Phproject v1.7.9 Release Notes
Release Date: 2020-04-21 // over 4 years ago-
๐ This release fixes an upgrade issue introduced in v1.7.8, and improves PHP 7.4 compatibility.
Thanks to @charisma2 for reporting the compatibility issue!
Previous changes from v1.7.8
-
๐ This security release fixes an issue allowing users with file upload permissions to upload and execute malicious files. It introduces a new configuration option,
security.file_blacklist
, which is a regular expression used to filter uploaded files by name. It also restricts access to uploaded files at the web server level, where supported.๐ง Users on nginx should add a new location block to their configuration:
location ~ ^/uploads/ { deny all; }
Big thanks to @niebardzo for reporting this issue, with an example of the exploit on our demo environment, and for responsible disclosure.
๐ See the Advisory