v1.11.81

while we work out why 24 fails

.github/workflows/backport.yml

@@ -10,7 +10,7 @@ on:
 jobs:
     backport:
         name: Backport
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         # Only react to merged PRs for security reasons.
         # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
         if: >

.github/workflows/build_and_deploy.yaml

@@ -99,7 +99,7 @@ jobs:
             - macos
             - linux
             - windows
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         name: ${{ needs.prepare.outputs.deploy == 'true' && 'Deploy' || 'Deploy (dry-run)' }}
         if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
         environment: ${{ needs.prepare.outputs.deploy == 'true' && 'packages.element.io' || '' }}
@@ -252,7 +252,7 @@ jobs:
 
     deploy-ess:
         needs: deploy
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         name: Deploy builds to ESS
         if: needs.prepare.outputs.deploy == 'true' && github.event_name == 'release'
         env:

.github/workflows/build_and_test.yaml

@@ -60,12 +60,12 @@ jobs:
                           rsync -a /Volumes/Element/Element.app ~/Applications/ &&
                           hdiutil detach /Volumes/Element
                     - name: "Linux (amd64) (sqlcipher: system)"
-                      os: ubuntu-latest
+                      os: ubuntu-22.04
                       artifact: linux-amd64-sqlcipher-system
                       executable: "/opt/Element/element-desktop"
                       prepare_cmd: "sudo apt-get -qq update && sudo apt install ./dist/*.deb"
                     - name: "Linux (amd64) (sqlcipher: static)"
-                      os: ubuntu-latest
+                      os: ubuntu-22.04
                       artifact: linux-amd64-sqlcipher-static
                       executable: "/opt/Element/element-desktop"
                       prepare_cmd: "sudo apt-get -qq update && sudo apt install ./dist/*.deb"

.github/workflows/build_linux.yaml

@@ -26,7 +26,7 @@ jobs:
     # We build the hak files on native infrastructure as matrix-seshat fails to cross-compile properly
     # https://github.com/matrix-org/seshat/issues/135
     hak:
-        runs-on: ${{ inputs.arch == 'arm64' && 'dind-l-arm64' || 'ubuntu-latest' }}
+        runs-on: ${{ inputs.arch == 'arm64' && 'dind-l-arm64' || 'ubuntu-22.04' }}
         env:
             HAK_DOCKER_IMAGE: ghcr.io/element-hq/element-desktop-dockerbuild
         outputs:
@@ -148,7 +148,7 @@ jobs:
 
     build:
         needs: hak
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         steps:
             - uses: actions/checkout@v4
 

.github/workflows/build_prepare.yaml

@@ -45,7 +45,7 @@ jobs:
     prepare:
         name: Prepare
         environment: ${{ inputs.nightly && 'packages.element.io' || '' }}
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         outputs:
             nightly-version: ${{ steps.versions.outputs.nightly }}
         steps:

.github/workflows/dockerbuild.yaml

@@ -12,7 +12,7 @@ env:
 jobs:
     build:
         name: Docker Build
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         permissions:
             contents: read
             packages: write

.github/workflows/release.yml

@@ -26,7 +26,7 @@ jobs:
     check:
         name: Post release checks
         needs: release
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         steps:
             - name: Wait for desktop packaging
               uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork

.github/workflows/static_analysis.yaml

@@ -6,7 +6,7 @@ on:
 jobs:
     ts_lint:
         name: "Typescript Syntax Check"
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         steps:
             - uses: actions/checkout@v4
 
@@ -30,7 +30,7 @@ jobs:
 
     js_lint:
         name: "ESLint"
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         steps:
             - uses: actions/checkout@v4
 
@@ -48,7 +48,7 @@ jobs:
 
     workflow_lint:
         name: "Workflow Lint"
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         steps:
             - uses: actions/checkout@v4
 
@@ -66,7 +66,7 @@ jobs:
 
     analyse_dead_code:
         name: "Analyse Dead Code"
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         steps:
             - uses: actions/checkout@v4
 

.github/workflows/triage-incoming.yml

@@ -6,7 +6,7 @@ on:
 
 jobs:
     automate-project-columns-next:
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         steps:
             - uses: actions/add-to-project@main
               with:

