What's Changed
This is a security release, upgrading is strongly recommended
- Added
mediable.allowed_remote_hostsconfiguration which allows restricting remote URL source adapters to a whitelist. Wildcard subdomains may be specified with*.example.comsyntax. By default, all hosts are allowed. - If no
mediable.allowed_remote_hostsallow list is provided, theRemoteUrlAdapterwill reject private IP addresses and localhost by default, to prevent Server-Side Request Forgery (SSRF) attacks. [CVE-2026-49969] - Added
mediable.allowed_remote_schemesconfiguration which allows restricting remote URL source adapters to a whitelist of allowed URL schemes (e.g.http,https,ftp, etc.). By default, onlyhttpsis allowed. When modifying this configuration, it may also be necessary to modify thesource_adapterspattern matching. - Directory validation will now strip
.characters from path segments. This prevents attackers from using directory traversal patterns like../as well as preventing potential issues with certain filesystems where.characters in directory names may cause unexpected behaviour. [CVE-2026-49970] - Added
mediable.file_sanitizersconfiguration which allows specifying custom sanitizers for rewriting file contents to strip out security risks before they are uploaded. A sanitizer must implements thePlank\Mediable\Sanitizers\SanitizerInterfaceinterface. - Added
SvgSanitizerwhich will strip executable javascript and other untrusted content fromimage/svg+xmlfiles, which can result in stored XSS if rendered directly to a webpage. By default, this sanitizer is applied to all uploaded SVG files. It can be disabled by removing it from themediable.sanitizersconfig array. [CVE-2026-49971] - Added
mediable.forbidden_file_extensionsconfiguration andMediaUploader::setForbiddenExtensions()which allows specifying a blacklist of file extensions that are forbidden to be uploaded. Any file extension which is considered executable by your Apache or Nginx configuration should be included in this list. A number of common executable file extensions are included in this list by default to prevent remote code execution exploits. - In addition, forbidden file extensions are now sanitized if they are nested within destination filenames (e.g.
script.php.jpgbecomesscript-php.jpg). This prevents remote code execution from double extension bypass due to common Apache and Nginx misconfigurations - Added
mediable.forbidden_mime_typesconfiguration andMediaUploader::setForbiddenMimeTypes()which allows specifying a blacklist of MIME types that are forbidden to be uploaded. - MediaUploader::ON_DUPLICATE_* constants have been moved to an
Plank\Mediable\Enum\OnDuplicateBehaviourenum. - Added
MediaUploaderConfigurationclass. MostMediaUploaderinstance properties are moved to this class. TheMediaUploaderclass now accepts this as a constructor argument instead of an array of configs. MediaUploader::beforeSave()now accepts a\Closureinstead of acallablefor better static analysis and type safety.
Full Changelog: 6.5.0...7.0.0