@paragonie-scott paragonie-scott released this May 5, 2017 · 197 commits to master since this release

Assets 4
  • Fixed a self-induced XSS via the user's display name, reported on HackerOne.

@paragonie-scott paragonie-scott released this Nov 13, 2016 · 197 commits to master since this release

Assets 4
  • Update version constants to prevent endless update loops.

@paragonie-scott paragonie-scott released this Nov 13, 2016 · 197 commits to master since this release

Assets 4
  • #161:
    Don't hard-code HTTP/1.1 in response headers.
  • #164:
    Fixed dead code in Skyport landing.
  • HackerOne #181210:
    Correctly detect .onion URLs. If this malfunctions, there is a
    nonzero risk of MITM attack (because HTTPS wasn't enforced on
    .onion URLs).
  • HackerOne #181225:
    Prevent phishing attacks via pages opened with target="_blank".
  • HackerOne #181315:
    Consistently use binary-safe string functions.

@paragonie-scott paragonie-scott released this Nov 3, 2016 · 197 commits to master since this release

Assets 4
  • Cryptographically associate account recovery tokens with the row ID
    of the user who requested the reset. This means that updating the
    userid column of an existing recovery token will not allow you to
    login as the arbitrary user.
  • #52,
    Allow users, groups, blog post categories, author profiles,
    and series to be deleted.
  • #72:
    You can now configure how emails are sent out. All of the options
    currently provided by Zend\Mail.
  • #128:
    All CMS Airship cookies send a Same-Site header (strictly). This
    adds another layer of resilience against CSRF attacks.
  • #147:
    Implemented a framework for importing data (i.e. password hashes)
    into a CMS Airship project. This will allow users to log in with
    their old password, when Airship only knows the old password hash.
  • #138,
    In addition to being able to change the name of a blog category or
    author, you can also update the slug (and optionally create a
    redirect from the old slug to the new one).
  • #148:
    You can now override the footer text.
  • #149:
    Implemented a View History feature for Blog Posts.
  • #155:
    You can now create user accounts from the Bridge.

@paragonie-scott paragonie-scott released this Oct 31, 2016 · 290 commits to master since this release

Assets 4

@paragonie-scott paragonie-scott released this Sep 12, 2016 · 290 commits to master since this release

Assets 4
  • #134:
    Fixed a few bugs that caused the installer to fail in weird ways
    during a fresh install (i.e. for Docker users).
  • #136:
    If you don't specify a subheader in the blog config, nothing will be
  • #139:
    If an author's biography is empty, the "About the Author" section
    will not be displayed. In a future version, we may change this
    behavior to be dependent on the status of a checkbox rather than the
    non-emptiness of the biography field.
  • #142:
    Hide "Uncategorized" from the right menu if there are no blog posts
    without a category.
  • #143:
    Fixed issues with date/time handling that broke post editing.
  • #144:
    Fixed the regular expression in the required attribute that caused
    browsers to prevent form submission.
  • #145:
    The "default format" is now respected by the forms that support
    different input formats.
  • #146:
    Created a button to purge the caches.
  • Hid the link to view blog post history, as that feature was
    overlooked. We'll implement it in version 1.4.0.
  • Some image types can be viewed directly instead of always forcing a
    download. The enforcement logic is a whitelist (that gadgets can

Also, this runs an autorun script that was overlooked in preparing the v1.3.0 update. If you had broken symlinks for the new Motifs, this will fix it automatically.

@paragonie-scott paragonie-scott released this Aug 29, 2016 · 317 commits to master since this release

Assets 4
  • Significant UI/UX improvements.
    • Redesigned the Bridge UI to be more suitable for a control panel.
    • The left menu in the Bridge is now collapsable, but automatically
      opens the sections which indicate your current location in the
  • Update Halite to 2.2.0.
  • Added a WhiteList filter, which is a strict typed alternative to
    switch-case whitelisting.
  • #129:
    Extension developers can now make their motifs configurable by
    end users.
  • #114:
    We no longer display the database password on the databases page.
    This has always only been accessible to administrators, but now it
    is write-only from the web interface.
  • #131:
    If an exception is thrown by the part of code that loads the logger,
    and the database driver was selected, it will no longer silently
    produce a white screen.
  • #132:
    You can now control the date/time a blog post is published.
  • #133:
    Added the "slug" field to the "Create New Blog Post" form.

@paragonie-scott paragonie-scott released this Jul 26, 2016 · 371 commits to master since this release

Assets 2
  • In addition to expiring after a set period of time, account recovery
    URLs can only be used once. This fixes this feature by making it in
    line with the expected behavior.
  • Bootstrap (JS/CSS framework) was removed, as we don't use it.
  • Dependency update (e.g. HTMLPurifier 4.8.0).

@paragonie-scott paragonie-scott released this Jul 19, 2016 · 387 commits to master since this release

Assets 4
  • Added logic to the Airship updater to attempt to run composer install
    (if we can) if an update includes a composer.lock file.

@paragonie-scott paragonie-scott released this Jul 18, 2016 · 390 commits to master since this release

Assets 4