We’ve just released Shiny Server and Shiny Server Pro 1.4.6. Relative to 1.4.2, our previously blogged-about version, the 1.4.6 release primarily includes bug fixes, and mitigations for low-severity security issues found by penetration testing. The full list of changes is after the jump.
If you’re running a Shiny Server Pro release that is older than 1.4.3 and are configured to use SSL/TLS, it’s especially important that you upgrade, as the versions of Node.js that are bundled with Shiny Server Pro 1.4.3 and earlier include vulnerable versions of OpenSSL.
Shiny Server (Open Source): Download now
Bug fix release.
Security release to fix minor issues raised in penetration test results.
disable_login_autocomplete directive that can be used to instruct browsers not to attempt to autocomplete on the login screen. Note that servers can only suggest this behavior to browsers (and in particular, Google Chrome chooses not to comply, as its developers argue that disabling autocomplete decreases security rather than increasing it).
Add opt-in clickjacking protection via frame_options directive. Login and /admin URLs now served with X-Frame-Options: DENY (the former can be opted out with an auth_frame_options allow; directive).
Fix open redirection on login. Previously, a URL created with malicious intent could cause you to go to an arbitrary URL after successful login. Now, it is only possible to be redirected to a path on Shiny Server.
Add Cross-Site Request Forgery (CSRF) protection to login and other POST operations.
Fix fatal EBADF error that could cause server crashes.
Updated PAM integration to resolve bug with asynchronous PAM modules like pam_ldap, pam_vas, and nss_ldap.
Upgrade to Node.js v0.10.46 (security patches).
Added proxied authentication mechanism via the
Upgrade to Node.js v0.10.45 (primarily for updated OpenSSL).