BookStack Beta v0.25.4

@ssddanbrown ssddanbrown released this 21 Mar 19:52
v0.25.4
c3e7421

Security Release

This release patches a security vulnerability that allowed PHP files with a non-.php extension to be uploaded via the image upload endpoints. Once uploaded, such files could be requested externally and executed by the web server to perform malicious activity.

This release continues the security updates introduced in v0.25.3. Please see that release for further information on this class of vulnerability.

This update applies a whitelist of permitted file extensions for uploaded images, so that PHP-like files such as .phtml or .php3 are rejected and cannot be executed by web servers configured to run such extensions.
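As an added illustration of the allowlist approach this release describes (example code, not BookStack's own implementation), the check below accepts only a fixed set of image extensions rather than trying to enumerate every PHP-like one. The allowed set, the helper names and the extra step of regenerating the stored filename are assumptions made for this example, not details taken from the release.

```python
import re
import secrets
from typing import Optional

# Assumed allowlist for this example; BookStack's real list is not stated in
# the release note. Anything outside this set is rejected, so variants such as
# .phtml, .php3 or .phar never need to be listed individually.
ALLOWED_IMAGE_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "webp"})

# An extension must be plain alphanumerics: this also rejects trailing spaces
# or NUL bytes smuggled into the extension.
_EXT_RE = re.compile(r"[a-z0-9]+")


def allowed_extension(filename: str) -> Optional[str]:
    """Return the lower-cased extension if it is allowlisted, else None."""
    # Strip any directory components the client may have sent.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    if not _EXT_RE.fullmatch(ext):
        return None
    return ext if ext in ALLOWED_IMAGE_EXTENSIONS else None


def safe_stored_name(filename: str, token: Optional[str] = None) -> Optional[str]:
    """Build the on-disk name from a random token plus the allowlisted extension.

    The user-supplied basename is discarded entirely, so a name such as
    'shell.php.jpg' cannot reach storage even though its final extension
    is allowed (some web servers map multi-extension names to handlers).
    """
    ext = allowed_extension(filename)
    if ext is None:
        return None
    token = token or secrets.token_hex(16)
    return f"{token}.{ext}"


def triage(filenames, token: str = "constructed-token"):
    """Constructed sample run: map each candidate upload name to its fate."""
    return {f: safe_stored_name(f, token=token) for f in filenames}


if __name__ == "__main__":
    for name, result in triage(["photo.JPG", "shell.phtml", "x.php3",
                                "shell.php.jpg", "noext"]).items():
        print(f"{name!r:20} -> {result or 'REJECTED'}")
```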