Winter v1.0.469

Released on September 7, 2020
Review another release

v1.2 (Laravel 9)
v1.2.5
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0

v1.1 (Laravel 6)
v1.1.10
v1.1.9
v1.1.8
v1.1.7
v1.1.6
v1.1.5
v1.1.4
v1.1.3
v1.1.2
v1.1.1
v1.1.0

v1.0 (Laravel 5.5)
v1.0.475
v1.0.474
v1.0.473
v1.0.472
v1.0.471
v1.0.470
v1.0.469
v1.0.468
v1.0.467
v1.0.466
v1.0.465
v1.0.464
v1.0.463
v1.0.462
v1.0.461
v1.0.460
v1.0.459
v1.0.458
v1.0.457
v1.0.456
v1.0.455
v1.0.454
v1.0.453
v1.0.452
v1.0.451
v1.0.450
v1.0.449
v1.0.448
v1.0.447
v1.0.446
v1.0.445
v1.0.444
v1.0.443
v1.0.442
v1.0.441
v1.0.440
v1.0.439
v1.0.438
v1.0.437
View on GitHub CMS Changes Framework Changes

API Changes

  • .svg has been removed from the default list of allowed extensions for uploading for security reasons, will be re-added in Build 1.1.1 alongside sanitization to protect against XSS attacks. Use storage.media.defaultExtensions to override the default list of allowed extensions in order to re-add support for it at your own risk.
  • $fileName was removed as a parameter for the Winter\Storm\Halcyon\Builder->delete() method as it wasn't actually being used internally and had no effect.
  • Partials included via $this->renderPartial(), {% partial 'path/to/partial' %}, and {% include 'path/to/partial %} now properly block all extensions other than .htm by default.
  • Attempting to load & render partials from outside of the theme using the CMS Twig engine will no longer work (note, this was never officially supported, it was a bug that it ever worked in the first place). If you are trying to render Twig from outside the theme you should always use the System Twig engine instead of the CMS one by calling \Twig::parse($templateContents, $templateVars);)

Bug Fixes

  • Fixed issue where cookies that were generated at some point between pre-Laravel 5.5.* cookie security fix and the latest cookie security fixes in Build 1.0.468 could fail to be processed correctly.
  • Fixed an issue where some SystemExceptions include unfiltered user input in the response to the browser, which would cause security researchers to think that they've found a XSS vulnerability which would then take resources to explain how it wasn't exploitable by just stripping any potential XSS from SystemException messages.

Security Improvements

  • Fixed issue where the FileDatasource could be abused to load files outside of the intended location.
  • Fixed issue where the Twig sandbox could be escaped allowing users with access to Twig templates to define and run PHP code.

Community Improvements

  • Winter has moved to a slightly different versioning scheme, major changes such as Laravel framework upgrades will now be indicated by the "minor" version number, and the build / patch number will reset on every increment of the minor version number. Winter builds from initial conception to Laravel 5.5 EOL will be the v1.0.319 to v1.0.469 range, and the Laravel 6 upgrade will be v1.1.0. EOL branches will not be supported with bug fixes or feature additions, but will continue to have security issues IN winter CODE ONLY (i.e. security fixes for dependencies will not be included) fixed as they are reported to the core team through our Security Policy.

Keep informed

Sign up to our newsletter and receive updates on Winter releases, new features in the works, plugin and theme promotions and much more!