This release contains several security improvements. Thanks for m10x for making me aware of the issues and assisting in fixing them. The impact of these should be pretty low for anyone running tandoor in a private setting and for anyone using the hosted instance. Detailed reports will follow.
- changed allow configuring external recipe sources only as superuser of the instance
- changed blacklist to prevent certain paths from being used in local external recipes (etc, root, medafiles, usr). If you are using any of them you need to change your configuration
- changed local external import only considers pdf and image types
- changed default nginx config to download mediafiles if opened (setting content disposition Attachement)
- changed allow only image, pdf and office files to be uploaded to the UserFile system
- updated django (security update)