CHANGELOG.md

@@ -1,3 +1,37 @@
+Changes in [1.11.81](https://github.com/element-hq/element-desktop/releases/tag/v1.11.81) (2024-10-15)
+======================================================================================================
+This release fixes High severity vulnerability CVE-2024-47771 / GHSA-963w-49j9-gxj6.
+
+Changes in [1.11.80](https://github.com/element-hq/element-desktop/releases/tag/v1.11.80) (2024-10-08)
+======================================================================================================
+## ✨ Features
+
+* enable Element Call on desktop nightly ([#1873](https://github.com/element-hq/element-desktop/pull/1873)). Contributed by @fkwp.
+* Add doc for 'force\_verification config option ([#28035](https://github.com/element-hq/element-web/pull/28035)). Contributed by @dbkr.
+* Roll back change to device isolation mode ([#104](https://github.com/element-hq/matrix-react-sdk/pull/104)). Contributed by @richvdh.
+* Remove right panel toggling behaviour on room header buttons ([#100](https://github.com/element-hq/matrix-react-sdk/pull/100)). Contributed by @t3chguy.
+* Improve error display for messages sent from insecure devices ([#93](https://github.com/element-hq/matrix-react-sdk/pull/93)). Contributed by @richvdh.
+* Add labs option to exclude unverified devices ([#92](https://github.com/element-hq/matrix-react-sdk/pull/92)). Contributed by @richvdh.
+* Improve contrast for timestamps, date separators \& spotlight trigger ([#91](https://github.com/element-hq/matrix-react-sdk/pull/91)). Contributed by @t3chguy.
+* Open room settings on room header avatar click ([#88](https://github.com/element-hq/matrix-react-sdk/pull/88)). Contributed by @t3chguy.
+* Use `strong` over `b` for improved a11y semantics ([#41](https://github.com/element-hq/matrix-react-sdk/pull/41)). Contributed by @t3chguy.
+* Grant Element Call widget capabilities for "raise hand" feature ([#82](https://github.com/element-hq/matrix-react-sdk/pull/82)). Contributed by @AndrewFerr.
+* Mobile registration optimizations and tests ([#62](https://github.com/element-hq/matrix-react-sdk/pull/62)). Contributed by @langleyd.
+* Ignore chat effect when older than 48h ([#48](https://github.com/element-hq/matrix-react-sdk/pull/48)). Contributed by @florianduros.
+
+## 🐛 Bug Fixes
+
+* Update native OIDC callback url to be RFC8252 compliant ([#28096](https://github.com/element-hq/element-web/pull/28096)). Contributed by @t3chguy.
+* Update icons to include transparency ([#28040](https://github.com/element-hq/element-web/pull/28040)). Contributed by @t3chguy.
+* Fix default\_widget\_container\_height in sample config ([#28034](https://github.com/element-hq/element-web/pull/28034)). Contributed by @dbkr.
+* Fix untranslated keys being rendered in `/help` dialog ([#90](https://github.com/element-hq/matrix-react-sdk/pull/90)). Contributed by @t3chguy.
+* Ensure timeline search results are visible even in video rooms ([#96](https://github.com/element-hq/matrix-react-sdk/pull/96)). Contributed by @t3chguy.
+* Pop right panel timeline when unmaximising widget to avoid double timeline ([#94](https://github.com/element-hq/matrix-react-sdk/pull/94)). Contributed by @t3chguy.
+* Fix accessible label on left panel spotlight trigger ([#87](https://github.com/element-hq/matrix-react-sdk/pull/87)). Contributed by @t3chguy.
+* Crypto: fix display of device key ([#86](https://github.com/element-hq/matrix-react-sdk/pull/86)). Contributed by @richvdh.
+
+
+
 Changes in [1.11.79](https://github.com/element-hq/element-desktop/releases/tag/v1.11.79) (2024-10-01)
 ======================================================================================================
 * No changes

package.json

@@ -2,7 +2,7 @@
     "name": "element-desktop",
     "productName": "Element",
     "main": "lib/electron-main.js",
-    "version": "1.11.79",
+    "version": "1.11.81",
     "description": "A feature-rich client for Matrix.org",
     "author": "Element",
     "homepage": "https://element.io",

src/media-auth.ts

@@ -33,39 +33,74 @@ async function getAccessToken(window: BrowserWindow): Promise<string | undefined
     });
 }
 
