Releases: parse-community/parse-server

4.10.17

15 Oct 00:26

4.10.17 (2022-10-15)

Bug Fixes

  • server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests (GHSA-h423-w6qv-2wj3) (#8236) (3d7a61e)

5.2.8

14 Oct 22:55

5.2.8 (2022-10-14)

Bug Fixes

  • server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests (GHSA-h423-w6qv-2wj3) (#8235) (066f296)

5.3.0-alpha.28

11 Oct 22:37
5.3.0-alpha.28 Pre-release

5.3.0-alpha.28 (2022-10-11)

Features

  • liveQuery support for unsorted distance queries (#8221) (0f763da)

5.3.0-alpha.27

29 Sep 23:02
5.3.0-alpha.27 Pre-release

5.3.0-alpha.27 (2022-09-29)

Bug Fixes

  • authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) [skip release] (#8187) (8c8ec71)
  • session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects (GHSA-6w4q-23cf-j9jp) [skip release] (#8180) (37fed30)

Features

  • add option to change the default value of the Parse.Query.limit() constraint (#8152) (0388956)

5.2.7

20 Sep 20:44

5.2.7 (2022-09-20)

Bug Fixes

  • authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) (#8185) (ecf0814)

5.2.6

20 Sep 00:27

5.2.6 (2022-09-20)

Bug Fixes

  • session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects (GHSA-6w4q-23cf-j9jp) (#8182) (6d0b2f5)

4.10.16

20 Sep 20:57

4.10.16 (2022-09-20)

Bug Fixes

  • authentication adapter app ID validation may be circumvented; this fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) (#8186) (b3e7939)

4.10.15

20 Sep 00:34

4.10.15 (2022-09-20)

Bug Fixes

  • session object properties can be updated by foreign user; this fixes a security vulnerability in which a foreign user can write to the session object of another user if the session object ID is known; the fix prevents writing to foreign session objects (GHSA-6w4q-23cf-j9jp) (#8183) (7ca9ed0)

5.3.0-alpha.26

17 Sep 18:49
5.3.0-alpha.26 Pre-release

5.3.0-alpha.26 (2022-09-17)

Bug Fixes

  • sorting by non-existing value throws INVALID_SERVER_ERROR on Postgres (#8157) (3b775a1)

5.3.0-alpha.25

17 Sep 16:30
5.3.0-alpha.25 Pre-release

5.3.0-alpha.25 (2022-09-17)

Bug Fixes

  • updating object includes unchanged keys in client response for certain key types (#8159) (37af1d7)