2.0.4

Latest

@rhukster rhukster released this 29 Jun 17:45
c22d77d

New

  • Plugins can now register trusted iframe hosts so legitimate provider embeds (such as YouTube) are no longer blanked by the content XSS scan on hardened sites.
  • Added an onXssTrustedMarkup event that lets a plugin exempt its own rendered markup from the content XSS scan without weakening it for editor-authored content.

Bugfix

  • [security] Grav's .htaccess rules that block sensitive folders and files are now matched case-insensitively. This closes a bypass on case-insensitive filesystems (Windows, macOS, some Docker mounts), where a request with different letter casing did not match the block rule but the filesystem still resolved the file, exposing files such as account and config YAML. Existing sites are healed on upgrade (GHSA-vwg3-w8w3-pc79).
  • [security] The user/data folder now ships with a media-aware allowlist: uploaded assets such as images, fonts, CSS and JS are served, while data files such as YAML and JSON stay blocked. Upgrading also widens, in place, the over-narrow allowlist introduced by earlier security updates, so legitimate theme assets stop returning 403. Fixes #4169.
  • [security] The Twig regex_replace filter now returns its input unchanged instead of null when the pattern triggers a PCRE error such as hitting the backtrack limit, so a catastrophic pattern can no longer break the rendered output (GHSA-37f3-6p89-6qr9).
  • bin/gpm self-upgrade no longer fails on shared-folder setups such as a VirtualBox shared folder, where the bin directory holding the running script cannot be deleted; the upgrade files are now overwritten in place instead. Fixes #4171.
  • Debug messages logged during API requests now reach the Admin2 API debug panel and Clockwork even when the debugger is set to PHP DebugBar. Fixes grav-plugin-admin2#76.
  • Requesting a ?resize= larger than the image's original size no longer pads it onto an oversized canvas with a white border; the image is returned at its natural size unless ?forceresize is used. Fixes #4173.
  • Turning off the Twig sandbox no longer breaks pages or modules that contain a form, which previously failed with a "SandboxExtension extension is not enabled" error. Fixes #4175.
  • A blueprint validation error now names the value it rejected, so a message like "Invalid input in Process" explains what actually caused it. Relates to #4178.
  • Adding a blocked item to the Twig sandbox allowlist from the Tools report now clears that block from the recent-blocks list. Fixes grav-plugin-admin2#85.
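
The two .htaccess fixes above, case-insensitive matching of blocked paths and a media-only allowlist for user/data, shown as an added illustrative Apache rewrite fragment. This is example code written for this page, not Grav's shipped .htaccess; the folder list, the extension list and the rule ordering are assumptions chosen to show the technique.

```apache
RewriteEngine On

# Illustrative rules, not Grav's own .htaccess. Patterns are relative to the
# directory holding this file, so they work when the site lives in a subfolder.
# The folder list below is an assumption for the example.

# Before the fix the pattern was case-sensitive, so on a case-insensitive
# filesystem a request for USER/config/system.yaml or User/Accounts/admin.yaml
# did not match the rule, yet the filesystem still found the file.
# [NC] makes the match case-insensitive, [F] answers 403, [L] stops processing.
RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/ - [F,L,NC]
RewriteRule ^user/(accounts|config)/ - [F,L,NC]

# user/data: media-aware allowlist. Only the listed media extensions are served;
# every other file under user/data (YAML, JSON, txt, php, ...) is denied.
# The extension list is an assumption for the example; [NC] on both lines so
# data.YAML and logo.PNG are treated the same as their lower-case forms.
RewriteCond %{REQUEST_FILENAME} !\.(jpe?g|png|gif|webp|avif|ico|woff2?|ttf|otf|eot|css|js)$ [NC]
RewriteRule ^user/data/ - [F,L,NC]
```

To check a site after deploying rules like these, request a blocked path in mixed case (for example USER/CONFIG/SYSTEM.YAML) and confirm a 403, then request a real image under user/data and confirm a 200; on a case-sensitive Linux filesystem the mixed-case request returns 404 either way, but the [NC] flag keeps the rule correct when the same tree is copied to Windows, macOS or a case-insensitive mount. SVG is deliberately absent from the example allowlist because SVG can carry script, so whether to serve it from an upload folder is a separate decision. These rules only cover Apache; a site served by another web server has its own configuration and needs the same case-insensitive treatment there.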