1.24.2
Security release for Backdrop CMS. This release fixes 1 security vulnerability:
This release also includes a handful of bug fixes and other improvements.
Notes for updating
- This release does modify the settings.php file located outside the core directory. Updating your customized copy of this file is recommended, but not necessary. To update, copy the new section on file_not_normalized_schemes from the latest file to your site's settings.php file.
- It will be necessary to run the update script (located at /core/update.php) for this release.
Changes to site-owner-managed files
Following this release, Backdrop will block access to private files at certain specially crafted paths. Previous versions of Backdrop allowed access to these paths, and in most cases blocking access is the correct behavior.
There may be some sites that rely on allowing access to these paths. It is also possible that the changes in this release may cause other problems with file access. Sites that experience problems with private files after this change should add the following line to settings.php:
$config['system.core']['file_not_normalized_schemes'] = array('private');
This will preserve the old behavior for files saved in the private files directory, using the private stream wrapper from Backdrop core. Sites that need to preserve the old behavior for files using other stream wrappers, from contributed or custom modules, should list those stream wrappers instead of 'private'.
The comments in the default settings.php file have additional information.
Using this setting will bypass the access checks added in this release, which may allow public access to files that are meant to be private. This setting is a temporary backward-compatibility layer for misconfigured sites. It will be removed in a future release since it is insecure.
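The following is an added illustration, not Backdrop's own code, of the rule the notes describe: a private file is served only when the requested path is already in normalized form, unless its scheme is listed in file_not_normalized_schemes. It assumes that "not normalized" means a path whose canonical form (no ".", ".." or empty segments) differs from the requested one; the function names and the sample URIs are constructed for this example.

```php
<?php
// Added illustration (not Backdrop's implementation): model the access check
// that blocks private files at non-normalized paths, with the per-scheme
// bypass from $config['system.core']['file_not_normalized_schemes'].

/**
 * Return the normalized target of a stream URI target such as "a/../b".
 * Assumption: a normalized target has no ".", ".." or empty segments.
 */
function example_normalize_target(string $target): string {
  $parts = array();
  foreach (explode('/', $target) as $segment) {
    if ($segment === '' || $segment === '.') {
      continue;                 // drop empty and current-directory segments
    }
    if ($segment === '..') {
      array_pop($parts);        // step up one level, never above the root
      continue;
    }
    $parts[] = $segment;
  }
  return implode('/', $parts);
}

/**
 * Decide whether a request for $uri may be served.
 * $config mirrors the shape of the settings.php override from the notes.
 */
function example_file_access_allowed(string $uri, array $config): bool {
  if (!preg_match('#^([a-z][a-z0-9+.-]*)://(.*)$#', $uri, $m)) {
    return FALSE;               // not a stream URI at all: deny
  }
  list(, $scheme, $target) = $m;
  $exempt = $config['system.core']['file_not_normalized_schemes'] ?? array();
  if (in_array($scheme, $exempt, TRUE)) {
    return TRUE;                // legacy behaviour: skip the normalization check
  }
  // Hardened behaviour: only serve the file if the path is already canonical.
  return example_normalize_target($target) === $target;
}

// Constructed sample configurations: hardened default vs. the legacy override.
$hardened = array();
$legacy   = array('system.core' => array('file_not_normalized_schemes' => array('private')));

var_dump(example_file_access_allowed('private://reports/q1.pdf', $hardened));
var_dump(example_file_access_allowed('private://reports/../q1.pdf', $hardened));
var_dump(example_file_access_allowed('private://reports/../q1.pdf', $legacy));
```

With the hardened (empty) configuration the second request is denied because its canonical form differs from the requested path, while the legacy override serves it regardless, which is exactly the access check the notes warn the setting bypasses.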
Changes since version 1.24.1 are listed below.
Bug Fixes
- Fixed: Adjust autocomplete dropdown positioning on iPad and iPhone #6050
- Fixed: "More" link on permissions page should toggle description. #6053
- Fixed: Sanitize text format names in hint below editor #6065
- Fixed: Message type not set properly for deprecated system message #6041
- Fixed: EntityReference invokes deprecated Drupal function instead of Backdrop alternative. #6036
Documentation updates
- Docblocks updated with proper @return statements. #6042
- Document $require_settings for find_conf_path(). #6002
User experience improvements
- Display container style on rows in flexible layout template builder. #5523