Security Release
This is a security release to improve attachment related permission checks, and URL validation for webhooks.
Upgrade is advised if you allow untrusted users to delete attachments, or if untrusted users have permission to create webhooks on instances which make use of the ALLOWED_SSR_HOSTS BookStack env file option.
Thanks to 404_pkj (GitHub) and naruhodoowl (GitHub) for responsibly reporting these issues.
Full List of Changes
- Updated PHP package versions.
- Updated attachment actions to align page access check.
- Updated URL validation in webhooks to help prevent escaping workarounds.
- Fixed issue where exact search term negation would lead to no results. (#6121)