Chevereto v3.20.12

Status
Not open for further replies.

Rodolfo

⭐ Chevereto Godlike
Chevereto Staff
Administrator

3.20.12

2021-09-23
  • Added extra checking for unwanted file extensions
  • Added hardened Apache HTTP Server rules [13774]
  • Added support for animated WebP [13775]
  • Added update override .htaccess
  • Fixed bug affecting embed codes [13742]
  • Fixed bug affecting Google services [13735]
  • Fixed bug with disabled posix-getpwuid [13728]
  • Fixed bug in conflicting psr/cache version
  • Fixed self-XSS in duplicated uploads [13713]
  • Removed URL upload functionality
  • Updated Czech translation
  • Updated dependencies
 

Rodolfo

⭐ Chevereto Godlike
Chevereto Staff
Administrator
🚨 For this revision we added more checking on the uploaded files and we hardened .htaccess restrictions in the public upload paths and in the application directories. This will make your websites a lot safer.

Note: Due to the self-update procedure these changes won't be reflected in your installation (as the update system was just "updated"). Kindly manually update the following:
  • app/.htaccess
  • content/.htaccess
  • images/.htaccess
  • importing/.htaccess
  • lib/G/.htaccess
  • .htaccess
👉 You will be able to find these files in your download.
 

Rodolfo

⭐ Chevereto Godlike
Chevereto Staff
Administrator
🌠 We added support for animated WebP images.

Note: This is only available when using ImageMagick as GD doesn't support it yet. Another good reason to switch to ImageMagick!
 

Rodolfo

⭐ Chevereto Godlike
Chevereto Staff
Administrator
👮‍♀️ We removed the functionality that skipped .htaccess updates; we had to do it for security reasons as we need to push updates on these sensitive files. The system will overwrite any previous .htaccess application file you may have edited.

👉 You are entitled to modify these files after each update, and if you want to save yourself the hassle, we recommend that you edit these rules in your Virtual Host configuration.
 

Rodolfo

⭐ Chevereto Godlike
Chevereto Staff
Administrator
🐞 For this revision we patched a lot of bugs (4).

👏 Many thanks to all the users who took the time to report these and help us to deliver better software. We also fixed a minor self-XSS vulnerability.
 

Rodolfo

⭐ Chevereto Godlike
Chevereto Staff
Administrator
🚫 We removed the remote URL upload functionality. We did this for security reasons until we find a safer way to provide this functionality.

👉 We encourage all users not to re-enable this functionality. This is for your own safety.
 

Rodolfo

⭐ Chevereto Godlike
Chevereto Staff
Administrator
Finally, we updated the 🇨🇿 Czech translation and all the dependencies.

🤗 Hope you enjoy this update!
 

Rodolfo

⭐ Chevereto Godlike
Chevereto Staff
Administrator
🐞 Remark on previous bugs

1. If you encounter this error when updating (HTTP, CLI):

Exception [403]: Can't update <FILE PATH> file - php:www-data>copy(<FILENAME>): failed to open stream: No such file or directory

^^^ Note that this is caused by a bug present in V3.20.10. You can either update manually (download zip, upload) or open app/install/update/updater.php and change this:

PHP:
$itemFilename = $item->getFilename();

To this:

PHP:
$itemFilename = $item->getRealPath();

2. If you want to save yourself the hassle of manually uploading the updated .htaccess files:

Open app/install/update/updater.php and change this:

PHP:
            if (!preg_match('/\.htaccess$/'

To this:

PHP:
            if (!preg_match('/\.htaccessnope$/'


If you still have issues with this don't hesitate to open a Ticket.
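
To confirm that the manual .htaccess update listed in this thread was actually applied, the following added example (not part of the original posts and not Chevereto code) compares the six files named above against the copies in the extracted download. The two directory arguments and the script name are assumptions supplied by the operator.

```shell
#!/bin/sh
# Added example: compare the six .htaccess files named in the 3.20.12
# release post against the copies shipped in the extracted download.
# Both directory arguments are assumptions supplied by the operator.

# Relative paths listed in the release post.
HTACCESS_FILES="app/.htaccess content/.htaccess images/.htaccess importing/.htaccess lib/G/.htaccess .htaccess"

# check_htaccess INSTALL_DIR DOWNLOAD_DIR
# Prints one status line per file; returns 0 only if every file matches.
check_htaccess() {
    install_dir=$1
    download_dir=$2
    rc=0
    for rel in $HTACCESS_FILES; do
        live="$install_dir/$rel"
        ref="$download_dir/$rel"
        if [ ! -f "$ref" ]; then
            echo "NOREF    $rel (not found in download, check the path)"
            rc=1
        elif [ ! -f "$live" ]; then
            echo "MISSING  $rel (not present in installation)"
            rc=1
        elif cmp -s "$live" "$ref"; then
            echo "OK       $rel"
        else
            echo "STALE    $rel (differs from download)"
            rc=1
        fi
    done
    return $rc
}

# Run only when both directories are given, e.g. (hypothetical paths):
#   sh check_htaccess.sh /var/www/chevereto /tmp/chevereto-3.20.12
if [ $# -eq 2 ]; then
    check_htaccess "$1" "$2"
fi
```

A STALE result on a file you deliberately customised after the update is expected; diff it against the download to confirm your edits kept the new rules.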
 