v1.11.76

CHANGELOG.md

@@ -1,3 +1,38 @@
+Changes in [1.11.76](https://github.com/element-hq/element-desktop/releases/tag/v1.11.76) (2024-08-27)
+======================================================================================================
+## ✨ Features
+
+* Message Pinning: rework the message pinning list in the right panel ([#12825](https://github.com/matrix-org/matrix-react-sdk/pull/12825)). Contributed by @florianduros.
+* Tweak UIA postMessage check to work cross-origin ([#12878](https://github.com/matrix-org/matrix-react-sdk/pull/12878)). Contributed by @t3chguy.
+* Delayed events (Futures) / MSC4140 for call widget ([#12714](https://github.com/matrix-org/matrix-react-sdk/pull/12714)). Contributed by @AndrewFerr.
+* Stop the ongoing ring if another device joins the call session. ([#12866](https://github.com/matrix-org/matrix-react-sdk/pull/12866)). Contributed by @toger5.
+* Rich text Editor: Auto-replace plain text emoticons with emoji ([#12828](https://github.com/matrix-org/matrix-react-sdk/pull/12828)). Contributed by @langleyd.
+* Clean up editor drafts for unknown rooms  ([#12850](https://github.com/matrix-org/matrix-react-sdk/pull/12850)). Contributed by @langleyd.
+* Rename general user settings to account ([#12841](https://github.com/matrix-org/matrix-react-sdk/pull/12841)). Contributed by @dbkr.
+* Update settings tab icons ([#12867](https://github.com/matrix-org/matrix-react-sdk/pull/12867)). Contributed by @dbkr.
+* Disable jump to read receipt button instead of hiding when nothing to jump to ([#12863](https://github.com/matrix-org/matrix-react-sdk/pull/12863)). Contributed by @t3chguy.
+
+## 🐛 Bug Fixes
+
+* Ensure elements on Login page are disabled when in-flight ([#12895](https://github.com/matrix-org/matrix-react-sdk/pull/12895)). Contributed by @t3chguy.
+* Hide pinned messages when grouped in timeline when feature pinning is disabled ([#12888](https://github.com/matrix-org/matrix-react-sdk/pull/12888)). Contributed by @florianduros.
+* Add chat button on new room header for maximised widgets ([#12882](https://github.com/matrix-org/matrix-react-sdk/pull/12882)). Contributed by @t3chguy.
+* Show spinner whilst initial search request is in progress ([#12883](https://github.com/matrix-org/matrix-react-sdk/pull/12883)). Contributed by @t3chguy.
+* Fix user menu font ([#12879](https://github.com/matrix-org/matrix-react-sdk/pull/12879)). Contributed by @florianduros.
+* Allow selecting text in the right panel topic ([#12870](https://github.com/matrix-org/matrix-react-sdk/pull/12870)). Contributed by @t3chguy.
+* Add missing presence indicator to new room header ([#12865](https://github.com/matrix-org/matrix-react-sdk/pull/12865)). Contributed by @t3chguy.
+* Fix permissions in release tarballs ([#27904](https://github.com/element-hq/element-web/pull/27904)). Contributed by @t3chguy.
+
+## 🧰 Maintenance
+
+* Update dependencies for MSC4157 ([#27906](https://github.com/element-hq/element-web/pull/27906)). Contributed by @AndrewFerr.
+
+
+Changes in [1.11.75](https://github.com/element-hq/element-desktop/releases/tag/v1.11.75) (2024-08-20)
+======================================================================================================
+# Security
+- Fixes for [CVE-2024-42369](https://nvd.nist.gov/vuln/detail/CVE-2024-42369) / [GHSA-vhr5-g3pm-49fm](https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm).
+
 Changes in [1.11.74](https://github.com/element-hq/element-desktop/releases/tag/v1.11.74) (2024-08-13)
 ======================================================================================================
 ## ✨ Features

package.json

@@ -2,7 +2,7 @@
     "name": "element-desktop",
     "productName": "Element",
     "main": "lib/electron-main.js",
-    "version": "1.11.74",
+    "version": "1.11.76",
     "description": "A feature-rich client for Matrix.org",
     "author": "Element",
     "homepage": "https://element.io",

src/electron-main.ts

@@ -19,7 +19,7 @@ limitations under the License.
 
 // Squirrel on windows starts the app with various flags as hooks to tell us when we've been installed/uninstalled etc.
 import "./squirrelhooks";
-import { app, BrowserWindow, Menu, autoUpdater, protocol, dialog, Input, Event, session, ipcMain } from "electron";
+import { app, BrowserWindow, Menu, autoUpdater, protocol, dialog, Input, Event, session } from "electron";
 import * as Sentry from "@sentry/electron/main";
 import AutoLaunch from "auto-launch";
 import path from "path";
@@ -42,6 +42,7 @@ import { _t, AppLocalization } from "./language-helper";
 import { setDisplayMediaCallback } from "./displayMediaCallback";
 import { setupMacosTitleBar } from "./macos-titlebar";
 import { loadJsonFile } from "./utils";
+import { setupMediaAuth } from "./media-auth";
 
 const argv = minimist(process.argv, {
     alias: { help: "h" },
@@ -550,50 +551,7 @@ app.on("ready", async () => {
         setDisplayMediaCallback(callback);
     });
 
