
Serendipity 2.0.4 and 2.1-beta2 released

@garvinhicking garvinhicking released this 26 Sep 08:48

Serendipity 2.0.4 is a maintenance security release which addresses these issues:

* [Security] Prevent moving files by using their directory name.
* [Security] Possible SQL injection for entry category assignment.
* [Security] Possible SQL injection for removing & adding a plugin.

  All of these issues require a valid backend login.
  Thanks to Hendrik Buchwald for finding them via their
  RIPS source code analyzer (www.ripstech.com).

* [Security] Add a new configuration option that enables fetching
  local files for the media uploader. This is now disabled by
  default to prevent Server Side Request Forgery (SSRF).
  Thanks to Xu Yue for pointing this out!
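The SSRF fix above boils down to one rule: a media uploader that downloads a user-supplied URL must not reach loopback, link-local or private addresses unless an administrator has explicitly enabled that. The following PHP is an added example written for this page; it is not Serendipity's own code and the option name `$allowLocalFetch` and the function names are assumptions. It shows a pre-fetch check that refuses non-web schemes and non-public targets by default, with constructed sample URLs.

```php
<?php
// Added example, not Serendipity's code: a pre-fetch check for a media uploader,
// modelled on the 2.0.4 change that refuses local targets unless an option is on.
// $allowLocalFetch (hypothetical) stands in for the new configuration option.

declare(strict_types=1);

/** True if $ip is loopback, link-local, private (RFC 1918 / fc00::/7) or reserved. */
function isNonPublicIp(string $ip): bool
{
    // FILTER_VALIDATE_IP with these flags returns false for private and reserved
    // IPv4 and IPv6 addresses, which is exactly the set refused by default.
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) === false;
}

/**
 * Decide whether $url may be fetched. Returns [bool $allowed, string $reason].
 * $allowLocalFetch mirrors the "enable fetching local files" option: false by default.
 */
function checkFetchTarget(string $url, bool $allowLocalFetch = false): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        return [false, 'URL could not be parsed'];
    }
    // Only plain web schemes: rules out file://, php://, gopher:// and similar
    // wrappers that file_get_contents() would otherwise open.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return [false, 'scheme not allowed: ' . $parts['scheme']];
    }
    if (empty($parts['host'])) {
        return [false, 'URL has no host'];
    }
    if ($allowLocalFetch) {
        return [true, 'local targets explicitly enabled by configuration'];
    }
    $host = trim($parts['host'], '[]'); // strip brackets from an IPv6 literal
    // A literal IP is checked directly; a hostname is resolved and every A record
    // is checked, since a name pointing at 10.0.0.5 is as risky as the bare IP.
    // gethostbynamel() returns IPv4 only (see the note below).
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : gethostbynamel($host);
    if (empty($ips)) {
        return [false, 'host does not resolve: ' . $host];
    }
    foreach ($ips as $ip) {
        if (isNonPublicIp($ip)) {
            return [false, "host resolves to non-public address $ip"];
        }
    }
    return [true, 'ok'];
}

// Constructed sample inputs; the literal-IP and scheme cases need no network.
$samples = [
    'http://203.0.113.7/image.png',   // TEST-NET-3 documentation address: allowed
    'http://127.0.0.1:8080/admin',    // loopback: refused by default
    'http://10.0.0.5/internal.jpg',   // RFC 1918: refused by default
    'http://[::1]/status',            // IPv6 loopback: refused by default
    'file:///etc/passwd',             // wrapper scheme: always refused
];
foreach ($samples as $url) {
    [$ok, $why] = checkFetchTarget($url);
    printf("%-32s %s (%s)\n", $url, $ok ? 'ALLOW' : 'DENY', $why);
}
```

Two caveats a practitioner should keep in mind: resolving the name here and letting the HTTP client resolve it again later leaves a window for DNS rebinding, so a robust fetcher connects to the address it validated (for example via cURL's `CURLOPT_RESOLVE`) and re-runs the check on every redirect hop instead of following redirects blindly; and `gethostbynamel()` only returns A records, so `dns_get_record($host, DNS_AAAA)` is needed to cover IPv6 names.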

Alongside it, a new Serendipity 2.1-beta2 version has been released, with the same fixes plus further progress on the road to the 2.1 release. Features like these have been added:

* New API wrapper for URL downloads that plugins can use (serendipity_request_url)
* Added new Theme "Skeleton" (responsive, mobile first)
* Improved preview iframe handling
* Changes (simplifications) in template file routing for backend/frontend views, new smarty {getFile} function for theme authors

Simply upgrade by unpacking and uploading the release file and confirming our web-based upgrader.

(MD5: edf8bf832bd1835fb4f769b682d37514)