Version 1.5.3.1: Fix Upload Security
Version 1.5.3.1 is a security update that fixes a vulnerability in the file upload and in the access to files. You should update to this latest version.
The version has the following changes:
- Improved the file upload class so that files cannot be uploaded without successfully passing the check of extensions and mimetypes. See details on GitHub: https://github.com/typemill/typemill/issues/325.
- Improved the htaccess so no access to certain file types is possible anymore.
- Fixed errors with shortcodes that do not use any attributes.
- Added an update for the NL translations.
- Improved cypress tests.
# Update your HTACCESS
Along with the usual update of the system folder within your Typemill installation, you should also update your htaccess file. Please look for the block "FILE/FOLDER PROTECTION" in your htaccess and update it with these rules:
```apache
# FILE/FOLDER PROTECTION
# Deny access to these file types generally
RewriteRule ^(.*)?\.yml$ - [F,L]
RewriteRule ^(.*)?\.yaml$ - [F,L]
RewriteRule ^(.*)?\.txt$ - [F,L]
RewriteRule ^(.*)?\.example$ - [F,L]
RewriteRule ^(.*)?\.git+ - [F,L]
RewriteRule ^(.*)?\.md - [F,L]
RewriteCond %{REQUEST_URI} !/index\.php
RewriteRule ^(.*)?\.ph - [F,L]
RewriteRule ^(.*)?\.twig - [F,L]
RewriteRule ^(media\/tmp\/) - [F,L]
# Block access to specific files in the root folder
RewriteRule ^(composer\.lock|composer\.json|\.htaccess)$ error [F,L]
```
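To check which request paths the FILE/FOLDER PROTECTION rules above will refuse before deploying them, the following added example (not part of the Typemill release or its code) replays the same patterns in Python. It assumes Typemill is installed at the document root; the function name `is_forbidden` and the sample paths are constructed for illustration.

```python
import re

# Patterns copied from the FILE/FOLDER PROTECTION block above. In .htaccess
# context Apache matches them against the URL path without its leading slash
# (assumption: Typemill is installed at the document root).
DENY_RULES = [
    (r"^(.*)?\.yml$", None),
    (r"^(.*)?\.yaml$", None),
    (r"^(.*)?\.txt$", None),
    (r"^(.*)?\.example$", None),
    (r"^(.*)?\.git+", None),
    (r"^(.*)?\.md", None),
    # RewriteCond applies only to the rule directly after it: the condition
    # holds when REQUEST_URI does NOT contain /index.php.
    (r"^(.*)?\.ph", r"/index\.php"),
    (r"^(.*)?\.twig", None),
    (r"^(media\/tmp\/)", None),
    (r"^(composer\.lock|composer\.json|\.htaccess)$", None),
]


def is_forbidden(request_uri):
    """Return True if one of the rules would answer this path with 403 [F]."""
    path = request_uri.lstrip("/")
    for pattern, unless_uri in DENY_RULES:
        if unless_uri and re.search(unless_uri, request_uri):
            continue  # negated RewriteCond failed, so the rule is skipped
        if re.search(pattern, path):
            return True
    return False


# Constructed sample paths, not taken from a real installation.
SAMPLES = [
    "/settings/settings.yaml",
    "/media/tmp/upload.jpg",
    "/media/files/upload.phtml",
    "/index.php",
    "/composer.json",
    "/media/live/photo.jpg",
    "/content/readme.md",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{'403' if is_forbidden(uri) else 'ok':4} {uri}")
```

Because the `\.md`, `\.ph`, `\.twig` and `\.git+` patterns have no trailing `$`, they also refuse longer names such as `.mdx` or `.phtml`, while the `composer.json` rule is anchored to the root folder only.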