Releases: getkirby/kirby
3.8.4.4
🚨 Security
Insufficient permission checks in the language settings
Severity: high (CVSS score 8.1)
Kirby's frontend and backend code did not enforce the existing languages.create
and languages.delete
permissions.
The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.
This vulnerability affects all Kirby sites with enabled languages
option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the languages
and/or api
option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.
Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
3.7.5.5
🚨 Security
Insufficient permission checks in the language settings
Severity: high (CVSS score 8.1)
Kirby's frontend and backend code did not enforce the existing languages.create
and languages.delete
permissions.
The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.
This vulnerability affects all Kirby sites with enabled languages
option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the languages
and/or api
option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.
Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
Important note: This release marks the end of security support for Kirby 3.7. This version of Kirby has now reached its end of life and will no longer receive any updates whatsoever, including security updates. Please update to a more recent Kirby release to stay secure.
➡️ Read more
3.6.6.6
🚨 Security
Insufficient permission checks in the language settings
Severity: high (CVSS score 8.1)
Kirby's frontend and backend code did not enforce the existing languages.create
and languages.delete
permissions.
The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage.
This vulnerability affects all Kirby sites with enabled languages
option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the languages
and/or api
option and don't call any methods in your code that cause a write access to languages (language creation, update or deletion), your site is not affected.
Thanks to Sebastian Eberlein of JUNO (@SebastianEberlein-JUNO) for reporting the identified issue.
Important note: This release marks the end of security support for Kirby 3.6. This version of Kirby has now reached its end of life and will no longer receive any updates whatsoever, including security updates. Please update to a more recent Kirby release to stay secure.
➡️ Read more
5.0.0-alpha.2
Pre-release notes: https://getkirby.com/buzz/v5-alpha
3.10.1
5.0.0-alpha.1
Pre-release notes: https://getkirby.com/buzz/v5-alpha
4.3.0
🎉 Features
- System view: added button to copy relevant system information #6416
<k-button>
:theme
supports values suffixed with-icon
now, e.g.positive-icon
for filled buttons with only the icon colored
<k-button icon="heart" theme="negative-icon" variant="filled">Love</k-button>
✨ Enhancements
- Remove hard-coded restriction of supported servers #6415
- Plugin registration with named arguments #6337 Allow passing plugin info, e.g. version, as argument that gets merged with the info from composer.json
Kirby::plugin(
name: 'my/plugin',
extends: [],
info: [
'homepage' => 'https://my-plugin.example.com'
],
version: '1.0.0'
);
- The update check in the Panel system view now offers free major updates if included in the activated license #5974
- New icons:
text-top
,text-middle
,text-bottom
https://feedback.getkirby.com/592 #6374
(video: )
KirbyTag: support fordisablepictureinpicture
attribute #6413- Editor: new
insertNode
util #6383 - CSS
data-theme
with color names #6407 - New
download
prop fork-link
(and respectivek-button
when passing a link) to set thedownload
attribute #6417 - Page section: Show Add button also in sections only showing listed/unlisted pages when all allowed blueprints create new child pages directly as listed/unlisted https://feedback.getkirby.com/181
- Dropdown options can emit global Panel events on click now, which can be used e.g. when extending setting dropdowns in a plugin to react in JS with an action when option is clicked https://feedback.getkirby.com/638 #6411
- Panel notifications support
theme
prop #6423 - New
window.panel.notification.info(message)
. #6423 - Upload dialog: better preview icons and separate components for upload items and a single upload item #6424
QrCode
class: methods accept new$border
argument #6445 (thanks @rasteiner)- Added lab examples for
k-login
andk-login-code
. #6365 - Updated PR template #6464
🐛 Bug fixes
- Editor:
nodeInputRule
only overwrites matched selection #6385 - Writer: inline nodes are included when
inline: true
mode is active #6386 - File
create
format
option is not applied to non-images anymore #6359 - Non existing media files no longer throw error 500: the thumbnail configuration could not be found #6453
- Fix deprecation warning in router #5895
- Panel search fixed when UUIDs are disabled (thanks to @toebu) #6395
- Fixes
Title
andLink text
translations for the different usages: #6402- Writer field email dialog has
Title
field - Textarea field email dialog has
Link text
field
- Writer field email dialog has
- File upload: fix sort number #6380
- Fix tab badges #6427
- CalendarInput: fix when no value #6422
- DateInput: fix clearing #6392
- Upload dialog: allows
@
,.
and_
in filenames to be consistent with other filename rules #6462 $file->changeName()
now sanitizes new filenames with.
included correctly #6462- Fix line break when label in block preview fields is too long (thanks @tobimori) #6452
☠️ Deprecated
- Plugin registration: Passing
info
orroot
in plugin extends array. Instead pass these as standalone named arguments. <k-login>
is deprecated. Use<k-login-form>
instead.<k-login-code>
is deprecated. Use<k-login-code-form>
instead.
♻️ Refactored
- Reusing link and button props in higher-up components #6417
- Introduce new
App::currentLanguage()
method #6434 - Refactor
App::language()
to introduce newcurrent
option which creates a more predicatable way to
fetch languages in content, translation and future version methods. #6434 - Clean up of components code for
k-login
andk-login-code
. #6365 - Moved all login-related Vue components into same location #6463
- Aligned some of the component names #6463
🧹 Housekeeping
4.2.0
🎉 Features
- New
api
option for Sections to define API endpoints just like for fields #6246
✨ Enhancements
<?php
return [
'thumbs' => [
'driver' => 'im',
'threads' => 2
]
];
- Video block now also supports local videos by default #6113
- Significantly improved file sorting performance (thanks @rasteiner) #6112
- The login form can now be prefilled for testing use cases with the new
value
prop of thek-login-view
component #6364 - Lab:
$helpers
docs #6257 #6287 - Improved Panel favicons for dark mode, including
media
attribute support for custom Panel favicons #5657 - Updated icons:
expand
,collapse
,divider
andchart
- Support non string scalar values in where clause builder for 2 arguments (thanks @SeriousKen) #6291
- Add native validity to
range
input #6253 - Added native validity to
calendar
,date
,time
,timoptions
inputs #6254 - Enhanced options for database table creation: #6303
- Adds
unsigned
option for integers. Defaults totrue
to maintain backwards compatibility. - Adds
size
option for varchars. Defaults to 255 to maintain backwards compatibility. - Adds
float
type to create a floating point columns. - Adds
decimal
type to create decimal columns withprecision
anddecimal_places
options. The new features are aimed at MySQL and are ignored in SQLite as they are not supported. Float and decimal both map toREAL
columns in SQLite.
