v1.0.469 Released on September 7, 2020


API Changes

  • .svg has been removed from the default list of allowed extensions for uploading for security reasons; it will be re-added in Build 1.1.1 alongside sanitization to protect against XSS attacks. Use storage.media.defaultExtensions to override the default list of allowed extensions if you need to re-add support for it, at your own risk.
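The override described above, as an added illustration rather than Winter's shipped configuration file. It assumes the cms.* keys live in config/cms.php and that the key is read as a plain array of lowercase extensions; the extension list itself is constructed for the example, so compare it against the default the build ships with before copying it.

```php
<?php
// config/cms.php (assumed location of the cms.* configuration keys)
return [
    // ... other cms.* settings ...

    'storage' => [
        'media' => [
            'disk'   => 'local',
            'folder' => 'media',
            'path'   => '/storage/app/media',

            // Replaces the built-in upload allowlist entirely, so every extension
            // that should remain allowed has to be listed here. This list is
            // constructed for the example, not the project's default.
            'defaultExtensions' => [
                'jpg', 'jpeg', 'png', 'gif', 'webp', 'ico',
                'pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'txt',
                'mp3', 'mp4', 'ogg', 'webm',
                'zip',
                // 'svg' is deliberately absent: an SVG is an XML document that
                // can embed script, so serving uploaded SVGs inline is an XSS
                // vector until Build 1.1.1 adds sanitization. Re-add it only
                // if you accept that risk for your site.
            ],
        ],
    ],
];
```

Because the key overrides rather than merges, an empty or partial array silently drops formats that were previously accepted; keep the full list in version control and review it whenever the shipped default changes.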
  • $fileName was removed as a parameter for the Winter\Storm\Halcyon\Builder->delete() method as it wasn't actually being used internally and had no effect.
  • Partials included via $this->renderPartial(), {% partial 'path/to/partial' %}, and {% include 'path/to/partial' %} now properly block all extensions other than .htm by default.
  • Attempting to load and render partials from outside of the theme using the CMS Twig engine will no longer work (note: this was never officially supported; it was a bug that it ever worked in the first place). If you are trying to render Twig from outside the theme, you should always use the System Twig engine instead of the CMS one by calling \Twig::parse($templateContents, $templateVars);
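The two rules these items describe (only .htm partials, and only partials that resolve inside the theme) are the same class of check that closes the FileDatasource issue listed under Security Improvements. The function below is an added illustration of how such a check is enforced on a candidate path; it is not Winter's own implementation, and the function name and the partials/ sub-directory layout are assumptions for the example. The temporary theme directory it builds is constructed so the script runs offline.

```php
<?php
// Added illustration, not Winter CMS code. Resolves a partial name to a file
// path only if it stays inside the theme's partials/ directory and ends in .htm.
function resolveThemePartial(string $themeDir, string $partial): ?string
{
    $partialsRoot = realpath($themeDir . '/partials');
    if ($partialsRoot === false) {
        return null; // theme has no partials directory
    }

    // Rule 1: only .htm is allowed. A name without an extension gets .htm
    // appended; any other extension (.php, .txt, ...) is rejected outright.
    $ext = pathinfo($partial, PATHINFO_EXTENSION);
    if ($ext === '') {
        $partial .= '.htm';
    } elseif ($ext !== 'htm') {
        return null;
    }

    // realpath() collapses "." and ".." segments and follows symlinks, so the
    // containment test below runs on the path that would actually be opened.
    $candidate = realpath($partialsRoot . '/' . $partial);
    if ($candidate === false) {
        return null; // file does not exist
    }

    // Rule 2: the resolved file must sit under the partials directory. The
    // trailing separator stops a sibling such as ".../partials-old/x.htm"
    // from matching the ".../partials" prefix.
    $prefix = $partialsRoot . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Constructed temporary theme layout for the demo:
//   $tmp/theme/partials/header.htm   (a legitimate partial)
//   $tmp/outside.htm                 (an .htm file outside the theme)
$tmp = sys_get_temp_dir() . '/partial-demo-' . bin2hex(random_bytes(4));
mkdir($tmp . '/theme/partials', 0700, true);
file_put_contents($tmp . '/theme/partials/header.htm', '<h1>{{ title }}</h1>');
file_put_contents($tmp . '/outside.htm', 'not a partial');

$theme = $tmp . '/theme';

// The plain name and the explicit .htm name both resolve to the same file.
$resolved = resolveThemePartial($theme, 'header');
if ($resolved === null || $resolved !== resolveThemePartial($theme, 'header.htm')) {
    throw new RuntimeException('legitimate partial was not resolved');
}

// A different extension is refused even though the base name exists.
if (resolveThemePartial($theme, 'header.php') !== null) {
    throw new RuntimeException('non-.htm extension was accepted');
}

// A name that resolves to an existing .htm file outside partials/ is refused
// by the containment check, not merely because the file is missing.
if (resolveThemePartial($theme, '../../outside') !== null) {
    throw new RuntimeException('path outside the theme was accepted');
}

echo "all partial checks behaved as expected: {$resolved}\n";

// Clean up the constructed directory.
unlink($tmp . '/theme/partials/header.htm');
unlink($tmp . '/outside.htm');
rmdir($tmp . '/theme/partials');
rmdir($tmp . '/theme');
rmdir($tmp);
```

The order matters: the extension test runs on the caller-supplied name before any filesystem access, and the containment test runs on the realpath() result rather than on the string the caller supplied, so "../" segments and symlinks cannot slip past a comparison done on the unresolved string.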

Bug Fixes

  • Fixed an issue where cookies generated at some point between the pre-Laravel 5.5.* cookie security fix and the latest cookie security fixes in Build 1.0.468 could fail to be processed correctly.
  • Fixed an issue where some SystemExceptions included unfiltered user input in the response to the browser. This was not exploitable, but it led security researchers to believe they had found an XSS vulnerability, which then took resources to explain. Any potential XSS is now stripped from SystemException messages.

Security Improvements

  • Fixed issue where the FileDatasource could be abused to load files outside of the intended location.
  • Fixed issue where the Twig sandbox could be escaped allowing users with access to Twig templates to define and run PHP code.

Community Improvements

  • Winter has moved to a slightly different versioning scheme: major changes such as Laravel framework upgrades will now be indicated by the "minor" version number, and the build / patch number will reset on every increment of the minor version number. Winter builds from initial conception to Laravel 5.5 EOL will be the v1.0.319 to v1.0.469 range, and the Laravel 6 upgrade will be v1.1.0. EOL branches will not be supported with bug fixes or feature additions, but will continue to have security issues in Winter code only (i.e. security fixes for dependencies will not be included) fixed as they are reported to the core team through our Security Policy.
