This forum has moved, please join us on github discussions. We will keep these old posts available for reference. Thank you!

Apostrophe 2.92.0: bug fixes including an open redirect vulnerability, lean file uploads, and more

  • Bug fix: an open redirect vulnerability has been fixed. It was possible to convince Apostrophe to redirect to a third-party website by appending an escaped URL with a trailing slash added at the end. Apostrophe’s trailing-slash remover would then cause a redirect to the un-escaped version of the slug part of the URL. The fix removes all multiple-slash sequences from the slug part of the URL. This is not a security vulnerability impacting your site as such, but it does prevent phishing attacks that use your website’s URL to appear innocent. Thanks to Bharath for reporting this issue.
  • Bug fix: attempting to save a doc with a required array field without ever opening the array editor formerly caused strange behavior. You now get a standard indication that the field is required.
  • Feature: the method that supplies the choices for a dynamic select element may be a simple synchronous function, if desired. Formerly returning a promise (or using an async function) was mandatory.
  • Feature: apos.utils.post will now accept a FormData object as the data prameter. In this situation JSON encoding is not used. This may be used to easily submit file uploads with Apostrophe’s CSRF protection and is supported at least back to IE11.
1 Like