- Adds
- Improve
k-user-avatar
#6325 - Translatable panel menu titles #6311
- Allow unknown file extensions to be selected in file open dialog (thanks to @rasteiner) #6263
- Added pagination to the file browser in the link field #6288
- Date and time field interpret a few more input formats correctly #6362
- Table layout: allow modifying default columns #6335
🐛 Bug fixes
A::prepend()
now behaves the same asA::append()
(just opposite side) for non-associative arrays #6219- Translatable range tooltip #6221
- Disabled inputs don't show placeholders anymore #6163
- Choice inputs have similar disabled styling as other fields
alpha
andhue
inputs: setting custommin
andmax
props would break the inputs. Those props aren't falsely exposed anymore. #6251colorname
input: props that were falsely exposed are now correctly unset #6255search
input: props that were falsely exposed are now correctly unset #6256- Fixed fallback
null
value forText\KirbyTag::parent()
#6220 - Fixed upgrade status for PHP version strings with extra information (thanks @SeriousKen) #6262
Database\Query
: Fixed usingBETWEEN
orNOT BETWEEN
in→where()
clause (thanks @SeriousKen) #6292- Database: Fixed handling of boolean values in prepared statements (thanks @SeriousKen) #6297
- Fix for
Date::round()
not taking timezone into account properly (thanks @SeriousKen) #6264 - Fix header offset when no sticky header #6283
- Fix
k-tabs
inline variable assignment #6324 - Writer field counter correctly strips HTML again #6323
- Keep title and slug when switching template in create dialog #6328
- Panel fields: fix direction for content language #6350
- Tags input: when creating a new tag, the input is now correctly split at the separator into multiple tags #6341
- Fix blocks styling inside layout column #6280
- Fixed page create dialog when used with pages section on user/file blueprint #6190
- Close all nested drawers when navigating #6274
- Object field: inline previews are not editable anymore when the subfield is disabled #6346
- Fix toggle field preview value error #6249
- Table: fix width for image and flag column on mobile #6228
♻️ Refactored
- Slight performance improvements for
Dir::inventory()
#6218 - Clean up
Cms\Blueprint
class #6206 - Fix
v-bind
order #6333 - Use
mounted
lifecycle hooks instead ofcreated
#6336
🧹 Housekeeping
- Unit tests: properly resetting error handlers (thanks to @SeriousKen) #6259
- Upgraded Psalm
- Added performance tests for
Dir::inventory()
with various number of page models #6218 - Added more explicit coverage annotations to
Options
,Query
,Text
and partiallyToolkit
packages tests, including additional tests for uncovered code #6220 - Lab: added GitHub source links for all helpers, libraries and CSS examples #6295
- Removed
Lab\Example::github()
linking to lab example file #6295
4.1.2
🐛 Bug fixes
- Don’t throw an exception in the
permalinksToUrls
method if a model for a UUID cannot be found #6165 - Don't redeclare the
dump
helper if it already exists. This fixes Kirby for Herd Pro users and other cases where dump is already defined by the environment #6250 - Fix emoji overflow issue in
k-icon-frame
#6315 - Fix commands for custom textarea buttons #6039
- More stability for the
toFiles
method by checking for valid file IDs #6318 - Suppress warnings in the Remote class if system CA is outside of
open_basedir
#6316 - Fix tables in the object field and license dialog #6307 and partially #6228
4.1.1
🚨 Security release
This release fixes several vulnerabilities that were all responsibly reported to us in February 2024:
- Unrestricted file upload of user avatar images (medium severity, CVSS score 4.6)
- Cross-site scripting (XSS) in the link field "Custom" type (medium severity, CVSS score 4.6)
- Self cross-site scripting (self-XSS) in the URL field (medium severity, CVSS score 4.2)
Thanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issues.
Updated docs on the Markdown safe mode
During our investigation of the security reports, we noticed that the documentation on the Markdown safe mode was inaccurate and incomplete.
The Markdown safe mode protects Markdown and KirbyText content from cross-site scripting (XSS) attacks. We have already documented the risk of raw HTML, however there are also risks in the Markdown syntax itself (e.g. malicious javascript:
links). These risks are also mitigated by the safe mode. So we strongly recommend this mode for all Kirby sites that might have potential attackers in the group of authenticated Panel users.
The documentation on the safe mode contained a wrong code example that used an invalid safeMode
option instead of the correct safe
option. This has now been corrected. If you already use the safe mode, please check your code.
➡️ Read more
✨ Enhancements
- New
$file->sharpen()
method for images #6227
🐛 Bug fixes
- Fixed
Str::excerpt()
for texts without spaces #6215 - Proper error message when a MIME type of a file is being validated but could not be determined from the file #6095
k-button-group
wrap with long label line. #6231- "Invalid Date" parsing dates in pages section with
layout: table
#6234 - Disable license dialog in demo mode #6271
- Emojis are now working in buttons and the
k-icon
component #6276