Skip to content

7.0.0

Latest

Choose a tag to compare

@frasmage frasmage released this 13 Jul 02:45
5108415

What's Changed

This is a security release, upgrading is strongly recommended

  • Added mediable.allowed_remote_hosts configuration which allows restricting remote URL source adapters to a whitelist. Wildcard subdomains may be specified with *.example.com syntax. By default, all hosts are allowed.
  • If no mediable.allowed_remote_hosts allow list is provided, the RemoteUrlAdapter will reject private IP addresses and localhost by default, to prevent Server-Side Request Forgery (SSRF) attacks. [CVE-2026-49969]
  • Added mediable.allowed_remote_schemes configuration which allows restricting remote URL source adapters to a whitelist of allowed URL schemes (e.g. http, https, ftp, etc.). By default, only https is allowed. When modifying this configuration, it may also be necessary to modify the source_adapters pattern matching.
  • Directory validation will now strip . characters from path segments. This prevents attackers from using directory traversal patterns like ../ as well as preventing potential issues with certain filesystems where . characters in directory names may cause unexpected behaviour. [CVE-2026-49970]
  • Added mediable.file_sanitizers configuration which allows specifying custom sanitizers for rewriting file contents to strip out security risks before they are uploaded. A sanitizer must implements the Plank\Mediable\Sanitizers\SanitizerInterface interface.
  • Added SvgSanitizer which will strip executable javascript and other untrusted content from image/svg+xml files, which can result in stored XSS if rendered directly to a webpage. By default, this sanitizer is applied to all uploaded SVG files. It can be disabled by removing it from the mediable.sanitizers config array. [CVE-2026-49971]
  • Added mediable.forbidden_file_extensions configuration and MediaUploader::setForbiddenExtensions() which allows specifying a blacklist of file extensions that are forbidden to be uploaded. Any file extension which is considered executable by your Apache or Nginx configuration should be included in this list. A number of common executable file extensions are included in this list by default to prevent remote code execution exploits.
  • In addition, forbidden file extensions are now sanitized if they are nested within destination filenames (e.g. script.php.jpg becomes script-php.jpg). This prevents remote code execution from double extension bypass due to common Apache and Nginx misconfigurations
  • Added mediable.forbidden_mime_types configuration and MediaUploader::setForbiddenMimeTypes() which allows specifying a blacklist of MIME types that are forbidden to be uploaded.
  • MediaUploader::ON_DUPLICATE_* constants have been moved to an Plank\Mediable\Enum\OnDuplicateBehaviour enum.
  • Added MediaUploaderConfiguration class. Most MediaUploader instance properties are moved to this class. The MediaUploader class now accepts this as a constructor argument instead of an array of configs.
  • MediaUploader::beforeSave() now accepts a \Closure instead of a callable for better static analysis and type safety.

Full Changelog: 6.5.0...7.0.0