Kirby 2.5.7 is a bug fix release with a few additional smaller enhancements.
This is also a security release. It fixes two issues that have been reported to us recently:
- A directory traversal issue that would allow attackers to read any file of your Kirby installation via the plugin assets feature or the field assets feature. This issue affects all Kirby sites.
- A Cross-site Scripting (XSS) attack in the Panel that occurs when displaying specially prepared SVG images that have been uploaded as a content file. This issue only affects you if not all of your Panel users can be trusted or if you use a file upload form in the front-end that allows visitors to upload SVG files.
It is strongly recommended to update to one of the fixed Kirby versions.
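As an added example (not Kirby's own code; function and directory names are hypothetical), this is the kind of containment check that stops the asset-route traversal described above: the requested path is resolved against the real filesystem and served only if the result still lies inside the assets root.

```php
<?php
// Added example, not code from Kirby: confine a requested asset path to one
// base directory before serving it. All names here are hypothetical.
function resolveAssetPath(string $assetsRoot, string $requested): ?string
{
    // Null bytes and empty names are never valid file names.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $root = realpath($assetsRoot);
    if ($root === false) {
        return null; // assets directory does not exist
    }
    // realpath() resolves "..", "." and symlinks against the real filesystem,
    // so the check below sees the path that would actually be opened.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null; // unknown file, or a directory
    }
    // Compare with a trailing separator so "/srv/assets-private" is not
    // accepted as being inside "/srv/assets".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the assets root: traversal attempt
    }
    return $candidate;
}

// Constructed demo directory with a single real asset.
$root = sys_get_temp_dir() . '/asset-demo-' . uniqid();
mkdir($root . '/css', 0700, true);
file_put_contents($root . '/css/plugin.css', 'body { color: #333; }');

$requests = [
    'css/plugin.css',           // legitimate asset
    '../../../../etc/passwd',   // classic traversal, resolves outside the root
    'css/../../' . basename($root) . '/css/plugin.css', // normalises back inside
    'css',                      // a directory, not a file
];
foreach ($requests as $req) {
    $resolved = resolveAssetPath($root, $req);
    printf("%-50s => %s\n", $req, $resolved === null ? 'rejected' : 'served ' . $resolved);
}

// Clean up the demo directory.
unlink($root . '/css/plugin.css');
rmdir($root . '/css');
rmdir($root);
```

The third request shows why the decision is made on the resolved path rather than on the presence of `..` in the input: it normalises back inside the root and is legitimately served.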
- Fixed directory traversal issue in the field assets route
- Fixed XSS issue with displaying SVGs in the file views
- Better styling for readonly Structure fields in the table style #1111 #1114
- Allow users with the panel.user.update permission to update users even if they are not admins #1097
- Support replacing a user avatar with one of a different file type #1103
- Fixed file upload issues in IE 11 #1042
- Added a "default" option for the User field #810
- The Radiobuttons and Checkboxes fields now also validate if there is no option available so that the page can be saved in this situation (making the field required is unaffected) #1073
- Don't warn about missing license on .localhost testing domains #1102
- Stop form events from being registered multiple times
- Fixed directory traversal issue in the plugin assets route
- Don't redirect to the homepage if an invalid URL is accessed in multilang sites with no language at the domain root #609
- $pages->findByURI($uri) no longer returns the parent page if a URI like projects/projects is given and that page itself doesn't exist #605
- Trim trailing slashes in multilang URL config to prevent double slashes #604
- Fixed infinite recursion in the folder::copy($to) method when copying a folder into itself #258
- Don't trim trailing slashes in URL paths when using the url::path($url = null) and url::build($parts = array(), $url = null) methods #259
- IDN URL methods: Upgraded to UTS #46 encoding variant to avoid the deprecation warnings in PHP 7.2 #608