v1.7.8

@Alanaktion Alanaktion released this 20 Apr 23:09
102 commits to master since this release

This security release fixes an issue that allowed users with file upload permissions to upload files and have them executed on the server. It introduces a new configuration option, security.file_blacklist, a regular expression matched against the names of uploaded files; uploads whose names match are rejected. It also restricts direct access to the uploads directory at the web server level, where the web server supports it.

Users on nginx should add a new location block to their configuration:

location ~ ^/uploads/ {
    deny all;
}
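The name filter described above works as a regular expression applied to the client-supplied file name. The following is an added, stand-alone illustration of that kind of check, written in Python for clarity; it is not Phproject's own code, and the pattern in BLACKLIST_PATTERN is a constructed example, not the project's shipped default for security.file_blacklist. It also shows two details a reviewer would look for in such a filter: matching case-insensitively, and matching the blacklisted extension anywhere in the name rather than only at the end.

```python
import os
import re

# Constructed example pattern (assumption, not Phproject's default): reject a
# server-executable or browser-active extension anywhere in the name, so that
# "avatar.php.jpg" is caught as well as "avatar.php".
BLACKLIST_PATTERN = r"\.(php\d?|phtml|phar|phps|html?|htaccess|svg|exe)(\.|$)"


def is_filename_allowed(filename: str, pattern: str = BLACKLIST_PATTERN) -> bool:
    """Return True if the uploaded file name passes the blacklist regex.

    The regex is applied case-insensitively to the final path component of
    the name the client supplied; any match means the upload is rejected.
    """
    # Keep only the last path component so a name carrying directory
    # separators cannot place the file outside the uploads directory.
    name = os.path.basename(filename.replace("\\", "/"))
    # Reject empty names and dotfiles such as ".htaccess" outright.
    if not name or name.startswith("."):
        return False
    return re.search(pattern, name, re.IGNORECASE) is None


def filter_uploads(filenames, pattern=BLACKLIST_PATTERN):
    """Split a batch of candidate names into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for candidate in filenames:
        target = accepted if is_filename_allowed(candidate, pattern) else rejected
        target.append(candidate)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input for a quick run.
    sample = ["report.pdf", "photo.jpeg", "shell.php", "image.php.jpg", ".htaccess"]
    ok, bad = filter_uploads(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```

A name blacklist is allow-by-default: anything the pattern does not anticipate gets through, which is why the release pairs it with the web server deny rule on the uploads directory as a second, independent layer.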

Big thanks to @niebardzo for reporting this issue, with an example of the exploit on our demo environment, and for responsible disclosure.

See the Advisory