You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Fix potential SSRF and local file disclosure: option URLs are fetched server-side only when their scheme is allowed (http, https by default, configurable via the new $allowedSchemes constructor argument)
Fix potential arbitrary file deletion at shutdown: removeTemporaryFiles() now only deletes files located inside the temporary folder
Fix PHAR deserialization via the output filename (CVE-2023-28115 case-insensitive bypass): the output path is now validated against a scheme allow-list instead of a case-sensitive phar:// check
