v9.1
Vulnerabilities fixes:
-
cors security fixed. now the only allowed source is the webui. (the user can set other sources if he wants but the default is to refuse any access from another webiste)
-
path traversal (all endpoints that receive data from the user are now sanitized to prevent path traversal problem)
-
code injection (sanitization has been added to endpoint to prevent code injection except the execute_code endpoint that is now automatically turned off if you expose lollms to the outside world)
-
All os.system that uses data from the user are now replaced with a more secure method
-
Users can deactivate code execution
-
Users can activate code validation which will make the backend ask you for confirmation whenever it receives a code execution command
-
Added the possibility to use https. Just put your certificates in certs subfolder of your personal folder
-
New configurations in settings folder.
-
New personas.
For macos users, please after installing, goto the settings and select your hardware configuration.
Have fun