Chevereto v3.20.12


Rodolfo

⭐ Chevereto Godlike
Chevereto Staff
Administrator

3.20.12

2021-09-23
  • Added extra checking for unwanted file extensions
  • Added hardened Apache HTTP Server rules [13774]
  • Added support for animated WebP [13775]
  • Added update override .htaccess
  • Fixed bug affecting embed codes [13742]
  • Fixed bug affecting Google services [13735]
  • Fixed bug with disabled posix-getpwuid [13728]
  • Fixed bug in conflicting psr/cache version
  • Fixed self-XSS in duplicated uploads [13713]
  • Removed URL upload functionality
  • Updated Czech translation
  • Updated dependencies
 
🚨 For this revision we added more checking on the uploaded files and we hardened .htaccess restrictions in the public upload paths and in the application directories. This will make your websites a lot safer.

Note: Due to the self-update procedure these changes won't be reflected in your installation (as the update system was just "updated"). Kindly manually update the following:
  • app/.htaccess
  • content/.htaccess
  • images/.htaccess
  • importing/.htaccess
  • lib/G/.htaccess
  • .htaccess
👉 You will be able to find these files in your download.
 
🌠 We added support for animated WebP images.

Note: This is only available when using ImageMagick as GD doesn't support it yet. Another good reason to switch to ImageMagick!
 
👮‍♀️ We removed the functionality that skipped .htaccess updates. We had to do it for security reasons, as we need to push updates on these sensitive files. The system will overwrite any previous .htaccess application file you may have edited.

👉 You are entitled to modify these files after each update, and if you want to save the hassle we recommend editing these rules in your Virtual Host configuration.
 
🐞 For this revision we patched a lot of bugs (4).

👏 Many thanks to all the users who took the time to report these and help us to deliver better software. We also fixed a minor self-XSS vulnerability.
 
🚫 We removed the remote URL upload functionality. We did this for security reasons until we find a safer way to provide this functionality.

👉 We encourage all users not to re-enable this functionality. This is for your own safety.
 
Finally, we updated the 🇨🇿 Czech translation and all the dependencies.

🤗 Hope you enjoy this update!
 
🐞 Remark on previous bugs

1. If you encounter this error when updating (HTTP, CLI):

Exception [403]: Can't update <FILE PATH> file - php:www-data>copy(<FILENAME>): failed to open stream: No such file or directory

Note that this is caused by a bug present in V3.20.10. You can either update manually (download zip, upload) or open app/install/update/updater.php and change this:

PHP:
$itemFilename = $item->getFilename();

To this:

PHP:
$itemFilename = $item->getRealPath();

2. If you want to save yourself the hassle of manually uploading the updated .htaccess files:

Open app/install/update/updater.php and change this:

PHP:
            if (!preg_match('/\.htaccess$/'

To this:

PHP:
            if (!preg_match('/\.htaccessnope$/'


If you still have issues with this don't hesitate to open a Ticket.
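
To confirm that the six .htaccess files listed in the announcement above actually match the ones shipped in the download, after either a manual copy or an updater run, the following check can be used. It is an added example, not part of the original post and not Chevereto's own code. Assumptions: the two directory arguments (web root and extracted download) are supplied by the operator, and the function name and status labels are made up for this example.

```shell
#!/bin/sh
# Added example: compare the installed .htaccess files against the copies
# in the extracted 3.20.12 download and report any that still need updating.

# Relative paths taken from the announcement's manual-update list.
HTACCESS_FILES="app/.htaccess content/.htaccess images/.htaccess importing/.htaccess lib/G/.htaccess .htaccess"

# check_htaccess INSTALL_DIR RELEASE_DIR   (hypothetical helper name)
# Prints one status line per file and returns the number of files
# that are missing, outdated, or have no reference copy to compare with.
check_htaccess() {
    install_dir=$1
    release_dir=$2
    pending=0
    for rel in $HTACCESS_FILES; do
        if [ ! -f "$release_dir/$rel" ]; then
            # The download directory is incomplete or the wrong path was given.
            echo "NO-REFERENCE $rel"
            pending=$((pending + 1))
        elif [ ! -f "$install_dir/$rel" ]; then
            # The restriction file is absent from the live installation.
            echo "MISSING $rel"
            pending=$((pending + 1))
        elif cmp -s "$install_dir/$rel" "$release_dir/$rel"; then
            echo "OK $rel"
        else
            # Present but different: old rules or local edits.
            echo "OUTDATED $rel"
            pending=$((pending + 1))
        fi
    done
    return "$pending"
}

# Usage: sh check_htaccess.sh /path/to/webroot /path/to/extracted-download
if [ "$#" -eq 2 ]; then
    check_htaccess "$1" "$2"
fi
```

A non-zero exit status is the count of files needing attention. A file you edited on purpose after updating also shows as OUTDATED, so review it with diff before overwriting it.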
 