

    What was planned to be a minor #release after last month's one turned out to be a major release regarding the number of changes, new features and fixes that were made in the meantime. Let's have a look!

    Edit: a small fix was made just after the release, it is available in a v0.27.1 release.

    Important security fix: remote code execution through unsafe unserialize

    An important security issue was discovered just before this release, and it was decided to directly fix and release it. We are strongly encouraging you to upgrade your instance to this version.

    Context

    For more than ten years now Movim has saved its user configuration in a dedicated PubSub node on the user's XMPP profile. This allows users to keep their Movim instances synchronized and to get their configuration back if they choose to migrate to a new instance.

    Back then, it was decided to simply save the PHP configuration as a serialized string in a PubSub node item.

    A malicious person could then inject into their own XMPP profile a malicious serialized string that Movim would try to parse when connecting, making Movim vulnerable to a remote code execution attack. This related blog post explains it quite well.

    Security fix

    The serialize and unserialize related code has been completely replaced and rewritten. Movim now publishes its configuration as a standard XEP-0004: Data Form, which is also cleaner and easier to handle.
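    The vulnerable pattern beside the safer Data Forms parsing, as an added PHP illustration (not Movim's own code; the function names, the allowed keys and the sample form are assumptions):

```php
<?php
declare(strict_types=1);

// Constructed example, not Movim's code. The function names and the
// three configuration keys below are assumptions made for illustration.
const ALLOWED_KEYS = ['language', 'theme', 'notifications'];

// BEFORE: the item payload comes from the user's own PubSub node, so it is
// attacker-controlled. unserialize() on it can instantiate any loaded class
// and trigger its magic methods (__wakeup, __destruct): that is the RCE.
function loadConfigUnsafe(string $payload): array
{
    return (array) unserialize($payload);
}

// AFTER: the configuration is an XEP-0004 data form. Only plain string
// fields are read, and only the keys the application knows are kept.
function parseDataFormConfig(string $xml): array
{
    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    libxml_use_internal_errors($previous);
    if ($doc === false) {
        return []; // malformed item: fall back to defaults, never to the payload
    }
    $doc->registerXPathNamespace('x', 'jabber:x:data');
    $config = [];
    foreach ($doc->xpath('//x:x/x:field[@var]') ?: [] as $field) {
        $var = (string) $field['var'];
        if (!in_array($var, ALLOWED_KEYS, true)) {
            continue; // unknown field: ignore it rather than trust it
        }
        $config[$var] = (string) $field->children('jabber:x:data')->value;
    }
    return $config;
}

// Constructed item payload in the new format; the "evil" field is dropped.
$item = <<<XML
<x xmlns="jabber:x:data" type="submit">
  <field var="language"><value>en</value></field>
  <field var="theme"><value>dark</value></field>
  <field var="evil"><value>ignored</value></field>
</x>
XML;

var_dump(parseDataFormConfig($item));
```

    The key property of the new path is that the stored item is only ever read as data (strings under known keys); no object is ever reconstructed from it, so there is no class to abuse.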

    What's new?

    First steps of the Movim Live video-conferencing project

    Last month we announced that NLNet was funding a large set of features around video-conferencing in Movim.

    The NLNet logo

    This release brings the first important changes live 🎉

    Moving the pop-up back to the main tab

    When video-conferencing was first added to Movim the platform was not yet a full Progressive Web App and the pages were reloading the Javascript environment completely each time the user clicked on a new link. The video-conferences were then moved to a dedicated pop-up to ensure that the connection was not accidentally reloaded during the call.

    A lot of work has been done over the past few releases to keep the Javascript session alive and load the content dynamically when navigating on the platform.

    This release not only brings back the video-conference window in the main tab but also integrates it dynamically into the discussions.

    Introducing the floating, chat-integrated, and full-screen modes

    When making a call you will now be able to switch dynamically between the different modes.

    The chat and floating mode

    When chatting with the person the video and audio call are integrated directly on top of the discussion. It automatically switches to floating mode on the other pages. Some more work regarding those modes and their integrations will be planned in the future.

    It is also possible to quickly switch to full-screen mode anytime if you want to really focus on the call with your friend.

    Current call status

    With the reintegration of the popup a lot of work was also done in the backend to keep track of all the events of the call. A specific CurrentCall object was created allowing the interface to be aware in real time of the call status.

    The call status

    The chats list and header now display a blinking "In call" status.

    Modernization of the XMPP Jingle stack

    The related pull request also brings a huge refactoring of the video-conferencing Javascript code and a modernization of the Jingle stack, fixing a few bugs along the way.

    This is just the beginning

    Those are just the first few steps. In the upcoming months we are planning to integrate multi-participant calls as well as server-side handled video-calls. Stay tuned, the Movim Live project will really bring a lot of awesome surprises!

    Database refactorings, cleanups and UI fixes

    Movim was storing a few pieces of data as serialized objects in the Cache table, including the status of incoming invitations and notifications, open chats and the last article read. The related caches table was completely removed and the related data is now stored properly in dedicated tables.

    Along the way, some broken migrations were also fixed and the related database libraries were updated.

    A lot of small UI bugs were also fixed in this version.

    What's next?

    The Movim Live project will be the main priority in the upcoming months.

    We are expecting some surprises and difficulties along the way, so no promise can be made regarding the deadlines and the features to come in the upcoming release.

    Don't forget to share this release around and support us if you like what we're doing 😊

    That's all folks!

    #nlnet #security #videoconference #database