Version 1.25.4

@umputun umputun released this 21 May 00:33
b19c8d7

Security: fixes a stored XSS in avatar.Proxy by rejecting non-image avatar content before storage and before serving. Also adds CSP/nosniff headers, WebP-safe validation, ETag parsing fixes, and decompression-bomb checks. Credit to @paskal.
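As an added example that is not the project's own code, the Go program below shows the shape of the defence the release note describes (go-pkgz/auth is a Go library): the decision whether bytes may be stored and served as an avatar is made from the bytes themselves, never from the upstream Content-Type header; a small file that declares a huge canvas is refused before any pixel buffer is allocated; and the response carries nosniff and CSP headers. All function names, limits and sample inputs here are assumptions. WebP is accepted on its RIFF/WEBP signature only, because the standard library has no WebP decoder (a dimension check for it would need golang.org/x/image/webp).

```go
// Added example, not go-pkgz/auth code: validate proxied avatar bytes by
// content sniffing and header inspection, then serve them with hardened headers.
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	_ "image/gif"  // register the stdlib decoders so image.DecodeConfig
	_ "image/jpeg" // can read PNG, JPEG and GIF headers
	"image/png"
	"net/http"
)

const (
	maxAvatarBytes = 1 << 20 // assumed cap on stored/served bytes (1 MiB)
	maxAvatarSide  = 4096    // assumed cap on width and height in pixels
)

// allowedImageTypes is the allowlist of sniffed MIME types an avatar may carry.
var allowedImageTypes = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

var (
	ErrNotImage = errors.New("avatar: content is not an allowed image type")
	ErrTooLarge = errors.New("avatar: image exceeds size limits")
)

// ValidateAvatar decides from the bytes themselves whether data may be stored
// and served as an avatar, and returns the sniffed MIME type to put on the response.
func ValidateAvatar(data []byte) (string, error) {
	if len(data) == 0 || len(data) > maxAvatarBytes {
		return "", ErrTooLarge
	}
	// DetectContentType applies the WHATWG sniffing rules to the first 512 bytes;
	// HTML or SVG text sent with a spoofed image/* header is classified as text here.
	sniffed := http.DetectContentType(data)
	if !allowedImageTypes[sniffed] {
		return "", ErrNotImage
	}
	if sniffed == "image/webp" {
		// No stdlib decoder: the RIFF/WEBP signature match is all we check.
		return sniffed, nil
	}
	// DecodeConfig reads only the header and allocates no pixel buffer, so a
	// decompression bomb (tiny file, enormous declared canvas) is rejected cheaply.
	cfg, _, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return "", ErrNotImage
	}
	if cfg.Width <= 0 || cfg.Height <= 0 || cfg.Width > maxAvatarSide || cfg.Height > maxAvatarSide {
		return "", ErrTooLarge
	}
	return sniffed, nil
}

// avatarHeaders builds response headers that stop a browser from interpreting
// the body as anything but an inert inline image.
func avatarHeaders(ctype string) http.Header {
	h := http.Header{}
	h.Set("Content-Type", ctype)
	h.Set("X-Content-Type-Options", "nosniff")       // browser must not re-sniff the body
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	h.Set("Content-Disposition", "inline")
	return h
}

// ServeAvatar validates data and writes it with the hardened headers, or a 404.
func ServeAvatar(w http.ResponseWriter, data []byte) error {
	ctype, err := ValidateAvatar(data)
	if err != nil {
		http.Error(w, "avatar unavailable", http.StatusNotFound)
		return err
	}
	for k, v := range avatarHeaders(ctype) {
		w.Header()[k] = v
	}
	_, err = w.Write(data)
	return err
}

// tinyPNG is a constructed sample input: a real, decodable 2x2 PNG.
func tinyPNG() []byte {
	var buf bytes.Buffer
	_ = png.Encode(&buf, image.NewRGBA(image.Rect(0, 0, 2, 2)))
	return buf.Bytes()
}

// bombPNG is a constructed sample input: a valid PNG signature plus IHDR chunk
// (33 bytes in total) that declares a w x h RGBA canvas and nothing else.
func bombPNG(w, h uint32) []byte {
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:], w)
	binary.BigEndian.PutUint32(ihdr[4:], h)
	ihdr[8], ihdr[9] = 8, 6 // 8-bit depth, colour type 6 (RGBA)
	chunk := append([]byte("IHDR"), ihdr...)
	var buf bytes.Buffer
	buf.WriteString("\x89PNG\r\n\x1a\n")
	_ = binary.Write(&buf, binary.BigEndian, uint32(13))
	buf.Write(chunk)
	_ = binary.Write(&buf, binary.BigEndian, crc32.ChecksumIEEE(chunk))
	return buf.Bytes()
}

func main() {
	for name, data := range map[string][]byte{
		"2x2 png":        tinyPNG(),
		"html as avatar": []byte("<html><body>not an image</body></html>"),
		"20000x20000 hdr": bombPNG(20000, 20000),
	} {
		ct, err := ValidateAvatar(data)
		fmt.Printf("%-16s type=%q err=%v\n", name, ct, err)
	}
}
```

The order of the checks matters: the byte-size cap and the sniff run before any decoder is touched, and DecodeConfig replaces a full Decode so the dimension limit is enforced without paying the memory cost the bomb is designed to inflict.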

Changes since v1.25.3

  • #290 prevent stored XSS via avatar content-type spoofing

Full Changelog: v1.25.3...v1.25.4