Skip to content

2.3.6

Compare
Choose a tag to compare
@leonjza leonjza released this 20 May 07:37
· 276 commits to master since this release
0685be6

This is primarily a security/hardening release.

fixes

  • Limit the allowed URI's that may be submitted to the screenshot or report server to only those starting with http / https by default. You can use the new --allow-insecure-uri / -A flag to disable this. Take note that with the -A flag, it means someone could screenshot file:// URI's and read local files on the host filesystem. To combat some of this abuse, by default the report & screenshot servers listen on localhost only. However, if you are exposing the report or screenshot servers to the Internet (or other untrusted networks), make sure you restrict access to it as other problematic URI's such as localhost and cloud metadata URIs (and any other SSRF vector) will also be reachable this way. (57dffb7) (thanks to Omri Inbar from Checkmarx for reporting the LFI).

other

  • go-staticcheck fixes and other code cleanups (1149417)
8a2ca3dc8a58ce3e103aeabd13df7713c0322b2c  gowitness-2.3.6-darwin-amd64
b50938b99af45d7bc209428a648f057b11a6025f  gowitness-2.3.6-linux-amd64
1dcee72acdf074f1850263643ca9297b0d5b38e3  gowitness-2.3.6-windows-amd64.exe