Skip to content

1.0.2

Choose a tag to compare

@rhukster rhukster released this 23 Jun 00:03
971f92b

Bugfix

  • [security] The token signing secret is now kept in a protected, non-committed file outside your site config instead of in plugins/api.yaml, so it can no longer be read from the config or leaked through templates, and existing logins keep working across the upgrade (getgrav/grav#4150).
  • [security] File uploads through the API now reject names that hide a disguised second extension such as shell.php.jpg, closing a path that could let an executable script be saved and run on the server (GHSA-66v2-vxxf-xc3v).
  • [security] SVG images uploaded through the API are now cleaned of any embedded scripts, so a malicious SVG can no longer run code in an admin's browser when viewed (GHSA-7vhm-8x52-2r5p).