Version 1.5.3.1: Fix Upload Security

Version 1.5.3.1 is a security update that fixes a vulnerability in the file upload and in the access to files. You should update to this latest version.

The version has the following changes:

  • Improved the file upload class so that files cannot be uploaded without successfully passing the extension and MIME type checks. See details on GitHub: https://github.com/typemill/typemill/issues/325.
  • Improved the htaccess so that access to certain file types is no longer possible.
  • Fixed errors with shortcodes that do not use any attributes.
  • Added an update for the translations into NL.
  • Improved cypress tests.

# Update your HTACCESS

Along with the usual update of the system folder within your Typemill installation, you should also update your htaccess file. Please look for the block "FILE/FOLDER PROTECTION" in your htaccess and update it with these rules:

# FILE/FOLDER PROTECTION

# Deny access to these file types generally
RewriteRule ^(.*)?\.yml$ - [F,L]
RewriteRule ^(.*)?\.yaml$ - [F,L]
RewriteRule ^(.*)?\.txt$ - [F,L]
RewriteRule ^(.*)?\.example$ - [F,L]
RewriteRule ^(.*)?\.git+ - [F,L]
RewriteRule ^(.*)?\.md - [F,L]
RewriteCond %{REQUEST_URI} !/index\.php
RewriteRule ^(.*)?\.ph - [F,L]
RewriteRule ^(.*)?\.twig - [F,L]
RewriteRule ^(media\/tmp\/) - [F,L]

# Block access to specific files in the root folder
RewriteRule ^(composer\.lock|composer\.json|\.htaccess)$ error [F,L]
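
An offline check of what the rule block above denies, added here as an example (not Typemill's own code): it replays the patterns with Python's `re` against constructed request paths. It assumes the htaccess sits in the document root; `DENY_RULES`, `matching_rule` and `SAMPLES` are names chosen for this example.

```python
import re

# Rules from the FILE/FOLDER PROTECTION block, in order: (pattern, negated RewriteCond).
# The single RewriteCond applies only to the rule directly after it (\.ph).
DENY_RULES = [
    (r"^(.*)?\.yml$", None),
    (r"^(.*)?\.yaml$", None),
    (r"^(.*)?\.txt$", None),
    (r"^(.*)?\.example$", None),
    (r"^(.*)?\.git+", None),
    (r"^(.*)?\.md", None),
    (r"^(.*)?\.ph", r"/index\.php"),  # RewriteCond %{REQUEST_URI} !/index\.php
    (r"^(.*)?\.twig", None),
    (r"^(media\/tmp\/)", None),
    (r"^(composer\.lock|composer\.json|\.htaccess)$", None),
]

def matching_rule(request_path):
    """Return the first deny pattern that answers 403 for this URL path, else None.

    Assumption: the htaccess is in the document root, so mod_rewrite tests the
    path without its leading slash, while %{REQUEST_URI} keeps the slash.
    """
    per_dir_path = request_path.lstrip("/")
    for pattern, negated_cond in DENY_RULES:
        if not re.search(pattern, per_dir_path):
            continue
        if negated_cond and re.search(negated_cond, request_path):
            continue  # the "!" condition is not met, so this rule is skipped
        return pattern
    return None

# Constructed sample paths (not from the release note): True means 403 expected.
SAMPLES = {
    "/index.php": False,               # front controller, exempted by the RewriteCond
    "/media/live/picture.png": False,
    "/media/files/manual.pdf": False,
    "/settings/settings.yaml": True,
    "/content/index.md": True,
    "/media/files/upload.php": True,
    "/media/files/upload.phtml": True,  # \.ph is a prefix match
    "/media/files/database.mdb": True,  # \.md is a prefix match too
    "/media/tmp/picture.png": True,
    "/.git/config": True,
    "/composer.json": True,
}

if __name__ == "__main__":
    for path, expected in SAMPLES.items():
        print(path, "403" if matching_rule(path) else "pass", "expected 403:", expected)
```

Because `\.md` and `\.ph` are not anchored with `$`, they also deny longer extensions such as `.mdb` and `.phtml`, so check that no legitimate media file in your installation is caught by them.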
