@garvinhicking garvinhicking released this Aug 16, 2018 · 10 commits to 2.1 since this release

Assets 3

This release addresses several security issues that have been reported to us by Hanno Boeck, Brian Carpenter, oreamnos and Julio Cesar. Many thanks for this!

More specifcally:

  • Ensure URL parameter casting for RSS and blog entry limits to prevent possible SQL injection inside the LIMIT statement part
  • Prevent XSS in the "Edit entries" panel
  • Prevent sending comment notifications to more than one email address
  • Disable exit.php-Tracking for open URL redirection, unless the trackexits plugin is specifically configured to do so

The release also addresses a new feature for a "legal" plugin property bag attribute (usable for GDPR/DSGVO plugin information) and by default disables subToMe service to prevent GDPR issues.

(MD5: 4e0fe2a842077293f0edd8cbe3e5e8d8)