ยซ Changelog History


Phproject v1.7.8 Release Notes

Release Date: 2020-04-20 // almost 4 years ago

  • ๐Ÿš€ This security release fixes an issue allowing users with file upload permissions to upload and execute malicious files. It introduces a new configuration option, security.file_blacklist, which is a regular expression used to filter uploaded files by name. It also restricts access to uploaded files at the web server level, where supported.

    ๐Ÿ”ง Users on nginx should add a new location block to their configuration:

    location ~ ^/uploads/ { deny all; }

    Big thanks to @niebardzo for reporting this issue, with an example of the exploit on our demo environment, and for responsible disclosure.

    ๐Ÿ”’ See the Advisory