2.1.0 (2024-04-10)
Security fix
- Fix a security vulnerability where a file processed through Timber image operations could possibly execute arbitrary code in certain circumstances (13c6b0f).
Details
The vulnerability could be exploited if your website processes user file inputs (like a form upload) or sideloaded images directly with one of the Timber image operations like Resize, Letterbox, Retina, ToJpg or ToWebp without prior checks whether the uploaded files are really images. We couldn’t replicate the vulnerability in a default WordPress installation, where a user uploads files through the media library. But there could be cases where your website might be vulnerable if a user can upload files in another way.
Important
This vulnerability only exists for websites running on PHP 7.4.
Features
- Add new
timber/cache/transient_keyfilter to cache methods for transient key used for caching (#2878) (b347677) - Add new
timber/image_helper/sideload_image/basenamefilter for sideloaded images basename (e4ff72f) - Add new
timber/output/pre-cachfilter to$outputbefore it is cached (#2910) (d1356fd) - Add
User::is_current()andUser::profile_link()methods (#2924) (b048da8) - Add WordPress escaping functions via Twig filters (#2933) (a88aa00)
- Allow pagination object to be generated using
$prefsonly (99219a9) and (2834fd4) - Bump php-stubs/acf-pro-stubs to ^6.0 (ac17052)
- Update ECS config and apply standards (#2893) (71111e1)
Bug Fixes
- Add classes in
MenuItem(#2905) (7e00eeb) - Allow overwrite of default avatar in comments. (#2786) (9c6e0e3), closes #2468
- Fix minor coding style issue in loader.php to make ECS happy (#2950) (6e8b6ab)
- Ignore
acf_get_field_typevoid errors (441ef9e) - Make
PostIterator::last_post()nullable (#2918) (064dde7) - Prevent unneeded blog switching in multisite env (#2781) (d81f995)
- Fix unnecessary lowercasing parameters in
Timber\URLHelper(#2877) (664ea62) - Fix some file permissions in docs (#2842) (337d54d)
- Tests: Split test running for integrations (plugins) (#2904) (8d03809)
- Tests: Fix tests failing since Twig 3.8.0 (#2895) (f4a233e)
- Tests: Fix missing constants in static analysis test (ae50ccd)
- Tests: Use new filter in tests (c12e9af)
- Tests: Fix phpstan tests by (#2886)
- Docs: Simplify an if-check in the ACF docs (96d2874)
Miscellaneous Chores
- Add script descriptions in Composer file (#2951) (5785128)
- Add Timber authors (567475e)
- Create SECURITY.md (#2939) (be36065)
- Remove Lando config (#2899) (6fa8ffc)
- Update links in CONTRIBUTING.md (3b2c855)
- deps: bump lycheeverse/lychee-action from 1.8.0 to 1.9.1 (1ca79af)
- deps: bump lycheeverse/lychee-action from 1.9.1 to 1.9.3 (#2907) (eecfb03)
- deps: bump peter-evans/create-issue-from-file from 4 to 5 (#2906) (64703f8)
- deps: bump ramsey/composer-install from 2 to 3 (#2941) (97010c4)
- deps: bump tj-actions/changed-files from 39 to 42 (964f11a)
New Contributors
- @expedition-robin-martijn made their first contribution in #2877
- @rubas made their first contribution in #2918
- @jl-a made their first contribution in #2910
- @phasdev made their first contribution in #2863
- @ecupaio made their first contribution in #2945
- @jasalt made their first contribution in #2962
- @Sonicrrrr reported a security vulnerability. Thanks!
- @dependabot made their first contribution in #2885
- @github-actions made their first contribution in #2913
Full Changelog: 2.0.0...v2.1.0
Contributors
rubas, jasalt, and 6 other contributors