-    session.defaultSession.webRequest.onBeforeRequest((req, callback) => {
-        // This handler emulates the element-web service worker, where URLs are rewritten late in the request
-        // for backwards compatibility. As authenticated media becomes more prevalent, this should be replaced
-        // by the app using authenticated URLs from the outset.
-        let url = req.url;
-        if (!url.includes("/_matrix/media/v3/download") && !url.includes("/_matrix/media/v3/thumbnail")) {
-            return callback({}); // not a URL we care about
-        }
-
-        // Check for feature support from the server. This requires asking the renderer process for supported
-        // versions.
-        ipcMain.once("serverSupportedVersions", (_, versionsResponse) => {
-            if (versionsResponse?.versions?.includes("v1.11")) {
-                url = url.replace(/\/media\/v3\/(.*)\//, "/client/v1/media/$1/");
-                return callback({ redirectURL: url });
-            } else {
-                return callback({}); // no support == no modification
-            }
-        });
-        global.mainWindow!.webContents.send("serverSupportedVersions"); // ping now that the listener exists
-
-        // we don't invoke callback() in this function - see the ipcMain.once above for callback usage.
-    });
-
-    session.defaultSession.webRequest.onBeforeSendHeaders((req, callback) => {
-        if (!req.url.includes("/_matrix/client/v1/media")) {
-            return callback({}); // invoke unmodified
-        }
-
-        // Only add authorization header to authenticated media URLs. This emulates the service worker
-        // behaviour in element-web.
-
-        // We need to get the access token from the renderer process to do that, though.
-        ipcMain.once("userAccessToken", (_, accessToken) => {
-            // `accessToken` can be falsy, but if we're trying to download media without authentication
-            // then we should expect failure anyway.
-            const headers = { ...req.requestHeaders };
-            headers["Authorization"] = `Bearer ${accessToken}`;
-            return callback({ requestHeaders: headers });
-        });
-        global.mainWindow!.webContents.send("userAccessToken");
-
-        // we don't invoke callback() in this function - see the ipcMain.once above for callback usage.
-    });
+    setupMediaAuth(global.mainWindow);
 });
 
 app.on("window-all-closed", () => {

src/media-auth.ts

@@ -0,0 +1,80 @@
+/*
+Copyright 2024 New Vector Ltd
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import { BrowserWindow, ipcMain, session } from "electron";
+
+/**
+ * Check for feature support from the server.
+ * This requires asking the renderer process for supported versions.
+ */
+async function getSupportedVersions(window: BrowserWindow): Promise<string[]> {
+    return new Promise((resolve) => {
+        ipcMain.once("serverSupportedVersions", (_, versionsResponse) => {
+            resolve(versionsResponse?.versions || []);
+        });
+        window.webContents.send("serverSupportedVersions"); // ping now that the listener exists
+    });
+}
+
+/**
+ * Get the access token for the user.
+ * This requires asking the renderer process for the access token.
+ */
+async function getAccessToken(window: BrowserWindow): Promise<string | undefined> {
+    return new Promise((resolve) => {
+        ipcMain.once("userAccessToken", (_, accessToken) => {
+            resolve(accessToken);
+        });
+        window.webContents.send("userAccessToken"); // ping now that the listener exists
+    });
+}
+
+export function setupMediaAuth(window: BrowserWindow): void {
+    session.defaultSession.webRequest.onBeforeRequest(async (req, callback) => {
+        // This handler emulates the element-web service worker, where URLs are rewritten late in the request
+        // for backwards compatibility. As authenticated media becomes more prevalent, this should be replaced
+        // by the app using authenticated URLs from the outset.
+        let url = req.url;
+        if (!url.includes("/_matrix/media/v3/download") && !url.includes("/_matrix/media/v3/thumbnail")) {
+            return callback({}); // not a URL we care about
+        }
+
+        const supportedVersions = await getSupportedVersions(window);
+        // We have to check that the access token is truthy otherwise we'd be intercepting pre-login media request too,
+        // e.g. those required for SSO button icons.
+        const accessToken = await getAccessToken(window);
+        if (supportedVersions.includes("v1.11") && accessToken) {
+            url = url.replace(/\/media\/v3\/(.*)\//, "/client/v1/media/$1/");
+            return callback({ redirectURL: url });
+        } else {
+            return callback({}); // no support == no modification
+        }
+    });
+
+    session.defaultSession.webRequest.onBeforeSendHeaders(async (req, callback) => {
+        if (!req.url.includes("/_matrix/client/v1/media")) {
+            return callback({}); // invoke unmodified
+        }
+
+        // Only add authorization header to authenticated media URLs. This emulates the service worker
+        // behaviour in element-web.
+        const accessToken = await getAccessToken(window);
+        // `accessToken` can be falsy, but if we're trying to download media without authentication
+        // then we should expect failure anyway.
+        const headers = { ...req.requestHeaders, Authorization: `Bearer ${accessToken}` };
+        return callback({ requestHeaders: headers });
+    });
+}