Version 1.5.3.1: Fix Upload Security

Version 1.5.3.1 is a security update that fixes a vulnerability in the file upload and in the access to files. You should update to this latest version.

The version has the following changes:

  • Improved the file upload class so that files cannot be uploaded without successfully passing the extension and MIME type checks. See details on GitHub: https://github.com/typemill/typemill/issues/325.
  • Improved the htaccess so that certain file types can no longer be accessed.
  • Fixed errors with shortcodes that do not use any attributes.
  • Added an update for the NL translations.
  • Improved cypress tests.

Update your HTACCESS

Along with the usual update of the system folder within your Typemill installation, you should also update your htaccess file. Look for the block "FILE/FOLDER PROTECTION" in your htaccess and replace it with these rules:

# FILE/FOLDER PROTECTION

# Deny access to these file types generally
RewriteRule ^(.*)?\.yml$ - [F,L]
RewriteRule ^(.*)?\.yaml$ - [F,L]
RewriteRule ^(.*)?\.txt$ - [F,L]
RewriteRule ^(.*)?\.example$ - [F,L]
RewriteRule ^(.*)?\.git+ - [F,L]
RewriteRule ^(.*)?\.md - [F,L]
RewriteCond %{REQUEST_URI} !/index\.php
RewriteRule ^(.*)?\.ph - [F,L]
RewriteRule ^(.*)?\.twig - [F,L]
RewriteRule ^(media\/tmp\/) - [F,L]

# Block access to specific files in the root folder
RewriteRule ^(composer\.lock|composer\.json|\.htaccess)$ error [F,L]
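
To see which paths the updated block refuses before deploying it, the rules can be replayed offline. The Python sketch below is an added example, not part of Typemill: it approximates mod_rewrite's per-directory matching with Python's re module and assumes Typemill is installed in the web root. The sample paths are constructed.

```python
import re

# Rules copied in order from the FILE/FOLDER PROTECTION block above.
# Each entry: (RewriteRule pattern, negated RewriteCond on REQUEST_URI or None).
RULES = [
    (r"^(.*)?\.yml$", None),
    (r"^(.*)?\.yaml$", None),
    (r"^(.*)?\.txt$", None),
    (r"^(.*)?\.example$", None),
    (r"^(.*)?\.git+", None),
    (r"^(.*)?\.md", None),
    (r"^(.*)?\.ph", r"/index\.php"),  # RewriteCond %{REQUEST_URI} !/index\.php
    (r"^(.*)?\.twig", None),
    (r"^(media\/tmp\/)", None),
    (r"^(composer\.lock|composer\.json|\.htaccess)$", None),
]


def is_forbidden(request_uri):
    """Return True if the block would answer 403 Forbidden for request_uri.

    Assumption: the .htaccess sits in the web root, so the path the
    RewriteRule sees is the request URI without its leading slash.
    """
    rel = request_uri.lstrip("/")
    for pattern, unless_uri in RULES:
        if not re.search(pattern, rel):
            continue
        # A RewriteCond guards only the rule directly after it; here the
        # rule is skipped when the URI contains "/index.php".
        if unless_uri and re.search(unless_uri, request_uri):
            continue
        return True  # [F,L]: forbidden, stop processing
    return False


def audit(paths):
    """Map every path to True (403) or False (passed on to the application)."""
    return {p: is_forbidden(p) for p in paths}


# Constructed sample paths, not taken from a real installation.
SAMPLES = [
    "/index.php", "/settings/settings.yaml", "/composer.json", "/.git/config",
    "/media/tmp/image.png", "/media/live/image.png", "/media/files/script.phtml",
    "/content/00-welcome/index.md", "/themes/example/page.twig", "/readme.txt",
]

if __name__ == "__main__":
    for path, blocked in audit(SAMPLES).items():
        print(f"{'403' if blocked else 'ok ':4} {path}")
```

Run the same paths against the live site after the update (for example with curl) and compare the status codes, since the server's own configuration decides the real result.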