
Security patch: empty salt was usable

@Xenthys Xenthys released this 07 Sep 09:28
· 20 commits to master since this release
7e9948d

A configured salt is now required for generating security keys. That was not the case before this commit.
According to the comment above the SALT definition, leaving it empty was supposed to disable the feature. Instead, the feature stayed enabled with the empty salt, so the generated security keys were completely predictable and were still accepted as valid, rather than no key being returned at all. Note that commenting out the define did disable the feature properly.

If you do not update and your salt is empty, either remove or comment out the define, or set a proper one immediately.
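The distinction the patch makes (an undefined salt and an empty salt must both disable key generation), as an added example that is not the project's own code; the configuration layout, the HMAC-SHA256 construction and the sample values are assumptions for illustration:

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the project's configuration: the key is the
# constant name, the value what it was defined as. A missing key models a
# commented-out define; an empty string models a define with an empty salt.
CONFIG_MISSING = {}
CONFIG_EMPTY = {"SALT": ""}
CONFIG_SET = {"SALT": "constructed-example-salt"}  # constructed, not a real secret


def _derive(salt: str, subject: str) -> str:
    # HMAC-SHA256 keyed with the salt over the subject (e.g. a file name).
    # With an empty salt this value can be computed by anyone who knows
    # the subject, which is exactly why the pre-patch behaviour was unsafe.
    return hmac.new(salt.encode(), subject.encode(), hashlib.sha256).hexdigest()


def security_key_before(config: dict, subject: str) -> Optional[str]:
    """Pre-patch behaviour: only an undefined SALT disables the feature."""
    if "SALT" not in config:
        return None
    return _derive(config["SALT"], subject)  # bug: '' is used as the key


def security_key_after(config: dict, subject: str) -> Optional[str]:
    """Patched behaviour: an undefined or empty SALT both disable the feature."""
    salt = config.get("SALT", "")
    if not salt:
        return None
    return _derive(salt, subject)


def verify_key(config: dict, subject: str, presented: str) -> bool:
    """Accept a presented key only when a key can be generated and matches."""
    expected = security_key_after(config, subject)
    if expected is None:
        return False  # feature disabled: nothing is ever considered valid
    return hmac.compare_digest(expected, presented)
```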

The default allowed file extensions have also been edited to show that regexes are supported (which they have been since the beginning), so that users are aware of the possibility, as it was not documented.