BookStack v0.25.4 Release Notes
Release Date: 2019-03-21
Security Release
🚀 This release patches a security vulnerability that allowed PHP files, using a non-.php extension, to be uploaded via image upload endpoints. The PHP files could then be called externally to perform malicious activity.
🚀 This is a continuation of the security updates enforced in v0.25.3. Please see that release for further information on this kind of vulnerability.
⚡️ This update applies a whitelist to file extensions for uploaded images to ensure php-like files, such as .phtml or .php3, cannot exploit web servers that execute such files.
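
The following is an added example, not BookStack's own code: a PHP sketch contrasting a check that rejects only the .php extension with an extension whitelist of the kind described above. The function names, the whitelist contents and the sample filenames are assumptions constructed for illustration.

```php
<?php
// Added example; not taken from the BookStack code base.
// Assumed whitelist of image extensions (contents are illustrative).
const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'webp'];

/** Return the lower-cased final extension of an upload name ('' if none). */
function uploadExtension(string $filename): string
{
    // basename() drops any directory part a client may have sent.
    return strtolower(pathinfo(basename($filename), PATHINFO_EXTENSION));
}

/** Denylist stand-in: rejects only ".php", so PHP-like extensions slip through. */
function passesPhpDenylist(string $filename): bool
{
    return uploadExtension($filename) !== 'php';
}

/** Whitelist check: accepts only names whose final extension is a known image type. */
function passesImageWhitelist(string $filename): bool
{
    // Strict comparison: '' (no extension) never matches a whitelist entry.
    return in_array(uploadExtension($filename), ALLOWED_IMAGE_EXTENSIONS, true);
}

// Constructed sample upload names, including the extensions named in the notes.
$samples = [
    'photo.PNG',      // upper-case image extension
    'diagram.jpeg',
    'upload.php',
    'upload.phtml',
    'upload.php3',
    'notes',          // no extension at all
    'image.png.',     // trailing dot leaves an empty extension
];

printf("%-14s %-9s %s\n", 'filename', 'denylist', 'whitelist');
foreach ($samples as $name) {
    printf(
        "%-14s %-9s %s\n",
        $name,
        passesPhpDenylist($name) ? 'accept' : 'reject',
        passesImageWhitelist($name) ? 'accept' : 'reject'
    );
}
```

The denylist column accepts upload.phtml and upload.php3, while the whitelist column accepts only photo.PNG and diagram.jpeg.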