+/**
+ * Get the homeserver url
+ * This requires asking the renderer process for the homeserver url.
+ */
+async function getHomeserverUrl(window: BrowserWindow): Promise<string> {
+    return new Promise((resolve) => {
+        ipcMain.once("homeserverUrl", (_, homeserver) => {
+            resolve(homeserver);
+        });
+        window.webContents.send("homeserverUrl"); // ping now that the listener exists
+    });
+}
+
 export function setupMediaAuth(window: BrowserWindow): void {
     session.defaultSession.webRequest.onBeforeRequest(async (req, callback) => {
         // This handler emulates the element-web service worker, where URLs are rewritten late in the request
         // for backwards compatibility. As authenticated media becomes more prevalent, this should be replaced
         // by the app using authenticated URLs from the outset.
-        let url = req.url;
-        if (!url.includes("/_matrix/media/v3/download") && !url.includes("/_matrix/media/v3/thumbnail")) {
-            return callback({}); // not a URL we care about
-        }
+        try {
+            const url = new URL(req.url);
+            if (
+                !url.pathname.startsWith("/_matrix/media/v3/download") &&
+                !url.pathname.startsWith("/_matrix/media/v3/thumbnail")
+            ) {
+                return callback({}); // not a URL we care about
+            }
 
-        const supportedVersions = await getSupportedVersions(window);
-        // We have to check that the access token is truthy otherwise we'd be intercepting pre-login media request too,
-        // e.g. those required for SSO button icons.
-        const accessToken = await getAccessToken(window);
-        if (supportedVersions.includes("v1.11") && accessToken) {
-            url = url.replace(/\/media\/v3\/(.*)\//, "/client/v1/media/$1/");
-            return callback({ redirectURL: url });
-        } else {
-            return callback({}); // no support == no modification
+            const supportedVersions = await getSupportedVersions(window);
+            // We have to check that the access token is truthy otherwise we'd be intercepting pre-login media request too,
+            // e.g. those required for SSO button icons.
+            const accessToken = await getAccessToken(window);
+            if (supportedVersions.includes("v1.11") && accessToken) {
+                url.href = url.href.replace(/\/media\/v3\/(.*)\//, "/client/v1/media/$1/");
+                return callback({ redirectURL: url.toString() });
+            } else {
+                return callback({}); // no support == no modification
+            }
+        } catch (e) {
+            console.error(e);
         }
     });
 
     session.defaultSession.webRequest.onBeforeSendHeaders(async (req, callback) => {
-        if (!req.url.includes("/_matrix/client/v1/media")) {
-            return callback({}); // invoke unmodified
-        }
+        try {
+            const url = new URL(req.url);
+            if (!url.pathname.startsWith("/_matrix/client/v1/media")) {
+                return callback({}); // invoke unmodified
+            }
 
-        // Only add authorization header to authenticated media URLs. This emulates the service worker
-        // behaviour in element-web.
-        const accessToken = await getAccessToken(window);
-        // `accessToken` can be falsy, but if we're trying to download media without authentication
-        // then we should expect failure anyway.
-        const headers = { ...req.requestHeaders, Authorization: `Bearer ${accessToken}` };
-        return callback({ requestHeaders: headers });
+            // Is this request actually going to the homeserver?
+            // We don't combine this check with the one above on purpose.
+            // We're fetching the homeserver url through IPC and should do so
+            // as sparingly as possible.
+            const homeserver = await getHomeserverUrl(window);
+            const isRequestToHomeServer = homeserver && url.origin === new URL(homeserver).origin;
+            if (!isRequestToHomeServer) {
+                return callback({}); // invoke unmodified
+            }
+
+            // Only add authorization header to authenticated media URLs. This emulates the service worker
+            // behaviour in element-web.
+            const accessToken = await getAccessToken(window);
+            // `accessToken` can be falsy, but if we're trying to download media without authentication
+            // then we should expect failure anyway.
+            const headers = { ...req.requestHeaders, Authorization: `Bearer ${accessToken}` };
+            return callback({ requestHeaders: headers });
+        } catch (e) {
+            console.error(e);
+        }
     });
 }

src/preload.ts

@@ -28,6 +28,7 @@ const CHANNELS = [
     "userDownloadAction",
     "openDesktopCapturerSourcePicker",
     "userAccessToken",
+    "homeserverUrl",
     "serverSupportedVersions",
 ];